Early Access: Managed PKI Certificates is currently in Early Access — get priority onboarding support, input into the product roadmap, and locked-in launch pricing. Join the waitlist →

Managed PKI Certificates

High-assurance, WebTrust-audited PKI — without the infrastructure overhead

Managed PKI Certificates is a fully managed, cloud-hosted certificate platform for users, devices, workloads, and services. Built for regulated and high-compliance environments, it gives you WebTrust-audited private certificates — with audit pass-through for SOC2, HIPAA, and supply chain requirements — delivered as a shared-service subscription. No CA infrastructure to operate.

What are Managed PKI Certificates?

Managed PKI Certificates are digital identities issued from a managed, cloud-hosted platform that utilizes a highly secure, multi-tenant architecture. This product is uniquely governed by a continuous WebTrust audit, providing customers with a shared, high-assurance infrastructure that maintains strict logical isolation for certificate issuance, policy enforcement, and lifecycle automation.

Key Value Propositions

Security by Design

Security by design: shared hardware-rooted trust via FIPS 140-2 Level 3 HSMs, strong policy enforcement through template-based issuance, and tamper-evident audit trails for compliance evidence.

Operational Efficiency

Operational efficiency via automated enrollment, renewal, and rotation with turnkey integrations for your ecosystem: Active Directory, Kubernetes, MDM platforms, and SIEM systems.

Compliance and Governance

Compliance and governance with mapped controls and documented procedures aligned to SOC 2, HIPAA, PCI DSS, ISO 27001, and NIST SP 800-53 frameworks commonly required by auditors.

Enterprise Scale

Enterprise scale with high availability and geo-resilience for bulk issuance across a global customer base: sub-second certificate issuance at multi-million-unit volumes per product cycle.

Core Capabilities

  • Issued from a dedicated private root of trust outside the CA/Browser Forum.
  • WebTrust-compliant issuance governed by the same audit standards as public roots.
  • Supports SCEP, EST, ACME, and REST API enrollment.
  • All keys are HSM-backed with FIPS 140-2/3 alignment.
  • High-availability OCSP and CRLs for real-time verification.

Key benefits

Root of Trust

Inherit SSL's WebTrust audit evidence for your PKI, without building or funding your own audit program.

WebTrust-Compliant

Partners, regulators, and customers can inspect your CA's audited governance, not just its certificates.

HSM-Backed Security

ACME, SCEP, EST, REST API enrollment, built for DevSecOps, Kubernetes, MDM, and factory-floor issuance.

Namespace Protection

All CA private keys generated and stored in certified hardware, never exportable in plaintext.

Automated Enrollment

Hybrid post-quantum profiles (ML-KEM, ML-DSA, SLH-DSA) available at the Ecosystem/IoT tier.

Validation Services

Same API used for public-trust certificates, no separate integration required.

Elastic billing

Certificate inventory, expiration forecasting, immutable audit logs, SIEM/SOAR integration.

Request Early Access

Join the Early Access programme to start using Managed PKI Certificates, lock in launch pricing, and shape the product roadmap. Indicate your tier and primary use cases — Professional and Enterprise tier accounts are being onboarded now; Ecosystem/IoT accounts are available on request.

Common Use Cases

High-Assurance IoT & Device Identity

High-assurance IoT and device identity for secure boot, firmware updates, and mutual TLS in industrial IoT, medical devices, automotive systems, and critical infrastructure.

Supply Chain Trust

Supply chain trust: providing cryptographic proof of trust for third-party onboarding, partner extranets, and supplier authentication in B2B ecosystems.

Regulatory Compliance

Regulatory compliance: meeting SOC 2 Type II, HIPAA Security Rule, GDPR Article 32, and PCI DSS v4 requirements via audit-ready certificate infrastructure with documented controls.

Zero Trust Architecture

Zero Trust architecture: securing machine-to-machine communication with audited governance. Every workload, service, and device gets a cryptographically verified identity enforced at connection time.

PQC Transition

PQC transition: testing quantum-resistant certificate profiles (ML-KEM, ML-DSA, SLH-DSA) to future-proof internal systems before NIST PQC mandates become production requirements.

Platform Architecture

1. Onboarding: SSL provisions your tenant, vets and reserves your private namespaces, and configures RBAC for your team.
2. Integrate: Configure your ACME client, MDM, Kubernetes cert-manager, or REST API integration to use your SSL tenant endpoint.
3. Issue certificates: Your enrollment system requests certificates; SSL’s platform validates the request against your namespace policy and issues the certificate.
4. Lifecycle management: Renewals, rekeys, and revocations are handled automatically or via API; inventory and expiration alerts keep you ahead of expirations.
5. Compliance: Access SSL’s WebTrust audit reports to satisfy SOC2, HIPAA, or industry-specific requirements.

Compliance & standards

WebTrust for CAs

SSL's dedicated PKI operations are covered by the same WebTrust audit as our public trust platform.

FIPS 140-2 Level 3

FIPS 140-2 Level 3: all CA root and intermediate keys are generated and stored in certified HSMs and are never exportable in plaintext. This is the protection profile required by federal procurement.

