Entrust Issues Digital Certificates. The Certificate Is a Stored Credential.
by Nick Clark | Published March 28, 2026
Entrust provides digital certificates, PKI infrastructure, and identity verification solutions used by enterprises, financial institutions, and governments worldwide. The certificate authority infrastructure is mature and trusted. But every digital certificate is a stored credential with a fixed lifetime. It must be issued by a trusted authority, stored securely by the holder, rotated before expiration, and revoked if compromised. Certificate lifecycle management is a permanent operational burden. The structural gap is between well-managed certificates and an identity model that does not require issuing, storing, or revoking credential material.
Entrust's certificate authority infrastructure and identity verification capabilities serve critical functions in global commerce and government identity. The gap described here is about the certificate model, not about Entrust's operational reliability.
Certificate lifecycle is permanent overhead
Every certificate Entrust issues begins a lifecycle: issuance, deployment, monitoring, renewal, and eventual expiration or revocation. Across an enterprise with thousands of certificates for TLS, code signing, email, and device identity, the lifecycle management overhead is substantial. Expired certificates cause outages. Compromised certificates require emergency revocation.
Automated certificate management tools reduce the operational burden but do not eliminate the underlying model: identity depends on a time-limited credential that must be continuously maintained.
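The renewal and expiry monitoring that the lifecycle demands, as an added illustration (not Entrust's tooling or code from this article): a small Python triage over a constructed certificate inventory. The names and notAfter values are invented, and the reference time NOW is fixed so the result is reproducible; the notAfter strings use the same format that Python's ssl.SSLSocket.getpeercert() returns, so the parser would work unchanged on values pulled from live endpoints.

```python
"""Expiry triage over a constructed certificate inventory (stdlib only)."""
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory: hypothetical names and notAfter values in the
# OpenSSL text format returned by ssl.SSLSocket.getpeercert()['notAfter'].
INVENTORY = [
    {"name": "www.example.test (TLS)",      "notAfter": "Apr 10 12:00:00 2026 GMT"},
    {"name": "build-signer (code signing)", "notAfter": "Mar 20 00:00:00 2026 GMT"},
    {"name": "smtp.example.test (TLS)",     "notAfter": "Sep  1 00:00:00 2026 GMT"},
    {"name": "device-0042 (client auth)",   "notAfter": "Mar 28 18:00:00 2026 GMT"},
]

# Fixed reference time (assumption) so the triage below is deterministic.
NOW = datetime(2026, 3, 28, 12, 0, tzinfo=timezone.utc)


def not_after_utc(cert_time: str) -> datetime:
    """Parse an OpenSSL-style notAfter string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def triage(inventory, now: datetime, renew_within_days: int = 30):
    """Return {name: (status, days_remaining)}.

    status is 'expired' (already past notAfter), 'renew' (inside the renewal
    window) or 'ok'. days_remaining is negative once a certificate has expired,
    which is the case that causes the outages the article describes.
    """
    result = {}
    for cert in inventory:
        remaining = not_after_utc(cert["notAfter"]) - now
        days = remaining.total_seconds() / 86400
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=renew_within_days):
            status = "renew"
        else:
            status = "ok"
        result[cert["name"]] = (status, days)
    return result


if __name__ == "__main__":
    # Most urgent first: expired, then soonest to expire.
    rows = sorted(triage(INVENTORY, NOW).items(), key=lambda kv: kv[1][1])
    for name, (status, days) in rows:
        print(f"{status:8} {days:7.1f}d  {name}")
```

The renewal window is the knob that turns "expired certificates cause outages" into a scheduled task: anything classified `renew` should already be in the renewal queue, and anything `expired` is an incident, not a warning.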
Revocation is a structural weakness
When a certificate is compromised, revocation must propagate to all relying parties. CRL distribution and OCSP responses have latency. During the propagation window, a revoked certificate may still be trusted by parties that have not yet received the revocation update. The revocation model is eventually consistent at best.
Certificate pinning, stapling, and short-lived certificates mitigate revocation latency but add complexity. Each mitigation addresses a symptom of the underlying structural dependency on stored, time-limited credentials.
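To make the propagation window concrete, here is an added, constructed model of CRL caching (not Entrust's infrastructure and not code from this article). A CA publishes CRLs with a fixed validity; a relying party keeps its cached CRL until that CRL's nextUpdate and only then fetches a fresh one. The function measures how many hours a certificate revoked at a given time is still accepted by such a party, and shows how a short certificate lifetime (the short-lived-certificate mitigation mentioned above) bounds that exposure independently of CRL freshness. All times are in hours from an arbitrary epoch and all values are assumptions.

```python
"""Constructed model of CRL propagation latency for a revoked certificate."""
from dataclasses import dataclass, field

SERIAL = 0x1234  # hypothetical serial number of the certificate being revoked


@dataclass(frozen=True)
class Crl:
    this_update: float      # hours
    next_update: float      # hours; relying parties reuse the CRL until then
    revoked: frozenset      # serial numbers listed as revoked


@dataclass
class CertificateAuthority:
    crl_validity: float = 24.0
    published: list = field(default_factory=list)
    revoked: set = field(default_factory=set)

    def publish(self, now: float) -> None:
        self.published.append(Crl(now, now + self.crl_validity, frozenset(self.revoked)))

    def revoke(self, serial: int, now: float) -> None:
        """Revocation is effective at the CA immediately and a new CRL is issued."""
        self.revoked.add(serial)
        self.publish(now)

    def latest(self, now: float) -> Crl:
        return max((c for c in self.published if c.this_update <= now),
                   key=lambda c: c.this_update)


@dataclass
class RelyingParty:
    cached: Crl = None

    def trusts(self, ca: CertificateAuthority, serial: int, not_after: float, now: float) -> bool:
        # Only refresh when the cached CRL has reached its nextUpdate; until then
        # the party has no way of knowing that a newer CRL exists.
        if self.cached is None or now >= self.cached.next_update:
            self.cached = ca.latest(now)
        if now >= not_after:
            return False            # expiry ends trust regardless of CRL state
        return serial not in self.cached.revoked


def hours_trusted_after_revocation(crl_validity: float, revoke_at: float,
                                   not_after: float, step: float = 1.0,
                                   horizon: float = 10_000.0) -> float:
    """Hours after revoke_at during which a party that cached the CRL published
    at time 0 still accepts the revoked certificate."""
    ca = CertificateAuthority(crl_validity)
    ca.publish(0.0)
    party = RelyingParty()
    party.trusts(ca, SERIAL, not_after, 0.0)   # prime the cache at time 0
    ca.revoke(SERIAL, revoke_at)
    t, hours = revoke_at, 0.0
    while t < horizon and party.trusts(ca, SERIAL, not_after, t):
        hours += step
        t += step
    return hours


if __name__ == "__main__":
    # Daily CRL, revocation 6h after publication, long-lived certificate.
    print("24h CRL, 30-day cert :", hours_trusted_after_revocation(24.0, 6.0, 720.0), "h")
    # Same CRL schedule, but the certificate itself expires 10h after issuance.
    print("24h CRL, 10h cert    :", hours_trusted_after_revocation(24.0, 6.0, 10.0), "h")
    # Shorter CRL validity shrinks the window too, at the cost of more fetches.
    print("4h CRL,  30-day cert :", hours_trusted_after_revocation(4.0, 2.0, 720.0), "h")
```

In the first case the party keeps honouring the revoked certificate for the rest of its cached CRL's validity; in the second the certificate's own lifetime closes the window before the CRL ever refreshes, which is exactly the trade short-lived certificates make: a smaller exposure window in exchange for a much higher issuance rate.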
What keyless identity addresses
Keyless identity eliminates the certificate lifecycle entirely. Identity derives from accumulated behavioral continuity, not from issued credentials. There is no issuance, no expiration, no revocation, and no renewal. The identity continuously validates through trust slope functions. Compromise of a device does not require revocation because the compromised device's behavioral continuity diverges from its accumulated history, and the trust slope validation detects the divergence.