Your own dedicated Certificate Authority — without the compliance program overhead

Private Compliance PKI is a cloud-hosted, WebTrust-audited CA hierarchy that belongs entirely to your organization. Your own Root CA and Issuing CA(s), HSM-backed keys, auditor-witnessed Key Ceremonies, and independently verified compliance controls — operated by SSL on the same infrastructure that underpins our public trust platform.

Dedicated CA infrastructure. Full control. Internal trust.

Private Enterprise PKI provides the same underlying platform as Private Compliance PKI — the same FIPS-hardened HSM infrastructure, the same unified REST API, the same enrollment protocols, and the same observability capabilities — without the WebTrust compliance program and its associated Key Ceremony audit requirements.

What you get:

Your own Root CA

A dedicated CA hierarchy — your Root and Issuing CAs are not shared with any other organization.

HSM-backed CA keys

CA keys generated and stored in FIPS 140-2 Level 3 certified Hardware Security Modules — never exportable in plaintext.

Full certificate lifecycle

Issuance, renewal, rekey, rollover, revocation via ACME, SCEP, EST, and REST API. Built for Kubernetes, MDM, DevOps pipelines.

Custom certificate profiles

Define profiles for your internal use cases — TLS, Client Auth, Code Signing, Device Identity.

What is different from Private Compliance PKI: No WebTrust independent audit coverage, no auditor-witnessed Key Ceremony, trust scope is internal only — certificates issued are not suitable for supply chain or partner ecosystem compliance claims. Lower cost.

Key benefits

Your own Root CA

Inherit SSL's WebTrust audit evidence for your PKI — without building or funding your own audit program.

FIPS 140-2 Level 3 HSMs

Partners, regulators, and customers can inspect your CA's audited governance — not just its certificates.

Full automation

ACME, SCEP, EST, REST API enrollment — built for DevSecOps, Kubernetes, MDM, and factory-floor issuance.

Unified REST API

All CA private keys generated and stored in certified hardware — never exportable in plaintext.

Custom certificate profiles

Hybrid post-quantum profiles (ML-KEM, ML-DSA, SLH-DSA) available at the Ecosystem/IoT tier.

Full observability

Same API used for public-trust certificates — no separate integration required.

Lower cost than audited tier

Certificate inventory, expiration forecasting, immutable audit logs, SIEM/SOAR integration.

Who Private Enterprise PKI is for

Private Enterprise PKI is the right choice when:

  • Your use cases are internal only and you do not need to demonstrate your PKI governance to external partners, regulators, or customers
  • You need a dedicated CA hierarchy — not a shared platform — for policy, naming, or organizational reasons
  • You are running internal mTLS, VPN/Wi-Fi authentication, internal device identity, or developer/staging certificate infrastructure
  • Your organization wants full CA control over certificate profiles and policies without the compliance overhead
  • You want to progress to Private Compliance PKI in the future — Private Enterprise PKI uses the same platform and can be upgraded

If you need to demonstrate independently audited CA governance externally — for supply chain requirements, regulated industry compliance, or partner ecosystem trust — choose Private Compliance PKI instead.

Service tiers

Pricing is indicative and subject to change. Contact us for a tailored quote.

Lab

Free
  • Developer & Testing
  • 25 active certs included
  • 1 CA (self-signed)
  • 100 OCSP responses / month
  • Dev, testing & automation prototyping
  • Not for production use

Pro

$2,000 / yr
  • Small Teams
  • 250 active certs included
  • 2 CAs
  • 10,000 OCSP responses / month
  • Internal mTLS, VPN/Wi-Fi (EAP-TLS), small device fleet
  • Or $200 / month (PAYG)
  • Overage applies above 250 active certs

Business

$5,000 / yr
  • Mid-Market
  • 5,000 active certs included
  • 5 CAs
  • 1,000,000 OCSP responses / month
  • Multiple use cases (TLS, Client Auth, Device Identity, Code Signing)
  • Or $500 / month (PAYG)
  • Overage applies above 5,000 active certs

Enterprise

$15,000 / yr
  • Large Organizations
  • 100,000 active certs included
  • 15 CAs
  • 10,000,000 OCSP responses / month
  • All use cases — Kubernetes, multi-cloud, Intune/Jamf MDM, high-volume device identity
  • Or $1,500 / month (PAYG)
  • Overage applies above 100,000 active certs

Strategic

Custom pricing
  • Government & Global Scale
  • Custom active cert volume
  • Custom CA hierarchy
  • Custom OCSP volume
  • Government, global enterprises, specialized deployments
  • Pricing available upon request

Active = Total Issued − Expired − Revoked. You are only billed for certificates currently valid.

