30-day free trial — no credit card required

Stop managing certificates and secrets. Start automating them.

Zaita is the world-leading platform for X.509 certificate lifecycle management, private PKI, and secrets management. Discover every certificate, run your own CA hierarchy, automatically renew and deploy to your servers, and store and deliver secrets to every workload — all with data sovereignty in your chosen region.

30 days free · Full enterprise limits · No credit card required

Zaita / Certificate Inventory (au.zaita.com/certificates) · Acme Corp

Total Certificates: 2,847 · Expiring Soon: 14 · Policy Compliant: 98.5%

Common Name · Status · Expires · Issuer
api.acmecorp.com · Valid · 82 days · Zaita CA
mail.acmecorp.com · Expiring · 8 days · Zaita CA
auth.acmecorp.com · Valid · 47 days · Zaita CA
db.internal.acme · Valid · 31 days · Zaita CA
*.acmecorp.com · Expired · 0 days · Public CA
Showing 5 of 2,847 certificates

Zero outages: From automated certificate renewal
47 days: Max TLS cert lifespan by 2029
4 regions: Global hosting (AU, EU, AP, US)
Zero trust: Your private keys stay yours

The Mandate

Certificate lifespans are shrinking — fast

Global standards bodies are mandating shorter and shorter certificate lifespans. Manual renewal processes that barely hold together today will completely collapse within years — and the timeline is accelerating.

2024 · 398 days · Previous maximum lifespan
2026 · 200 days · Renewals double in frequency
2027 · 100 days · Manual processes become untenable
2029 · 47 days · Full automation is mandatory

Source: CA/Browser Forum Ballot SC-081 — Short-Lived Certificates

Post-Quantum Readiness

The next cryptographic crisis is already underway

Quantum computers will break RSA and ECC — the algorithms protecting every certificate in your estate. Adversaries are harvesting encrypted traffic now to decrypt it later. Zaita's centralised CLM gives you crypto agility: update the algorithm policy once and Zaita re-issues and redeploys your entire estate in hours.

ML-KEM (FIPS 203) · ML-DSA (FIPS 204) · SLH-DSA (FIPS 205)
Without a CLM

Algorithm migration across thousands of certificates takes months of manual coordination — with high risk of incomplete migration leaving vulnerable certs in production.

With Zaita CLM

Update the algorithm policy once. Zaita re-issues and redeploys every affected certificate automatically — across every server, every environment, in hours.

Secrets Management

Hardcoded secrets and manual rotation are your next breach

Credentials committed to repos, API keys shared via email, rotation deferred until after the audit — secrets sprawl is the rule, not the exception. Zaita's Secret Lockers give every application, pipeline, and workload exactly the secrets it needs, encrypted end-to-end, updated and delivered automatically, with every access recorded.

Secret Lockers · Bridge Delivery · Courier Delivery · Workload Identity · ECDH + AES-256-GCM
Without Zaita

Secrets live in config files, environment variables, and wikis. Rotation means finding every system that uses a credential, updating it manually, and hoping nothing breaks at 2am. One leaked key can cascade across your entire estate.

With Zaita Secrets Management

Every application pulls its Locker via Bridge, Courier, or Workload API — encrypted end-to-end, with zero plaintext on the wire. Rotate a secret once; Zaita delivers the new value everywhere, automatically, with a full audit trail.

Hosting

Deployed wherever your compliance requirements demand

Fully managed shared hosting or your own dedicated infrastructure — across globally distributed regions to meet data residency requirements anywhere in the world.

Multi-Tenant SaaS

Fully managed cloud hosting with strong isolation between customers. Available across multiple regions with offline backups for peace of mind.

Oceania (Sydney, Australia)
Europe - Coming Soon...
Asia - Coming Soon...
North America - Coming Soon...
Enterprise

Single-Tenant

Your own dedicated infrastructure — complete isolation for regulated industries and the strictest compliance requirements. EU specialist providers available.

Akamai, Azure, AWS, EU providers
Custom backup regions
Dedicated SLA

HSM Integration

Already have a Hardware Security Module? Connect it to Zaita for the ultimate in key protection and compliance assurance.

Azure Key Vault HSM
AWS CloudHSM
Physical HSM (contact for details)

Pricing

Start free. Grow at your pace.

There are no hidden fees or surprise overage charges. Our pricing is transparent and predictable, so you can focus on building your PKI and managing your secrets — not on managing your bill.

Personal
Coffee Tier
$5 /month

Everything you need to build and run a personal private PKI for the price of a coffee.

What's included
  • One user account
  • 1 Root CA + 2 Intermediate CA certificates
  • 5 leaf certificates per month
  • CT log scanning for 1 domain (24-hr monitoring)
  • Web portal + 1 private ACME server
  • Courier agent (direct SaaS connection, cron-scheduled)
  • 10 secret lockers

Most Popular
Home-Lab Tier
$15 /month

More certificates and more domains for active users. Perfect for home-lab use.

Everything in Coffee Tier, plus
  • One user account
  • 20 leaf certificates per month
  • CT log scanning for up to 2 domains
  • 2 private ACME servers
  • Courier agent (direct SaaS connection)
  • Email support
  • 20 secret lockers

Monthly billing · cancel anytime

Frequently asked questions

Common questions from security and infrastructure teams evaluating Zaita.

Does Zaita ever have access to my private keys?
No — never. Private keys are handled exclusively by a physically isolated signing system that has no network path to the internet. The web platform never sees key material in plaintext. Even if someone compromised the web platform entirely, your private keys would remain safe.
What is a Bridge and why does it need no inbound firewall rules?
A Bridge is a lightweight application you deploy on-premises. It polls the Zaita control plane for pending jobs — all communication is outbound HTTPS (port 443) initiated by the Bridge. Zaita never initiates a connection inward. This means you only need a standard outbound HTTPS rule, which almost every corporate firewall already permits. Bridges support high-availability by running multiple replicas, rotate cryptographic trust tokens on every poll, and self-update automatically.
How does Zaita handle the 47-day certificate mandate?
Zaita is purpose-built for short-lived certificates. Couriers run on a schedule (typically every 12 hours via cron or Task Scheduler) and automatically renew certificates when they approach the configured renewal threshold — without human involvement. With a 47-day certificate and a 14-day renewal window, every renewal happens automatically. You set the policy once; Zaita handles it indefinitely. Service restarts after renewal are triggered via configurable on-success hooks.
Is Zaita prepared for post-quantum cryptography?
The hardest part of migrating to post-quantum algorithms isn't the new algorithms — it's finding and updating every certificate in your estate quickly. Zaita's centralised control is the enabler of crypto agility: when your CA supports post-quantum algorithms such as ML-KEM, ML-DSA, or SLH-DSA (NIST FIPS 203–205), you update the policy in Zaita once and it re-issues and redeploys the entire estate automatically.
What authentication methods do Courier agents support?
Couriers support five authentication methods. The three recommended methods require no stored passwords or secrets — they use your cloud platform's native identity: SPIFFE/SPIRE (for Kubernetes and service mesh environments), Azure Workload Identity (for Azure VMs and Arc-enabled servers), and AWS IAM (for EC2, ECS, EKS, and more). Traditional certificate and client ID/secret authentication are also supported for legacy environments.
Which target systems can Zaita deploy certificates to automatically?
Bridges deploy certificates directly to Windows and Linux servers. On Windows, supported targets include IIS, Windows Certificate Store, Exchange Server, RDS Gateway, and SQL Server. On Linux, Zaita supports Nginx, Apache, HAProxy, Postfix, and any custom application via a script hook. Windows deployments support least-privilege access using Just Enough Administration (JEA).
What is a Secret Locker and how is it different from a generic secrets vault?
A Secret Locker is a named, access-controlled collection of secrets inside your tenant's Vault. Where a generic secrets vault typically grants access at the vault level, Zaita grants access at the Locker level — meaning each Courier, Bridge, or Workload can be given access only to the specific Locker it needs. An application running in production can pull its Locker without ever being able to read the database credentials held in a different team's Locker. All Lockers are versioned, and any individual secret within a Locker can be rolled back to a previous value instantly.
How are secrets encrypted in transit and at rest?
Secrets are stored exclusively as ciphertext inside the Secured Back Control Plane — the same isolated system that handles private key operations for certificates. The web portal and API layer (Front Control Plane) never hold plaintext secret values. When a Courier, Bridge, or Workload requests a Locker, delivery uses ECDH key exchange (EC P-521) with AES-256-GCM symmetric encryption. A fresh ephemeral key pair is generated for every delivery, providing forward secrecy — a captured delivery cannot be decrypted even if long-term keys were later compromised.
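
The per-delivery pattern in the answer above, as an added Node.js sketch that is not Zaita's code or wire format: both sides use a fresh P-521 key pair, and the payload is sealed with AES-256-GCM. The HKDF-SHA-512 step, the `locker-delivery-demo` label, binding the Locker name as associated data, and all function names are assumptions made for illustration.

```javascript
// Added example, not Zaita's code. HKDF-SHA-512, the info label and the AAD
// layout are assumptions; the page names only ECDH P-521 and AES-256-GCM.
const { createECDH, hkdfSync, createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// One fresh P-521 key pair per delivery, discarded afterwards.
function newEphemeral() {
  const ecdh = createECDH('secp521r1'); // OpenSSL name for NIST P-521
  return { ecdh, publicKey: ecdh.generateKeys() };
}

// Derive a 32-byte AES key from the ECDH secret, bound to both public keys.
function deriveKey(ecdh, peerPub, requesterPub, senderPub) {
  const salt = Buffer.concat([requesterPub, senderPub]);
  return Buffer.from(hkdfSync('sha512', ecdh.computeSecret(peerPub), salt, 'locker-delivery-demo', 32));
}

// Sender: encrypt the locker payload to the requester's ephemeral public key.
function sealDelivery(requesterPub, lockerName, plaintext) {
  const { ecdh, publicKey: senderPub } = newEphemeral();
  const key = deriveKey(ecdh, requesterPub, requesterPub, senderPub);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(lockerName)); // authenticated, not encrypted
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { senderPub, iv, ciphertext, tag: cipher.getAuthTag(), lockerName };
}

// Requester: recompute the key; final() throws if the tag or AAD does not verify.
function openDelivery(requester, msg) {
  const key = deriveKey(requester.ecdh, msg.senderPub, requester.publicKey, msg.senderPub);
  const decipher = createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAAD(Buffer.from(msg.lockerName));
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// Constructed sample secret delivered twice; each delivery uses unrelated keys.
function demo() {
  const secret = Buffer.from('DB_PASSWORD=constructed-sample-value');
  const r1 = newEphemeral(), r2 = newEphemeral();
  const d1 = sealDelivery(r1.publicKey, 'prod-api', secret);
  const d2 = sealDelivery(r2.publicKey, 'prod-api', secret);
  let tamperRejected = false;
  try { openDelivery(r1, { ...d1, lockerName: 'other-team' }); } catch (e) { tamperRejected = true; }
  let wrongKeyRejected = false;
  try { openDelivery(r2, d1); } catch (e) { wrongKeyRejected = true; }
  return { roundTrip: openDelivery(r1, d1).equals(secret), tamperRejected, wrongKeyRejected,
           distinct: !d1.ciphertext.equals(d2.ciphertext) };
}
```

Forward secrecy here depends on both ephemeral private keys being dropped after the delivery; authenticating the requester is a separate step this sketch leaves out.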
🇳🇿 Built in New Zealand · Est. June 2021

Security expertise, homegrown in Aotearoa

Simply Cyber Security Limited was founded in June 2021 with a clear mandate: bring world-class, independent security consulting and tooling to organisations across New Zealand and beyond — built entirely by New Zealanders, for the world.

We believe security should be practical, not performative. Our team focuses on genuine risk reduction — not checkbox compliance or boilerplate reports. When you work with us, you're working with specialists who've done this across government, finance, healthcare, and critical infrastructure.

Every line of Zaita's code is written, reviewed, and supported right here in New Zealand. No offshore handoffs, no outsourced support queues — just a team that's accountable, reachable, and deeply invested in the product.

Simply Cyber Security Limited
New Zealand Registered Business — NZBN: 9429049397420


Compliance & Standards Expertise

Deep practitioner experience across all major frameworks — from initial gap analysis through to certification and ongoing assurance.

ISO 27001 · PCI-DSS · NZ Information Security Manual · Essential 8 · NIST · NZ Privacy Act 2020 · Australian Privacy Act · GDPR

100% New Zealand Team

Every engineer, consultant, and support agent is based in New Zealand. No outsourcing, no exceptions.

Certificates expiring. Secrets sprawling. Zaita solves both.

Automate your entire certificate lifecycle, run your own private CA, and deliver secrets to every workload — all from one platform. Start a 30-day free trial with full enterprise features and no credit card required.