RFC 5280 (X.509)

All certificates conform to X.509 v3 / RFC 5280 structure: compatible with every PKI-capable operating system, device, and application in production use today.

ACME RFC 8555

Native ACME v2 (RFC 8555) support for automated certificate lifecycle management: works with cert-manager, Caddy, Traefik, Certbot, and every standard ACME client out of the box.

SCEP / EST

SCEP (Simple Certificate Enrollment Protocol) and EST (Enrollment over Secure Transport, RFC 7030) support for MDM platforms, network device enrollment, and mobile certificate provisioning.

NIST PQC standards

NIST Post-Quantum Cryptography standards: ML-KEM (key encapsulation), ML-DSA (digital signatures), and SLH-DSA (stateless hash-based signatures) hybrid profiles available on the Ecosystem tier.

Service tiers

Pricing is indicative during Early Access — lock in launch pricing by joining the waitlist.

Professional

Pricing available upon request
  • Internal mTLS, VPN, baseline compliance
  • Up to 500 active certificates
  • WebTrust audit pass-through
  • HSM-backed signing keys
  • SCEP, EST, ACME, REST API
  • Namespace validation included

Enterprise

Pricing available upon request
  • Automated environments (Kubernetes, MDM, Intune)
  • Up to 5,000 active certificates
  • Includes Hybrid PQC (Post-Quantum) readiness
  • Lower effective per-cert cost
  • Lower per-cert overage rate
  • Everything in Professional

Ecosystem / IoT

Pricing available upon request
  • High-volume device "birth certificates"
  • Up to 100,000 active certificates
  • High-throughput APIs
  • Custom OIDs for device metadata
  • Best volume amortisation
  • Everything in Enterprise

Subscription logic & benefits

  • Active inventory billing. Pricing is based on concurrent “Active” certificates rather than total issuance, supporting high-velocity DevOps workflows where certificates rotate frequently. Active = Total Issued − (Expired + Revoked).
  • Audit inheritance. Your subscription includes access to SSL.com’s WebTrust for CAs audit reports, allowing you to satisfy SOC2, HIPAA, or specialised industry requirements by passing through the compliance of our audited data centres and processes.
  • Namespace validation. Every tier includes rigorous vetting and reservation of your private namespaces (e.g., *.internal.yourcompany.com) to ensure your identities are unique and protected from overlap with other tenants.
  • HSM-backed security. All private keys are generated and stored in FIPS 140-2 Level 3 Hardware Security Modules — a core requirement for high-assurance use cases.

Frequently asked questions

Managed PKI Certificates is currently in Early Access. Join the waitlist to get priority onboarding, input into the roadmap, and locked-in launch pricing. Professional and Enterprise tier accounts are being onboarded now; Ecosystem/IoT accounts are available on request.

In this shared environment, you utilize a high-assurance infrastructure shared between different customers to reduce overhead. This grants you "audit pass-through" capabilities to meet SOC2 mandates by inheriting the provider's certified operational rigor.

This audited status ensures your private certificates provide documented proof of governance through auditor-witnessed Key Ceremonies and tamper-evident logs — essential for securing supply chains and ensuring the legal non-repudiation of digital signatures.

We use an Elastic Inventory model: Active = Total Issued − (Expired + Revoked). You are only billed for what is currently valid and usable in your environment.

All keys used to sign your certificates are stored in FIPS 140-2 Level 3 Hardware Security Modules (HSMs). While the physical hardware may be shared, keys are cryptographically isolated per customer and protected by strict RBAC and dual-control requirements.

Three subscription tiers (Professional, Enterprise, Ecosystem/IoT) with included active certificate thresholds of 500, 5,000, and 100,000 respectively. Pricing is indicative and subject to change while the product is in Early Access. The effective per-certificate cost decreases at higher tiers, and the per-certificate overage rate also drops at higher tiers — so customers running close to the threshold get cheaper overages on the higher tiers.

Managed PKI Certificates is a shared multi-tenant service — you don't own the Root CA, and the platform is fully operated by SSL.com. Private Enterprise PKI and Private Compliance PKI give you a fully dedicated CA hierarchy with your own Root CA. Choose Managed PKI Certificates when you need WebTrust audit pass-through at lower cost without CA infrastructure overhead; choose a dedicated product when you need your own Root CA or full self-service CA control.

Ready to start using Managed PKI Certificates?

Join the Early Access programme — get priority onboarding, input into the product roadmap, and locked-in launch pricing. No commitment required.

Related Products

Private Compliance PKI

Private Compliance PKI: need a dedicated Root CA plus WebTrust audit. Own your hierarchy with audit evidence that regulators accept for SOC 2, HIPAA, and industry-specific programs.

Private Enterprise PKI

Need a dedicated Root CA for internal use, without the audit overhead.

Custom-Branded Issuing CA

Custom-Branded Issuing CA: need publicly trusted certificates carrying your brand name. Your organization appears as issuer while inheriting SSL.com’s globally trusted root.
