Certificate Vendors Becoming Identity Platforms

Defakto Company Report

These vendors are moving up-stack from certificate management toward comprehensive identity platforms.

Analyzed 7 sources

This shift means certificate vendors are trying to own the whole machine-identity control plane, not just the renewal job. The product is expanding from keeping TLS certificates from expiring into discovering every workload, deciding which identity each one is allowed to assert, issuing short-lived credentials at runtime, and feeding that identity into broader access and governance systems. That moves the budget from PKI operations toward core identity security.

  • Venafi is the clearest example of this move up-stack. CyberArk bought it in October 2024 and positioned the combined product as end-to-end machine identity security, spanning certificate lifecycle management, workload identity, SSH, code signing, and secrets management.
  • Smallstep started with certificate issuance, but its platform now covers devices, people, and workloads. In practice that means the same trust system can issue certs for a laptop joining Wi-Fi, a service in Kubernetes, or a developer connecting over SSH, which is much closer to an identity platform than a narrow PKI tool.
  • HashiCorp is approaching from the secrets side. Vault now supports SPIFFE-based auth and on-demand certificate issuance, but the operating model still routes identity through a Vault token and policy layer: the workload proves who it is to Vault, receives a token, and uses that token to fetch what it needs. That is broader than certificate management, but different from a secretless model in which workloads authenticate directly to each other with short-lived identities and no intermediate token or stored secret.

The next step is convergence between workload identity, secrets, and access governance. The vendors that win will be the ones that can discover every non-human identity, issue credentials automatically in seconds, and plug that identity into the rest of the enterprise security stack without forcing teams back into long-lived secrets.