Private Compliance PKI

A fully audited Certificate Authority, dedicated to your organization

Private Compliance PKI is a cloud-hosted, WebTrust-audited CA hierarchy that belongs entirely to your organization. Your own Root CA and Issuing CA(s), HSM-backed keys, auditor-witnessed Key Ceremonies, and independently verified compliance controls, operated by SSL on the same infrastructure that underpins our public trust platform.

Compare Product Tiers Request a Discovery Call

WebTrust governance. Your hierarchy. Your policies.

Private Compliance PKI is managed PKI-as-a-service built for organizations that need the flexibility of a private CA combined with the independently audited rigor of a public trust operation.

What sets it apart from a standard private CA:

WebTrust audit coverage

The same independent CPA audit that certifies SSL's public CA operations covers your dedicated hierarchy. You inherit the audit evidence without building the audit program yourself.

Auditor-witnessed Key Ceremonies

Your Root CA private key is generated in a formal, documented ceremony conducted by SSL's PKI team and witnessed by the independent auditor.

HSM-backed root keys

The Root CA key lives in a FIPS 140-2 Level 3 HSM, offline, activated only by multi-party dual control.

Documented chain of trust

Every policy and procedure governing your hierarchy is documented, audited, and available as compliance evidence.

The result: your PKI satisfies SOC2, HIPAA, banking, energy, and supply chain compliance requirements, because the audit already happened.

Key benefits

Audit pass-through

Inherit SSL's WebTrust audit evidence for your PKI, without building or funding your own audit program.

Supply chain trust

Partners, regulators, and customers can inspect your CA's audited governance, not just its certificates.

Automation at scale

ACME, SCEP, EST, REST API enrollment, built for DevSecOps, Kubernetes, MDM, and factory-floor issuance.

FIPS 140-2 Level 3 HSMs

All CA private keys generated and stored in certified hardware, never exportable in plaintext.

PQC-Ready

PQC-ready: hybrid post-quantum certificate profiles (ML-KEM, ML-DSA, SLH-DSA) available at the Ecosystem/IoT tier: prepare your PKI for NIST post-quantum mandates without rebuilding.

Unified REST API

The same SSL.com Web Services (SWS) REST API used for public-trust certificates: one integration covers both private and public PKI without separate code paths or credentials.

Full observability

Full observability: certificate inventory dashboards, expiration forecasting for fleet planning, immutable audit logs with tamper-evident timestamping, and SIEM/SOAR integration.

Service tiers

Pricing is indicative and subject to change. Contact us for a tailored quote.

Professional

$20,000/yr
  • Compliance-Focused
  • 500 Certs included
  • $10,000 one-time setup fee
  • 1 Root + 1 Issuing CA
  • Single use case (TLS Auth, Client Auth, Device Identity, or Code Signing)
  • Overage: $2.10 / active cert / month above 500

Enterprise

Pricing available upon request
  • Automation & Zero Trust
  • 5,000 Certs included
  • One-time setup fee applies
  • 1 Root + 1 Issuing CA
  • Multiple Use Cases (TLS Auth, Client Auth, Device Identity, Code Signing)
  • Overage applies above 5,000 active certificates

Ecosystem / IoT

Pricing available upon request
  • High Scale
  • 100,000 Certs included
  • One-time setup fee applies
  • 1 Root CA + up to 3 Issuing CAs (additional ICAs available)
  • Use for TLS Auth, Client Auth, Device Identity, or Code Signing
  • Overage applies above 100,000 active certificates
  • CPS & profile customization (optional add-on)
Ā  🔹 Professional 🔸 Enterprise 🔺 Ecosystem / IoT
Annual hosting fee $20,000 / year Upon request Upon request
One-time setup / Root Ceremony $10,000 Applicable Applicable
CPS & profile customization ā€” ā€” Optional add-on
Included active certificates 500 5,000 100,000
CA hierarchy 1 Root CA + 1 Issuing CA 1 Root CA + 1 Issuing CA 1 Root CA + up to 3 Issuing CAs (additional ICA available)
Use cases Single (TLS Auth, Client Auth, Device Identity, or Code Signing) Multiple (TLS Auth, Client Auth, Device Identity, Code Signing) All use cases
Overage $2.10 / active cert / month above 500 Applies above 5,000 Applies above 100,000

Common use cases

High-Assurance IoT & Device Identity

Medical devices, IIoT, automotive. Devices need an audited "birth certificate" for secure boot, firmware signing, and mTLS. The WebTrust audit proves the issuance process meets bank-grade security standards.

