PKI and CLM Insights from 2024: Preparing for a Cyber Resilient 2025

As the year winds down, it’s the perfect time to pause for retrospection. 2024 has been both exciting and challenging for the PKI and CLM space, pushing the industry to rethink strategies and adapt. From the explosive growth of non-human and machine identities to the proposed move toward shorter-lived certificates and the accelerating countdown to post-quantum cryptography (PQC) adoption, we’ve seen some pivotal shifts.

These developments led many organizations to take a step back and reevaluate how they handle their PKI and certificate lifecycle management (CLM) practices. It’s been a year of growth, adaptation, and sometimes hard-earned lessons. As we look back, let’s dive into the standout events and insights from 2024 that can help set the stage for a more cyber resilient 2025.

1. Non-Human and Machine Identity Management Matters More Than Ever

Traditionally, Identity and Access Management (IAM) focused almost exclusively on human identities and their access. But times have changed. With the rise of cloud, IoT, and AI-driven environments, non-human and machine identities have become essential for automating processes and enabling secure machine-to-machine communication. In fact, our 2024 eBook survey with industry analyst Enterprise Strategy Group (ESG) reveals that non-human identities (NHIs) outnumber human identities by over 20 times. This explosive growth has created a huge security blind spot, as many organizations still don’t have the right strategies or solutions in place to manage and secure NHIs effectively.

The eBook survey also revealed that two-thirds of enterprises have faced successful cyberattacks linked to compromised non-human identities. Without adequate security measures, NHIs are vulnerable, and these weaknesses could lead to major security breaches. With the stakes this high, boards of directors at enterprise organizations are now taking note, prioritizing NHI management and security in their budgets for 2025.

Strategies for 2025:
  • Plan to include NHI security and management in annual IAM budgets.
  • Invest in a comprehensive certificate lifecycle management (CLM) solution that offers visibility, automation, and policy control of non-human and machine identities.

2. Post-Quantum Cryptography (PQC) Early Adoption Has Begun

Quantum computing has been a major technology topic in 2024. Advancements in qubit stability, error correction, and quantum cloud services have constantly grabbed headlines. Yet the biggest news of the year came from NIST, which released the first set of finalized post-quantum cryptography standards: FIPS 203, FIPS 204, and FIPS 205.

Amid the threat of harvest-now, decrypt-later attacks and claims by Chinese researchers to have broken RSA encryption with quantum computers, the news of PQC standardization is now kicking off PQC readiness projects. The new PQC standards specify algorithms designed to protect against attacks from both classical and quantum computers. NIST’s announcement marked the official start of PQC early adoption, prompting organizations to start preparing to transition to these new standards.

With the rapid pace of progress in the quantum world, Q-day (the day when quantum computers break today’s widely used public-key algorithms, such as RSA, DSA, ECDH, ECDSA, and EdDSA) could come sooner than expected. It’s important to begin preparing for PQC migration now, as sensitive systems and data may be at risk long before a CRQC (Cryptographically Relevant Quantum Computer) is fully developed.

Strategies for 2025:

While the transition to PQC is a major, multi-phase shift that will unfold over the next decade, PQC early adoption has already started. CISOs should start their PQC readiness journey now, which involves extensive planning, time, and resources. It is not just about adopting new algorithms, but also about making widespread changes to cryptographic infrastructure, standards, and tools across industries. Enterprises need to gain visibility over all their crypto assets, implement automation and enable crypto-agility, select algorithms, and test private trust certificates for internal use cases and test environments ahead of the full-scale transition to PQC certificates.


3. Shorter TLS Certificate Lifespans Are Coming!

In March of 2023, Google announced its plans to reduce the maximum validity period for public TLS certificates from 398 days to 90 days to encourage automation, promote crypto-agility, and enhance Internet security. Following suit, Apple introduced a draft ballot in October of 2024 proposing a gradual reduction of the maximum validity for public SSL/TLS certificates from 398 days to just 45 days by 2027.

Given the CA/Browser (CA/B) Forum’s track record of reducing public TLS certificate validity periods every 2-3 years, one of these proposals will likely be approved in the near future. If so, it could dramatically change how businesses handle and manage digital certificates in the years ahead.

Shorter validity periods essentially mean public TLS certificates will need to be renewed several times a year. That’s a massive shift from how TLS certificates are renewed and managed today. The added workload of frequent renewals will place tremendous pressure on IT, PKI, security, DevOps, and applications teams to stay on top of certificate expirations if they continue to rely on manual processes.

Strategies for 2025:

For organizations managing hundreds to thousands of certificates, automating certificate lifecycle management is the only way to ensure timely renewals and prevent outages and vulnerabilities. Automation removes the risk of oversight, centralizes certificate visibility, and simplifies the renewal process, making it scalable even as the frequency of renewals increases. With a CLM solution that offers visibility, automation, and policy control, your organization can be better prepared to handle shorter certificate validity periods or any other changes.

Recommended Resources:

Explainer Video: Get Ready for 90-day TLS Certificates with AppViewX

Webinar: Crypto-Agility Automation: Prepare Now for Google’s 90-Day TLS Validity Proposal

Informative Document: AVX ONE CLM Insights to Prepare for Google’s 90-Day Proposal

4. CA Agility is an Overlooked Security Best Practice

When a CA compromise or distrust incident occurs, manually switching CAs and replacing impacted certificates becomes complex, time-consuming, and resource-intensive. For large organizations with extensive IT infrastructures, the challenge can feel overwhelming: tracking down every affected certificate, onboarding a new CA, provisioning new certificates, and revoking the old certificates in time. Since disruptions in the PKI and cryptography world are often sudden, it’s crucial to be crypto-agile. Being able to adapt quickly to these changes can help you minimize the impact and keep everything running smoothly.

Strategies for 2025:
  • Build Crypto and CA agility: Invest in a CA-agnostic CLM solution to ensure your organization has the capability to quickly and seamlessly switch to a new CA without the heavy lifting, operational overhead, and disruption associated with a CA incident.
  • Diversify your CA portfolio to maintain the flexibility to choose from multiple CAs based on business needs and avoid CA lock-in.
Recommended Resources:

AVX ONE Certificate Lifecycle Management (CLM): Seamless CA Switch Capability

5. CLM Automation is Critical to Preventing Outages

Despite the increased focus on certificate lifecycle management, many organizations still faced certificate-related outages this year. From the Bank of England to Alaska Airlines, the outages were widespread, disrupting critical operations and essential public services for several hours. The root cause? Lack of automation and ineffective certificate lifecycle management. Manually monitoring hundreds or thousands of certificates for expiry and ensuring that they are renewed and provisioned on time has become hugely challenging for PKI and IT teams today. The process is laborious, time-consuming, and error-prone, leading to costly outages and security vulnerabilities. And, with Google proposing 90-day TLS certificates and Apple proposing a timeline for 45-day TLS certificates by 2027, this is a problem that will only get worse without a CLM automation strategy.

Strategies for 2025:
  • Gain complete visibility of the certificate landscape to identify and remediate certificate issues proactively
  • Implement automated alerting capabilities to stay on top of certificate expirations
  • Automate end-to-end certificate lifecycle management to streamline renewals, ensure accurate and timely certificate provisioning, reduce human error, and improve efficiency
  • Enforce clear policies around certificate issuance and management for robust security and continuous compliance
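
The alerting strategy above has to survive the shorter lifetimes discussed in section 3: a fixed "warn 30 days before expiry" rule fires two weeks after a 45-day certificate is issued. The sketch below is an added example, not code from the article or from AppViewX; it scales the renewal point to each certificate's lifetime and flags validity periods above a chosen maximum. The host names, the two-thirds renewal point and the record shape (the `notBefore`/`notAfter` strings returned by Python's `ssl` `getpeercert()`) are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumed policy for this example: renew once 2/3 of the lifetime has elapsed.
RENEW_AT_FRACTION = 2 / 3

def _ts(cert_time):
    """Parse the 'notBefore'/'notAfter' text format used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def assess(cert, now, max_validity_days):
    """Classify one certificate record against expiry and validity policy."""
    not_before, not_after = _ts(cert["notBefore"]), _ts(cert["notAfter"])
    lifetime = not_after - not_before
    renew_on = not_before + lifetime * RENEW_AT_FRACTION
    if now >= not_after:
        status = "EXPIRED"
    elif now >= renew_on:
        status = "RENEW_NOW"
    else:
        status = "OK"
    return {
        "name": cert["name"],
        "status": status,
        "days_left": (not_after - now).days,
        "renew_on": renew_on.date().isoformat(),
        "over_max_validity": lifetime > timedelta(days=max_validity_days),
    }

def scan(inventory, now, max_validity_days=398):
    """Return findings with the most urgent certificates first."""
    order = {"EXPIRED": 0, "RENEW_NOW": 1, "OK": 2}
    findings = [assess(c, now, max_validity_days) for c in inventory]
    return sorted(findings, key=lambda f: (order[f["status"]], f["days_left"]))

# Constructed sample inventory (hypothetical hosts, not real certificates).
INVENTORY = [
    {"name": "www.example.test", "notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Feb  3 00:00:00 2026 GMT"},
    {"name": "api.example.test", "notBefore": "Dec 15 00:00:00 2024 GMT", "notAfter": "Mar 15 00:00:00 2025 GMT"},
    {"name": "mq.example.test", "notBefore": "Feb 20 00:00:00 2025 GMT", "notAfter": "Apr  6 00:00:00 2025 GMT"},
    {"name": "legacy.example.test", "notBefore": "Jan 10 00:00:00 2024 GMT", "notAfter": "Feb 12 00:00:00 2025 GMT"},
]
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run

if __name__ == "__main__":
    for finding in scan(INVENTORY, NOW, max_validity_days=90):
        print(finding)
```

Running the same scan with `max_validity_days` set to 398, 90 and 45 shows which certificates in an inventory would already violate each proposed limit.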
Recommended Resources:

Blog: Don’t Let an Expired Certificate Cause Critical Downtime. Prevent Outages with a Smart CLM

6. CLM in Kubernetes Must be Simple, Automated, and Integrated

The shift to containers and Kubernetes has brought significant change in infrastructure and increased complexity, opening up a whole new attack surface. According to a 2023 Red Hat Kubernetes survey, 90% of surveyed respondents experienced at least one security incident in their Kubernetes environments in the last 12 months. As Kubernetes isn’t inherently secure, there is now a greater focus on securing Kubernetes environments with TLS certificates that can also support DevOps speed and agility. However, managing TLS certificates at scale and speed in a dynamic and ephemeral environment like Kubernetes has become a huge challenge for DevOps, CloudOps, PlatformOps, and security teams. Legacy and open source certificate management tools in Kubernetes don’t measure up to the requirements of DevOps and security teams.

Strategies for 2025:
  • Gain complete visibility of all certificates in your Kubernetes clusters
  • Automate CLM for multiple Kubernetes TLS use cases (Ingress TLS, Service Mesh mTLS, K8s Infrastructure mTLS, Ephemeral pods)
  • Enable self-service capabilities to bring CLM up to DevOps speed
  • Simplify and enforce consistent PKI policies across Kubernetes clusters and workloads
  • Invest in a certificate lifecycle management solution that integrates tightly with DevOps or container management tools.
Recommended Resources:

Whitepaper: A How-To Guide for Hardening Kubernetes Security with Certificate Lifecycle Management

Webinar: Simplifying Certificate Lifecycle Management for Kubernetes Environments

7. PKI Should Be Scalable and Flexible to Navigate Disruptions

PKI is continuously evolving to secure new and emerging use cases, such as cloud application access, DevOps, IoT, containers, and more. With increasing use cases, scaling in-house PKI to meet growing certificate needs has become a daunting challenge. Legacy infrastructure, certificate sprawl, scattered CAs, scarcity of PKI expertise, and high costs have turned running an internal PKI into a complex, resource-heavy process that pulls focus away from core business activities.

Strategies for 2025:

Consider shifting to PKI-as-a-Service (PKIaaS), a cloud-based solution that shifts PKI management to a specialized third-party service provider. Externally hosted and fully managed by the service provider, PKIaaS offers several advantages, such as streamlined PKI operations, fully integrated CLM, higher IT efficiency, enhanced security, and low total cost of ownership—proving to be an ideal fit for modern private PKI needs.


8. Mature Code Signing Processes Are a Must for Secure Software Development

Misuse of code signing certificates in supply chain attacks is a rising threat. These certificates verify software authenticity, integrity, and security, making them prime targets for attackers. When code signing keys, certificates, or processes aren’t well-managed, bad actors can carry out attacks, such as impersonating trusted developers to spread malware.

In February this year, the popular remote access solution AnyDesk suffered a cyberattack that compromised its production systems, prompting password resets and code signing certificate replacement.

To counter this threat, the CA/Browser Forum introduced stricter baseline requirements in June 2023, emphasizing private key protection. However, many organizations still struggle to implement robust code signing practices and meet these new mandates. Striking a balance between security and efficiency in code signing is still a challenge for many.

Strategies for 2025:

Make code signing:

  • Secure: Store private keys securely in FIPS 140-2 certified HSMs as mandated by the CA/B Forum, and manage key access and usage centrally to minimize the risk of private key compromises.
  • Seamless: Integrate code signing into DevOps workflows, enabling developers to sign code from anywhere and from any signing tool without worrying about key management and storage.
  • Controlled: Enforce policies to give security teams full oversight of code signing keys, certificates, and signing events across the enterprise.

As we head into 2025, it’s clear that redefining your IAM strategies and certificate lifecycle management is crucial. If 2024 taught us anything, it’s that crypto-agility should be at the forefront of every organization’s digital security approach—it’s the key to tackling both today’s challenges and tomorrow’s uncertainties with confidence. Automation can be a game-changer in transitioning to post-quantum cryptography and helping teams keep up with shorter-lived certificates without a hitch. The time is now to turn these insights into action and set the stage for a stronger, more resilient and secure future.

AppViewX AVX ONE: The Most Advanced Certificate Lifecycle Management and PKI Platform for All Non-Human and Machine Identity Management Needs

The AppViewX AVX ONE Platform is built to address the modern-day challenges of managing PKI and certificates for enterprise PKI, IAM, security, DevOps, cloud, platform and application teams. With visibility, automation, and control of certificates and keys, AVX ONE streamlines certificate lifecycle management and enables crypto-agility across complex hybrid multi-cloud environments.

In one unified platform, AppViewX provides instant value via enterprise-wide CLM, non-human and machine identity management, Kubernetes and container TLS automation, scalable PKI-as-a-Service, easy PKI modernization, secure code signing, IoT identity security, SSH management, and Post-Quantum Cryptography (PQC) readiness.

If you would like to know more, talk to one of our experts today.

About the Author

Krupa Patil

Product Marketing Manager

A content creator focused on providing readers and prospective buyers with accurate, useful, and latest product information to help them make better informed decisions.
