Managed PKI Certificates

A modern, scalable cloud-hosted, high-assurance, fully WebTrust-audited Public Key Infrastructure certificate product for users, devices, workloads, and services

What are Managed PKI Certificates?

Managed PKI Certificates are digital identities issued from a managed, cloud-hosted platform that utilizes a highly secure, multi-tenant architecture. This product is uniquely governed by a continuous WebTrust audit, providing customers with a shared, high-assurance infrastructure that maintains strict logical isolation for certificate issuance, policy enforcement, and lifecycle automation.

Key Value Propositions

Security by Design

Shared hardware-rooted trust (HSM), strong policy enforcement, and tamper-evident audit trails.

Operational Efficiency

Automated enrollment, renewal, and rotation with integrations to your ecosystem.

Compliance and Governance

Mapped controls and documented procedures aligned to common frameworks.

Enterprise Scale

High availability and geo-resilience for bulk issuance across a global customer base.

Core Capabilities

  • Issued from a dedicated private root of trust outside the CA/Browser Forum.
  • WebTrust-compliant issuance governed by the same audit standards as public roots.
  • Supports SCEP, EST, ACME, and REST API enrollment.
  • All keys are HSM-backed with FIPS 140-2/3 alignment.
  • High-availability OCSP and CRLs for real-time verification.

Key benefits

Root of Trust

Inherit SSL's WebTrust audit evidence for your PKI — without building or funding your own audit program.

WebTrust-Compliant

Partners, regulators, and customers can inspect your CA's audited governance — not just its certificates.

HSM-Backed Security

ACME, SCEP, EST, REST API enrollment — built for DevSecOps, Kubernetes, MDM, and factory-floor issuance.

Namespace Protection

All CA private keys generated and stored in certified hardware — never exportable in plaintext.

Automated Enrollment

Hybrid post-quantum profiles (ML-KEM, ML-DSA, SLH-DSA) available at the Ecosystem/IoT tier.

Validation Services

Same API used for public-trust certificates — no separate integration required.

Elastic billing

Certificate inventory, expiration forecasting, immutable audit logs, SIEM/SOAR integration.

Service Tiers and Features

Pricing is indicative and subject to change. Contact us for a tailored quote.

Professional

$12,500/yr
  • Internal mTLS, VPN/Wi-Fi, or baseline compliance
  • 500 Certs included
  • No setup fee
  • Overage: $30.00 / active cert

Enterprise

Pricing available upon request
  • Automated environments (Kubernetes, MDM, Intune)
  • 5,000 Certs included
  • No setup fee
  • Includes Hybrid PQC readiness

Ecosystem / IoT

Pricing available upon request
  • High-volume device identity
  • 100,000 Certs included
  • No setup fee
  • Includes high-throughput APIs and custom OID support

Active = Total Issued − (Expired + Revoked). You are only billed for certificates that are currently valid. This model is favorable for DevOps and IoT scenarios where you issue frequently but many certificates expire quickly.

Pricing for Enterprise and Ecosystem tiers is available upon request.

Common Use Cases

High-Assurance IoT & Device Identity

Medical devices, IIoT, automotive. Devices need an audited "birth certificate" for secure boot, firmware signing, and mTLS. The WebTrust audit proves the issuance process meets bank-grade security standards.

Supply Chain Trust

When government agencies or large enterprises require vendors to prove security infrastructure meets strict standards, the WebTrust seal on your dedicated PKI is the documented proof.

Regulatory Compliance

The WebTrust-audited foundation pre-certifies the PKI component of your compliance audit. Signatures issued under an audited CA are legally defensible.

Zero Trust Architecture

Machine-to-machine service mesh, container identity, internal microservice mTLS. RBAC and dual-control enforced by the platform ensure no single person can issue a rogue certificate.

PQC Transition

The Ecosystem tier supports hybrid PQC profiles combining RSA/ECC with ML-KEM, ML-DSA, and SLH-DSA. Use your dedicated environment to pilot quantum-safe certificates across internal workloads before broader rollout.

Platform Architecture

1. Onboarding: SSL provisions your tenant, vets and reserves your private namespaces, and configures RBAC for your team.
2. Integrate: Configure your ACME client, MDM, Kubernetes cert-manager, or REST API integration to use your SSL tenant endpoint.
3. Issue certificates: Your enrollment system requests certificates — SSL’s platform validates against your namespace policy and issues.
4. Lifecycle management: Renewals, rekeys, and revocations are handled automatically or via API — inventory and expiration alerts keep you ahead of expirations.
5. Compliance: Access SSL’s WebTrust audit reports to satisfy SOC2, HIPAA, or industry-specific requirements.

Compliance & standards

WebTrust for CAs

SSL's dedicated PKI operations are covered by the same WebTrust audit as our public trust platform

FIPS 140-2 Level 3

All CA keys stored and generated in certified HSMs

RFC 5280 (X.509)

All certificates conform to X.509/RFC 5280

ACME RFC 8555

Native ACME support for automated lifecycle management

SCEP / EST

Supported for MDM, network device, and mobile certificate enrollment

NIST PQC standards

ML-KEM, ML-DSA, SLH-DSA hybrid profiles available (Ecosystem tier)

Frequently asked questions

Managed PKI Certificates is a shared multi-tenant service — SSL retains the Root CA and the infrastructure is shared across customers with strict logical isolation. Dedicated PKI gives you your own Root CA and a private CA hierarchy that belongs entirely to your organization. Managed PKI Certificates is lower cost and requires no setup fee; Dedicated PKI gives you full hierarchy ownership and custom Certificate Policy support.

Your private namespaces are vetted and reserved — no other tenant can be issued certificates for your namespaces. Certificate-signing keys are cryptographically isolated per customer within the HSMs. RBAC restricts API access to your tenant only. All operations are audit-logged.

Active = Total Issued − (Expired + Revoked). You are only billed for certificates that are currently valid in your environment. This model is favorable for DevOps and IoT scenarios where you issue frequently but many certificates expire quickly — you're never paying for stale inventory.

Yes — all tiers include access to SSL's WebTrust for CAs audit reports. These reports can be used as compliance evidence for SOC2, HIPAA, or specialized industry requirements.

Yes — if your needs grow to require a dedicated Root CA hierarchy or custom Certificate Policy, SSL can discuss a migration or upgrade path to Dedicated PKI products.

Ready to get started with Managed PKI Certificates?

Our enterprise team will provision your tenant, vet your namespaces, and configure your enrollment integrations — before any commitment.

Related Products

Private Compliance PKI

Need a dedicated Root CA + WebTrust audit — own your hierarchy.

Private Enterprise PKI

Need a dedicated Root CA for internal use — without the audit overhead.

Custom-Branded Issuing CA

Need publicly trusted certificates carrying your brand name.
