What a billion dollars is actually buying
An expired certificate does not care how large your company is. When one lapses on a payment gateway at two in the morning, the checkout page simply stops trusting itself, cards get declined, and the first anyone hears of it is a spike in abandoned carts. The unglamorous work of making sure that never happens is what Summit Partners just valued at more than a billion dollars.
On July 6 Keyfactor announced a strategic growth investment of over 1 billion dollars led by Summit Partners, with existing backers Insight Partners and Sixth Street Growth keeping significant stakes. The company issues and manages billions of machine identities each year for more than 2,500 customers, and its reach is telling: it secures certificates for half of the largest banks in the US and Europe, 80 percent of leading US retailers, and over 40 percent of the Fortune 100. The stated use of the money is product, geographic expansion, and acquisitions.
Private equity does not write billion-dollar cheques for housekeeping. The size of this round is the signal, not the logo on it: certificate and machine-identity management has quietly moved from a task a systems administrator handled between other jobs into a capitalised infrastructure category with its own budget line. The market has decided this is where enterprise trust is bought, and it has priced it accordingly.
Why certificates became a board problem
The first force is arithmetic. The CA/Browser Forum, the body that sets the rules browsers enforce, voted to cut the maximum life of a public TLS certificate from 398 days to 200 in March 2026, to 100 in March 2027, and to 47 by March 2029. A certificate that lives 47 days must be replaced roughly eight times a year. Multiply that by the thousands of certificates a mid-sized enterprise runs across its sites, APIs, and internal services, and manual renewal stops being tedious and starts being impossible.
The second force is quantum. NIST finalised its post-quantum encryption standards in 2024 and set a path toward retiring today's RSA and elliptic-curve algorithms around 2030. In practice that means nearly every certificate an organisation holds will have to be reissued with quantum-safe cryptography, and the encrypted traffic being copied and stored today can be decrypted later once the hardware arrives. The clock on that migration is already running whether or not it is on anyone's roadmap.
The third force is scale. Every AI agent, container, workload, and service now needs its own identity to prove what it is before it is trusted, and the count of these machine identities has raced far past the number of human ones. Trust that used to be granted by a person logging in is now granted thousands of times a second by software, and each grant rests on a certificate that has to be valid, current, and accounted for.
What an operator should do before the clock runs out
Start with an inventory, because the certificates that cause outages are the ones nobody knew existed - the one a contractor installed two years ago, the one buried in a load balancer, the one on an internal service that quietly became load-bearing. You cannot automate what you cannot see, so the first project is finding every certificate you own and when it expires. Only then does automated issuance and renewal earn its keep.
In Europe this is no longer optional hygiene. NIS2 makes certificate and cryptographic discipline part of a company's security obligations, and eIDAS governs the qualified certificates that underpin cross-border trust. The billion-dollar round is the market saying the bill for machine identity comes due either way - on a schedule you plan and control, or during the outage that plans it for you.
Read next: Nvidia and Intel Backed an Off-Lab Way to Train AI | SK Hynix Raised $26.5B in a Record Nasdaq Debut



