Private Enterprise PKI

Your own dedicated Certificate Authority, without the compliance program overhead

Private Compliance PKI is a cloud-hosted, WebTrust-audited CA hierarchy that belongs entirely to your organization. Your own Root CA and Issuing CA(s), HSM-backed keys, auditor-witnessed Key Ceremonies, and independently verified compliance controls, operated by SSL on the same infrastructure that underpins our public trust platform.

Dedicated CA infrastructure. Full control. Internal trust.

Private Enterprise PKI provides the same underlying platform as Private Compliance PKI (the same FIPS-hardened HSM infrastructure, unified REST API, enrollment protocols, and observability capabilities) without the WebTrust compliance program and its associated Key Ceremony audit requirements.

What you get:

Your own Root CA

A dedicated CA hierarchy: your Root and Issuing CAs are not shared with any other organization.

HSM-backed CA keys

CA keys generated and stored in FIPS 140-2 Level 3 certified Hardware Security Modules, never exportable in plaintext.

Full certificate lifecycle

Issuance, renewal, rekey, rollover, and revocation via ACME, SCEP, EST, and REST API. Built for Kubernetes, MDM, and DevOps pipelines.

Custom certificate profiles

Define profiles for your internal use cases: TLS, Client Auth, Code Signing, Device Identity.

What is different from Private Compliance PKI: no WebTrust independent audit coverage and no auditor-witnessed Key Ceremony; trust scope is internal only; certificates issued are not suitable for supply chain or partner ecosystem compliance claims. Lower cost.

Key benefits

Your own Root CA

Inherit SSL's WebTrust audit evidence for your PKI, without building or funding your own audit program.

FIPS 140-2 Level 3 HSMs

Partners, regulators, and customers can inspect your CA's audited governance, not just its certificates.

Full automation

ACME, SCEP, EST, and REST API enrollment, built for DevSecOps, Kubernetes, MDM, and factory-floor issuance.

Unified REST API

The same SSL.com Web Services (SWS) REST API used for public-trust certificates: no separate SDK, no separate authentication, no parallel integration required for internal and external certificate workflows.

Custom certificate profiles

Hybrid post-quantum profiles (ML-KEM, ML-DSA, SLH-DSA) available at the Ecosystem/IoT tier.

Full observability

Certificate inventory dashboards, expiration forecasting, immutable audit logs with tamper-evident timestamping, and SIEM/SOAR integration for security operations visibility.

Lower cost than audited tier

All the dedicated infrastructure benefits of Private Compliance PKI without the WebTrust compliance program cost: the right choice when external audit evidence isn’t a requirement.

Who Private Enterprise PKI is for

Private Enterprise PKI is the right choice when:

  • Your use cases are internal only and you do not need to demonstrate your PKI governance to external partners, regulators, or customers
  • You need a dedicated CA hierarchy, not a shared platform, for policy, naming, or organizational reasons
  • You are running internal mTLS, VPN/Wi-Fi authentication, internal device identity, or developer/staging certificate infrastructure
  • Your organization wants full CA control over certificate profiles and policies without the compliance overhead
  • You want to progress to Private Compliance PKI in the future; Private Enterprise PKI uses the same platform and can be upgraded

If you need to demonstrate independently audited CA governance externally, for supply chain requirements, regulated industry compliance, or partner ecosystem trust, choose Private Compliance PKI instead.

Service tiers

Pricing is indicative and subject to change. Contact us for a tailored quote.

Lab

Free
  • Developer & Testing
  • 25 active certs included
  • 1 CA (self-signed)
  • 100 OCSP responses / month
  • Dev, testing & automation prototyping
  • Not for production use

Pro

$2,000 / yr
  • Small Teams
  • 250 active certs included
  • 2 CAs
  • 10,000 OCSP responses / month
  • Internal mTLS, VPN/Wi-Fi (EAP-TLS), small device fleet
  • Or $200 / month (PAYG)
  • Overage applies above 250 active certs

Business

$5,000 / yr
  • Mid-Market
  • 5,000 active certs included
  • 5 CAs
  • 1,000,000 OCSP responses / month
  • Multiple use cases (TLS, Client Auth, Device Identity, Code Signing)
  • Or $500 / month (PAYG)
  • Overage applies above 5,000 active certs

Enterprise

$15,000 / yr
  • Large Organizations
  • 100,000 active certs included
  • 15 CAs
  • 10,000,000 OCSP responses / month
  • All use cases, Kubernetes, multi-cloud, Intune/Jamf MDM, high-volume device identity
  • Or $1,500 / month (PAYG)
  • Overage applies above 100,000 active certs

Strategic

Custom pricing
  • Government & Global Scale
  • Custom active cert volume
  • Custom CA hierarchy
  • Custom OCSP volume
  • Government, global enterprises, specialized deployments
  • Pricing available upon request

Active = Total Issued − Expired − Revoked. You are only billed for certificates currently valid.

