#KEYMASTER: About Ephemeral and Short-Lived Certificates

Sven Rajala, International PKI Man of Mystery, and Tomas Gustavsson, Chief PKI Officer, discuss ephemeral certificates—short-lived certificates that do not require revocation checking and long-term tracking in a CA database. These certificates help reduce the database size while maintaining an audit trail.

Ephemeral certificates have existed long before the term became popular. They simplify some PKI use cases and are becoming a mainstream tool in security architectures.

Watch video on YouTube

Definition

Ephemeral certificates are short-lived (minutes to a few weeks) and often interchangeable with "short-lived certificates".

Use Cases

• Service Meshes & TLS: Common in workload identities and zero-trust architectures.
• Digital Signatures & Keyless Signing: This is often called “ephemeral key signing” since a key still exists but is not persistent.
• Device Certificates in Zero Trust: Short-lived certificates help manage billions of IoT devices efficiently.
• Throwaway CA Concept: Enables issuing certificates at scale without bloating CA databases.
• New Developments: Discussion on the IETF No Revocation Check Extension , which tells clients not to check CRLs or OCSP.

Learn more about Ephemeral Certificates

• Read blog: A Field Guide to PKI Encryption: 9 Types of Certificates Explained
• Watch tutorial: Configure EJBCA to issue short-lived (ephemeral) certificates
• Watch tutorial: Use an ephemeral CA to issue and revoke ephemeral certificates