Ready for the 47-day certificate mandate

End certificate chaos.
Automate the entire lifecycle.

Zaita discovers every certificate across your estate, issues from your own private CA, automates renewal, and deploys directly to Windows and Linux servers — with full post-quantum readiness built in.

30 days free · Full enterprise limits · No credit card required

The Mandate

Certificate lifespans are shrinking — fast

Global standards bodies are mandating shorter and shorter certificate lifespans. Manual renewal processes that barely hold together today will completely collapse within years — and the timeline is accelerating.

  • 2024: 398 days (previous maximum lifespan)
  • 2026: 200 days (renewals double in frequency)
  • 2027: 100 days (manual processes become untenable)
  • 2029: 47 days (full automation is mandatory)

Source: CA/Browser Forum Ballot SC-081 — Short-Lived Certificates

More renewals per certificate by 2029 compared to 2024
Zero: tolerance for missed renewals; expired certs cause immediate outages
Hours: how fast Zaita migrates your entire estate to a new algorithm

Capabilities

Every CLM capability your security team needs

From discovering certificates you didn't know existed, to zero-touch automated renewal and deployment — Zaita covers the entire certificate lifecycle.

Certificate Discovery

Build a complete picture of every certificate across your organisation — including ones issued without your knowledge. New certificates are surfaced within 24 hours.

  • Certificate Transparency log scanning — catch rogue certs automatically
  • Active HTTPS endpoint scanning across your networks
  • Scan internal networks securely — zero firewall changes required
  • Email alerts when unknown or expiring certificates appear

Policy & Compliance

Stop non-compliant certificates from ever reaching production. Set your security standards once and Zaita enforces them on every certificate, every time.

  • Set policies per domain — warn on violations or block them entirely
  • Enforce key algorithm, minimum key length, and SAN requirements
  • Lock down which certificates each server is allowed to request
  • Fine-grained roles for every team — PKI, Deployment, Policy, Reporting
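As an added illustration of the policy gate described above (example code written for this page, not Zaita's own), the check below evaluates a certificate request's key algorithm, minimum key length, SAN scope and validity period against a hypothetical per-domain policy in warn or block mode, using the lifetime schedule from the mandate section; because the page gives no effective dates within each year, each limit is assumed to apply from 1 January.

```python
from dataclasses import dataclass, field
from datetime import date
# Max leaf-certificate lifetimes (days) by year as listed on this page (SC-081).
# The page gives no effective dates, so each limit is assumed from 1 January.
MAX_LIFETIME_DAYS = {2024: 398, 2026: 200, 2027: 100, 2029: 47}

@dataclass
class CertInfo:  # constructed, minimal view of a certificate request
    subject_cn: str
    sans: list
    key_algorithm: str  # e.g. "RSA", "EC", "ML-DSA"
    key_bits: int
    not_before: date
    not_after: date

@dataclass
class DomainPolicy:  # hypothetical per-domain policy, warn or block mode
    domain: str
    allowed_algorithms: tuple = ("EC", "ML-DSA")
    min_key_bits: dict = field(default_factory=lambda: {"RSA": 3072, "EC": 256})
    mode: str = "block"

def max_lifetime_for(issued: date) -> int:  # limit for the issuance date
    years = [y for y in MAX_LIFETIME_DAYS if y <= issued.year]
    return MAX_LIFETIME_DAYS[max(years, default=2024)]

def evaluate(cert: CertInfo, policy: DomainPolicy) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if cert.key_algorithm not in policy.allowed_algorithms:
        violations.append(f"algorithm {cert.key_algorithm} not allowed")
    required = policy.min_key_bits.get(cert.key_algorithm)
    if required is not None and cert.key_bits < required:
        violations.append(f"{cert.key_algorithm} key {cert.key_bits} bits < {required}")
    if cert.subject_cn not in cert.sans:
        violations.append("subject CN must also appear in the SAN list")
    for name in cert.sans:  # every SAN must sit under the policy's domain
        if name != policy.domain and not name.endswith("." + policy.domain):
            violations.append(f"SAN {name} outside policy scope {policy.domain}")
    lifetime = (cert.not_after - cert.not_before).days
    limit = max_lifetime_for(cert.not_before)
    if lifetime > limit:
        violations.append(f"lifetime {lifetime} days exceeds {limit}-day maximum")
    return violations

def decide(cert: CertInfo, policy: DomainPolicy) -> str:  # issue / warn / block
    if not evaluate(cert, policy):
        return "issue"
    return "block" if policy.mode == "block" else "warn"
```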

Audit & SIEM Integration

Every action in Zaita is captured in a tamper-proof audit log and fed directly into your security monitoring tools. Know exactly who did what, when, and from where.

  • Complete audit trail — logins, issuance, deployments, admin changes
  • Feed your SIEM via webhook, S3/Azure/GCS, syslog, or REST API
  • IP-restricted SIEM API endpoint — secure, programmatic log access
  • Real-time alerting on certificate expiry and policy violations

How It Works

From discovery to deployment — fully automated

Whether you're cloud-native, on-premises, or somewhere in between — Zaita handles the entire certificate lifecycle so your team doesn't have to.

Step 1

Discover

Zaita continuously scans the internet and your internal networks to build a complete inventory of every certificate tied to your organisation — including ones you didn't issue.

Step 2

Issue & Manage

Issue certificates from your own private CA or connect an existing one. Every certificate is automatically checked against your security policies before it's signed — no exceptions.

Step 3

Automate & Deploy

Certificates are pushed or pulled directly to your servers, databases, and load balancers — and services restart automatically. Renewals happen silently in the background, every time.

Automation

Three ways to automate. Every environment covered.

Purpose-built for on-premises, cloud, and everything in between — Zaita's automation tools eliminate every last manual certificate operation across your infrastructure.

Bridges
On-premises deployment agent

A small, self-contained agent you deploy on-premises. Bridges reach out to Zaita for work — all communication is outbound. No inbound connections, no firewall changes, no headaches.

  • Windows installer, Linux packages, standalone binary, or Docker
  • Deploys to Windows and Linux servers automatically
  • Security tokens rotate automatically every 24 hours
  • Self-updating — run multiple agents for built-in high availability
  • Doubles as a secure relay for air-gapped environments

Couriers
Pull-based certificate delivery CLI

A lightweight scheduled tool that runs silently every 12 hours — no background service required. Couriers request, renew, and deliver certificates to the local application, then trigger service restarts automatically.

  • No stored passwords — authenticates via cloud identity (Azure, AWS) or SPIFFE
  • Private keys are generated and stay on the host — never transmitted
  • Automatically restarts services on success, or triggers alerts on failure
  • Connects directly to Zaita, or via a Bridge for air-gapped environments
  • Works with CI/CD: GitHub Actions, GitLab CI, and more

Private ACME Server
Standards-based automated issuance

Run your own private ACME endpoint backed by your Zaita CA. Any ACME-compatible tool — from Certbot to Kubernetes cert-manager — can request and renew certificates automatically. No custom scripts needed.

  • Works with every major ACME client: Certbot, acme.sh, cert-manager, Caddy, Traefik, win-acme
  • Secure client authentication keeps your ACME endpoint locked down
  • Restrict which domains each client account is allowed to request
  • Multiple servers per account — isolate by environment or team

Deployment

Certificates land on your servers — automatically

Bridges deploy certificates directly to Windows and Linux servers and trigger service restarts. Credentials are only ever decrypted in memory — never written to disk or stored in transit.

Windows Server Targets

  • Internet Information Services (IIS): web server TLS binding, automatic service restart
  • Windows Certificate Store: machine and user store deployment, full chain import
  • Microsoft Exchange Server: front-end, back-end, and SMTP service bindings
  • RDS Gateway: Remote Desktop Services SSL listener certificate
  • SQL Server: encrypted connections and replication certificate

JEA (Just Enough Administration) — least-privilege Windows deployments. No local admin rights required.

Linux Server Targets

  • Nginx: TLS certificate and key deployment with reload trigger
  • Apache HTTP Server: virtual host certificate binding with graceful restart
  • HAProxy: combined PEM file deployment and reload
  • Postfix / Dovecot: mail server TLS certificate renewal
  • Custom Application: script hook — run any command after certificate delivery

SSH deployment — Bridges connect over SSH with scoped credentials. Private keys never leave the host.

Post-Quantum Threat

The next cryptographic crisis is already underway

Quantum computers will break RSA and ECC — the algorithms protecting every certificate in your estate today. The threat isn't hypothetical: adversaries are harvesting encrypted traffic now to decrypt it once quantum arrives.

"Harvest Now, Decrypt Later"

Nation-state actors are recording encrypted traffic today. When a cryptographically relevant quantum computer arrives, every intercepted session becomes readable. Data stolen today is the target.

RSA & ECC Will Be Broken

Every TLS certificate, code-signing certificate, and S/MIME certificate in your estate is signed with an algorithm that a sufficiently large quantum computer will break in hours — not years.

The Standards Are Ready

NIST finalised the first post-quantum cryptography standards in August 2024: ML-KEM, ML-DSA, and SLH-DSA. The replacement algorithms exist. The bottleneck is migration speed across your estate.

Crypto Agility

The organisations that survive will be the ones that can move quickly

Crypto agility is the ability to rapidly swap cryptographic algorithms across your entire certificate estate — without downtime, without a war room, without months of manual effort.

Without a CLM, migrating thousands of certificates to post-quantum algorithms means locating every certificate manually, contacting every team that owns one, and re-issuing them one by one. At best, it takes months.

Zaita gives you centralised control over your entire certificate estate. When the time comes to migrate to post-quantum algorithms, you update the policy, define the new algorithm, and Zaita re-issues and redeploys every affected certificate automatically — across every server, every environment, in hours.

Without a CLM

  • No central inventory — hunting for certificates across teams and spreadsheets
  • Each certificate re-issued manually — weeks of coordination per team
  • Algorithm migration across thousands of certs: months to years
  • High risk of incomplete migration leaving RSA/ECC certs in production

With Zaita CLM

  • Complete certificate inventory — every cert, every server, visible in one place
  • Update algorithm policy once — Zaita re-issues and redeploys estate-wide
  • Mass algorithm migration: hours, not months
  • Full audit trail confirms every certificate migrated — nothing left behind

NIST Post-Quantum Cryptography standards finalised August 2024:

  • ML-KEM (FIPS 203)
  • ML-DSA (FIPS 204)
  • SLH-DSA (FIPS 205)

Source: NIST IR 8413 / FIPS 203–205

The certificate crisis is coming. Zaita is ready. Are you?

Get started with a 30-day free trial — no credit card needed, full enterprise features from day one.

30 days · Full enterprise limits · No credit card required