Tier comparison

| | 🔹 Lab | 🔸 Pro | 🔶 Business | 🔺 Enterprise | ⭐ Strategic |
| --- | --- | --- | --- | --- | --- |
| Annual fee | Free | $2,000 / yr | $5,000 / yr | $15,000 / yr | Custom |
| Monthly (PAYG) | Free | $200 / mo | $500 / mo | $1,500 / mo | Custom |
| CA hierarchy | 1 (self-signed) | 2 | 5 | 15 | Custom |
| Included active certs | 25 | 250 | 5,000 | 100,000 | Custom |
| Included OCSP / month | 100 | 10,000 | 1,000,000 | 10,000,000 | Custom |
| Overage | — | Above 250 | Above 5,000 | Above 100,000 | Custom |

Variable overage rates, applied when plan limits are exceeded:

  • Additional active certificate: $0.15 per certificate / month
  • Additional OCSP responses: $0.25 per 100,000 responses


Request Information

Contact our PKI solution architects to design a Managed PKI deployment tailored to your environment. Our team will confirm your service tier fit, namespace requirements, and integration options for your enrollment systems (ACME, SCEP, EST, REST API).

Common use cases

Internal mTLS and service mesh

Medical devices, IIoT, automotive. Devices need an audited "birth certificate" for secure boot, firmware signing, and mTLS. The WebTrust audit proves the issuance process meets bank-grade security standards.

VPN/Wi-Fi authentication (EAP-TLS)

When government agencies or large enterprises require vendors to prove security infrastructure meets strict standards, the WebTrust seal on your dedicated PKI is the documented proof.

Internal device identity

The WebTrust-audited foundation pre-certifies the PKI component of your compliance audit. Signatures issued under an audited CA are legally defensible.

Kubernetes workload identity

Machine-to-machine service mesh, container identity, internal microservice mTLS. RBAC and dual-control enforced by the platform ensure no single person can issue a rogue certificate.

Developer and staging CAs

The Ecosystem tier supports hybrid PQC profiles combining RSA/ECC with ML-KEM, ML-DSA, and SLH-DSA. Use your dedicated environment to pilot quantum-safe certificates across internal workloads before broader rollout.

How onboarding works

1. Discovery & scoping: SSL’s enterprise team reviews your use cases, scale needs, and CA hierarchy requirements
2. CA hierarchy design: Root CA naming, Issuing CA structure, and certificate profiles agreed
3. Key Ceremony: Root CA private key generated in a documented ceremony using FIPS HSMs (standard, not auditor-witnessed)
4. Platform provisioning: Enrollment endpoints, certificate profiles, and integrations deployed
5. Go-live: Your dedicated PKI is operational; enrollment begins
6. Ongoing operations: SSL operates the platform and manages CRL publication

Compliance & standards

WebTrust for CAs

SSL's dedicated PKI operations are covered by the same WebTrust audit as our public trust platform

FIPS 140-2 Level 3

All CA root and intermediate keys are generated and stored in FIPS 140-2 Level 3 certified HSMs, never exportable in plaintext, for enterprise-grade key protection.

RFC 5280 (X.509)

All certificates conform to X.509 v3 / RFC 5280: compatible with every PKI-capable OS, device, and application in enterprise environments.

ACME RFC 8555

Native ACME v2 (RFC 8555) support for automated certificate lifecycle management: works with cert-manager, Caddy, Traefik, and every standard ACME client.

SCEP / EST

SCEP and EST (RFC 7030) support for MDM platforms (Intune, Jamf), network device enrollment, and mobile certificate provisioning at enterprise scale.

NIST PQC standards

NIST Post-Quantum Cryptography standards: ML-KEM (key encapsulation), ML-DSA (digital signatures), and SLH-DSA (stateless hash-based signatures) hybrid profiles on the Ecosystem tier.

Frequently asked questions

Both give you a dedicated Root CA and Issuing CA(s) on the same FIPS-hardened platform. The difference is the WebTrust audit. Private Compliance PKI's Key Ceremony is witnessed by SSL's independent auditor, and your hierarchy is covered by the same audit program as our public trust operations, giving you "audit pass-through" for SOC2, HIPAA, supply chain, and partner compliance requirements. Private Enterprise PKI is the same infrastructure without the compliance program.

Managed PKI Certificates is a shared multi-tenant service; you don't own the Root CA. Private Enterprise PKI gives you a fully dedicated CA hierarchy with your own Root CA and custom certificate policies, not shared with any other tenant.

Yes. Because both products are built on the same platform, upgrading to add WebTrust audit coverage is a process discussion, not an infrastructure migration.

Internal mTLS and service mesh, VPN/Wi-Fi authentication (EAP-TLS), internal device identity, developer and staging CAs, Kubernetes workload identity, and any scenario where you need a dedicated CA hierarchy for internal trust without external compliance requirements.

Ready to build your dedicated internal PKI?

Our enterprise team will scope your CA hierarchy, design certificate profiles for your use cases, and walk you through onboarding, before any commitment.

Related Products

Private Compliance PKI

Same dedicated infrastructure + WebTrust audit coverage, for regulated and compliance use cases.

Managed PKI Certificates

WebTrust-audited private PKI on shared infrastructure, no dedicated Root CA, lower cost.

Custom-Branded Issuing CA

Publicly trusted certificates under your brand with no Root CA management required. Your organization name appears as issuer.