Tier comparison

| | 🔹 Lab | 🔸 Pro | 🔶 Business | 🔺 Enterprise | ⭐ Strategic |
|---|---|---|---|---|---|
| Annual fee | Free | $2,000 / yr | $5,000 / yr | $15,000 / yr | Custom |
| Monthly (PAYG) | Free | $200 / mo | $500 / mo | $1,500 / mo | Custom |
| CA hierarchy | 1 (self-signed) | 2 | 5 | 15 | Custom |
| Included active certs | 25 | 250 | 5,000 | 100,000 | Custom |
| Included OCSP / month | 100 | 10,000 | 1,000,000 | 10,000,000 | Custom |
| Overage | | Above 250 | Above 5,000 | Above 100,000 | Custom |

Variable Overage Rates — applied when plan limits are exceeded:

  • Additional active certificate: $0.15 per certificate / month
  • Additional OCSP responses: $0.25 per 100,000 responses


Common use cases

Internal mTLS and service mesh

Medical devices, IIoT, automotive. Devices need an audited "birth certificate" for secure boot, firmware signing, and mTLS. The WebTrust audit proves the issuance process meets bank-grade security standards.

VPN/Wi-Fi authentication (EAP-TLS)

When government agencies or large enterprises require vendors to prove security infrastructure meets strict standards, the WebTrust seal on your dedicated PKI is the documented proof.

Internal device identity

The WebTrust-audited foundation pre-certifies the PKI component of your compliance audit. Signatures issued under an audited CA are legally defensible.

Kubernetes workload identity

Machine-to-machine service mesh, container identity, internal microservice mTLS. RBAC and dual-control enforced by the platform ensure no single person can issue a rogue certificate.

Developer and staging CAs

The Ecosystem tier supports hybrid PQC profiles combining RSA/ECC with ML-KEM, ML-DSA, and SLH-DSA. Use your dedicated environment to pilot quantum-safe certificates across internal workloads before broader rollout.

How onboarding works

1. Discovery & scoping
   SSL’s enterprise team reviews your use cases, scale needs, and CA hierarchy requirements
2. CA hierarchy design
   Root CA naming, Issuing CA structure, and certificate profiles agreed
3. Key Ceremony
   Root CA private key generated in a documented ceremony using FIPS HSMs — standard, not auditor-witnessed
4. Platform provisioning
   Enrollment endpoints, certificate profiles, and integrations deployed
5. Go-live
   Your dedicated PKI is operational — enrollment begins
6. Ongoing operations
   SSL operates the platform and manages CRL publication

Compliance & standards

WebTrust for CAs

SSL's dedicated PKI operations are covered by the same WebTrust audit as our public trust platform

FIPS 140-2 Level 3

All CA keys stored and generated in certified HSMs

RFC 5280 (X.509)

All certificates conform to X.509/RFC 5280

ACME RFC 8555

Native ACME support for automated lifecycle management

SCEP / EST

Supported for MDM, network device, and mobile certificate enrollment

NIST PQC standards

ML-KEM, ML-DSA, SLH-DSA hybrid profiles available (Ecosystem tier)

Frequently asked questions

Both give you a dedicated Root CA and Issuing CA(s) on the same FIPS-hardened platform. The difference is the WebTrust audit. Private Compliance PKI's Key Ceremony is witnessed by SSL's independent auditor, and your hierarchy is covered by the same audit program as our public trust operations — giving you "audit pass-through" for SOC2, HIPAA, supply chain, and partner compliance requirements. Private Enterprise PKI is the same infrastructure without the compliance program.

Managed PKI Certificates is a shared multi-tenant service — you don't own the Root CA. Private Enterprise PKI gives you a fully dedicated CA hierarchy with your own Root CA and custom certificate policies, not shared with any other tenant.

Yes — because both products are built on the same platform, upgrading to add WebTrust audit coverage is a process discussion, not an infrastructure migration.

Internal mTLS and service mesh, VPN/Wi-Fi authentication (EAP-TLS), internal device identity, developer and staging CAs, Kubernetes workload identity, and any scenario where you need a dedicated CA hierarchy for internal trust without external compliance requirements.

Ready to build your dedicated internal PKI?

Our enterprise team will scope your CA hierarchy, design certificate profiles for your use cases, and walk you through onboarding — before any commitment.

Related Products

Private Compliance PKI

Same dedicated infrastructure + WebTrust audit coverage — for regulated and compliance use cases.

Managed PKI Certificates

WebTrust-audited private PKI on shared infrastructure — no dedicated Root CA, lower cost.

Custom-Branded Issuing CA

Publicly trusted certificates under your brand — no Root CA management required.