Supply Chain & Ecosystem Trust

When government agencies or large enterprises require vendors to prove security infrastructure meets strict standards, the WebTrust seal on your dedicated PKI is the documented proof.

Regulatory Compliance (SOC2, HIPAA, GDPR)

The WebTrust-audited foundation pre-certifies the PKI component of your compliance audit. Signatures issued under an audited CA are legally defensible.

Zero Trust Architecture

Machine-to-machine service mesh, container identity, internal microservice mTLS. RBAC and dual-control enforced by the platform ensure no single person can issue a rogue certificate.

Post-Quantum Transition

The Ecosystem tier supports hybrid PQC profiles combining RSA/ECC with ML-KEM, ML-DSA, and SLH-DSA. Use your dedicated environment to pilot quantum-safe certificates across internal workloads before broader rollout.

How onboarding works

1
Discovery & scoping
SSL’s enterprise team reviews your compliance requirements, use cases, and scale needs
2
CA hierarchy design
Root CA naming, Issuing CA structure, certificate profiles, and CPS scope agreed
3
Key Ceremony
Root CA private key generated in an auditor-witnessed ceremony using FIPS HSMs and M-of-N dual control
4
Platform provisioning
Enrollment endpoints (ACME/SCEP/EST/REST), RA configuration, and integrations deployed
5
Go-live
Your dedicated PKI is operational, enrollment begins against your Issuing CA
6
Ongoing operations
SSL operates the platform, manages CRL/OCSP, and provides compliance reports

Compliance & standards

WebTrust for CAs

SSL's dedicated PKI operations are covered by the same WebTrust audit as our public trust platform

FIPS 140-2 Level 3

FIPS 140-2 Level 3: all CA root and intermediate keys are generated and stored in certified HSMs, never exportable in plaintext: the protection profile required by regulated industries.

RFC 5280 (X.509)

All certificates conform to X.509 v3 / RFC 5280: compatible with every PKI-capable OS, device, and application used in enterprise environments.

ACME RFC 8555

Native ACME v2 (RFC 8555) support for automated certificate lifecycle management: works with cert-manager, Caddy, Traefik, and every standard ACME client.

SCEP / EST

SCEP and EST (RFC 7030) support for MDM platforms (Intune, Jamf), network device enrollment, and mobile certificate provisioning at enterprise scale.

NIST PQC standards

NIST Post-Quantum Cryptography standards: ML-KEM (key encapsulation), ML-DSA (digital signatures), and SLH-DSA (stateless hash-based signatures) hybrid profiles on the Ecosystem tier.

Frequently asked questions

The key difference is the WebTrust audit. Private Compliance PKI operates under SSL's independent audit program. Private Enterprise PKI uses the same HSM infrastructure without the compliance program. Choose Private Compliance PKI if you need to demonstrate independently audited governance to partners, regulators, or enterprise customers.

Managed PKI Certificates is a shared multi-tenant service, you don't own the Root CA. Private Compliance PKI gives you a fully dedicated Root CA and Issuing CA hierarchy with custom certificate policies and naming.

No. The Root CA is generated within SSL's audited infrastructure as part of a formally witnessed Key Ceremony. Introducing an externally managed root would break the audit boundary. Cross-certification options can be discussed.

An independent CPA has verified that SSL's data centers, personnel, and cryptographic processes meet the WebTrust Principles and Criteria for Certification Authorities, providing an audit pass-through for your SOC2, HIPAA, or industry requirements.

No. SSL's Unified REST API covers both your public-trust certificates and your dedicated PKI hierarchy.

Ready to build your compliant PKI?

Our enterprise team will scope your CA hierarchy, walk you through the Key Ceremony process, and design certificate profiles for your requirements, before any commitment.
Request a discovery call

Related Products

Private Enterprise PKI

Same dedicated infrastructure, without the WebTrust audit, lower cost for internal-only use.

Learn more

Managed PKI Certificates

WebTrust-audited private PKI on shared infrastructure, no dedicated Root CA, lower cost.

Learn more

Custom-Branded Issuing CA

Custom-Branded Issuing CA: publicly trusted certificates under your brand with no Root CA management required. Your organization appears as issuer while inheriting SSL.com’s trusted root.
Learn more

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.

Take Survey
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognizing you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

For more information read ourĀ Cookie and privacy statement.

3rd Party Cookies

This website uses Google Analytics & Statcounter to collect anonymous information such as the number of visitors to the site, and the most popular pages.

Keeping these cookies enabled helps us to improve our website.

Show details
Powered by  GDPR Cookie Compliance