Build your own CA.
Own your PKI.
Zaita's Private PKI gives you a complete root and intermediate CA hierarchy — fully managed, with private keys protected in a dedicated, isolated signing system that never touches the internet.
30 days free · Full enterprise limits · No credit card required
Private PKI
A complete CA hierarchy — fully in your control
Issue certificates for any workload, on any schedule. You choose the algorithms, the key lengths, the policies, and the hierarchy depth.
Root & Intermediate CA Hierarchy
Build a multi-tier CA hierarchy with a root CA and multiple intermediate CAs scoped by department, environment, or certificate type. Take your root CA key offline for maximum security.
- Root CA + multiple Intermediate CAs (depending on plan)
- Scope intermediate CAs by domain, environment, or purpose
- CRL and OCSP endpoints generated automatically
- Cross-sign with existing external CAs if needed
Certificate Types & Profiles
Issue the right certificate for every use case — TLS/SSL, code signing, S/MIME, client authentication, and more. Profiles enforce consistent settings automatically.
- TLS/SSL — web, mail, database, and internal service certificates
- Client authentication — mTLS, VPN, and device certificates
- Code signing — sign binaries, scripts, and packages
- Custom profiles with enforced SANs, key usage, and validity
Algorithm Choice & Key Strength
Choose the cryptographic algorithms that match your security requirements. Industry-standard options today, post-quantum ready when you need it.
- RSA (2048, 3072, 4096-bit) and ECDSA (P-256, P-384, P-521)
- Post-quantum ready: ML-KEM (NIST FIPS 203) and ML-DSA (NIST FIPS 204)
- Policy-enforced minimum key length across all certificate types
- Estate-wide algorithm migration in hours via policy update
Private ACME Server
Run your own private ACME endpoint backed by your Zaita CA. Any ACME-compatible client can request and renew certificates automatically — no custom scripts, no vendor lock-in.
- Works with Certbot, acme.sh, cert-manager, Caddy, Traefik, win-acme
- Secure client authentication — locked down ACME endpoint
- Restrict which domains each ACME account can request
- Multiple ACME servers — isolate by team, environment, or CA
Security Model
Your private keys are protected by architecture — not just policy
Zaita is built with a unique split-system architecture. The internet-facing platform never touches your private key material — ever. A physically separate, isolated signing system handles all cryptographic operations with no external network access.
Even a complete breach of the web platform cannot expose your private keys. That's not a policy promise — it's a physical impossibility.
- Unique encryption keys per customer — your keys are yours alone, never shared
- Full tenant isolation — every organisation's data is cryptographically separated
- HSM integration available — Azure Key Vault HSM, AWS CloudHSM, and physical HSMs
Identity & Access
Enterprise-grade access control for every team
Fine-grained roles, SSO integration, cloud-native machine identity, and IP-based access controls — built for security-conscious organisations.
SSO / SAML
Connect your existing identity provider — Okta, Azure AD, Google Workspace, or any SAML 2.0-compatible IdP. Users authenticate through your IdP; Zaita enforces role assignments centrally.
- Single sign-on via your existing identity provider
- SAML 2.0 compatible — works with Okta, Azure AD, Google, and more
- JIT provisioning for new users on first login
Role-Based Access Control
Six distinct role types let you scope access precisely. PKI administrators, deployment engineers, policy owners, and read-only auditors each have exactly the access they need — nothing more.
- 6 role types: PKI, Deployment, Policy, Reporting, Admin, Read-Only
- Domain-scoped access — restrict teams to their own certificate domains
- All role changes captured in the immutable audit log
Machine Accounts
Cloud-native identity for automated workloads. No passwords stored anywhere — Couriers and service integrations authenticate using your cloud platform's built-in identity.
- Azure Workload Identity — for Azure VMs and Arc-enabled servers
- AWS IAM — for EC2, ECS, EKS, and Lambda workloads
- SPIFFE/SPIRE — for Kubernetes and service mesh environments
IP Whitelisting
Restrict API and SIEM access to approved IP ranges. Ensure that only your own networks, monitoring systems, and approved DevOps tools can interact with Zaita programmatically.
- Per-account IP allow lists for API and SIEM endpoints
- Supports CIDR notation — restrict to /24 or any subnet
- Blocked access attempts logged and alerted in real time
Hosting
Deployed wherever your compliance requirements demand
Fully managed shared hosting or your own dedicated infrastructure — across globally distributed regions to meet data residency requirements anywhere in the world.
Multi-Tenant SaaS
Fully managed cloud hosting with strong isolation between customers. Available across multiple regions with offline backups.
Single-Tenant
Your own dedicated infrastructure — complete isolation for regulated industries. EU specialist providers available.
HSM Integration
Connect your existing Hardware Security Module to Zaita for the ultimate in key protection and compliance assurance.
Build a PKI your organisation can trust
Start your 30-day free trial and build your first CA hierarchy today — no credit card required.