Early Access: Private Enterprise PKI is currently in Early Access — get priority onboarding support, input into the product roadmap, and locked-in launch pricing.

Private Enterprise PKI

Your own Certificate Authority — provisioned by you, on your terms

Private Enterprise PKI gives your organization a privately owned CA hierarchy — your own Root CA and Issuing CA(s), HSM-backed keys, and full API-based certificate lifecycle management — that you provision and control yourself. Choose the use cases that apply to your organization, and start issuing certificates without waiting for a sales process. Ideal for organizations that need dedicated CA infrastructure for internal use cases where third-party audit evidence is not a requirement.

Dedicated CA infrastructure. Provisioned by you. Fully under your control.

Private Enterprise PKI provides the same underlying platform as Private Compliance PKI — the same FIPS-hardened HSM infrastructure, the same unified REST API, the same enrollment protocols, and the same observability capabilities — without the WebTrust compliance program and its associated Key Ceremony audit requirements.

This is a self-service product. You log in, provision your own Root CA and Issuing CA(s), select the use cases that apply to your hierarchy, and manage your PKI end-to-end. SSL.com provides all the certificate profiles needed for each use case you select — you don’t need to build or configure profiles yourself. SSL.com operates the underlying HSM infrastructure and OCSP/CRL publishing; everything above that — the CA hierarchy structure, the use case selection, the integrations — is controlled by your team.

What you get:

Your own Root CA

A dedicated CA hierarchy: your Root and Issuing CAs are not shared with any other organization.

HSM-backed CA keys

CA keys generated and stored in FIPS 140-2 Level 3 certified Hardware Security Modules, never exportable in plaintext.

Full certificate lifecycle

Issuance, renewal, rekey, rollover, revocation via ACME, SCEP, EST, and REST API. Built for Kubernetes, MDM, DevOps pipelines.

Custom certificate profiles

Define profiles for your internal use cases: TLS, Client Auth, Code Signing, Device Identity.

What is different from Private Compliance PKI: no WebTrust independent audit coverage, no auditor-witnessed Key Ceremony, and an internal-only trust scope. Certificates issued are not suitable for supply chain or partner ecosystem compliance claims. Lower cost.

Key benefits

Your own Root CA

A dedicated CA hierarchy — your Root and Issuing CAs are not shared with any other organization.

Self-service provisioning

You create your CA hierarchy, name your CAs, and configure your certificate profiles yourself — no waiting for a sales or onboarding team.

You choose your use cases

Select the use cases that apply to your hierarchy — internal mTLS, VPN/Wi-Fi, device identity, code signing, and more.

Ready-to-use certificate profiles

SSL.com provides all the certificate profiles needed for every use case you select — no custom profile building required.

FIPS 140-2 Level 3 HSMs

CA keys generated and stored in certified hardware — never exportable in plaintext. Enterprise-grade key protection for your dedicated hierarchy.

Full observability

Certificate inventory dashboards, expiration forecasting, immutable audit logs with tamper-evident timestamping, and SIEM/SOAR integration for security operations visibility.

Lower cost than audited tier

All the dedicated infrastructure benefits of Private Compliance PKI without the WebTrust compliance program cost: the right choice when external audit evidence isn’t a requirement.

Who Private Enterprise PKI is for

Private Enterprise PKI is the right choice when:

  • Your use cases are internal only and you do not need to demonstrate your PKI governance to external partners, regulators, or customers
  • You need a dedicated CA hierarchy — not a shared platform — for policy, naming, or organizational reasons
  • You are running internal mTLS, VPN/Wi-Fi authentication, internal device identity, or developer/staging certificate infrastructure
  • Your team wants to self-provision and self-manage — stand up your CA hierarchy, select your use cases, and control your integrations without relying on a vendor’s professional services
  • You want to progress to Private Compliance PKI in the future — Private Enterprise PKI uses the same platform and can be upgraded

If you need to demonstrate independently audited CA governance externally — for supply chain requirements, regulated industry compliance, or partner ecosystem trust — choose Private Compliance PKI instead.

Service tiers

Pricing is indicative and subject to change. Contact us for a tailored quote.

Lab

Free
  • Developer & Testing
  • 25 active certs included
  • 1 CA (self-signed)
  • 100 OCSP responses / month
  • Dev, testing & automation prototyping
  • Not for production use

Pro

$2,000 / yr
  • Small Teams
  • 250 active certs included
  • 2 CAs
  • 10,000 OCSP responses / month
  • Internal mTLS, VPN/Wi-Fi (EAP-TLS), small device fleet
  • Or $200 / month (PAYG)
  • Overage applies above 250 active certs

Business

$5,000 / yr
  • Mid-Market
  • 5,000 active certs included
  • 5 CAs
  • 1,000,000 OCSP responses / month
  • Multiple use cases (TLS, Client Auth, Device Identity, Code Signing)
  • Or $500 / month (PAYG)
  • Overage applies above 5,000 active certs

Enterprise

$15,000 / yr
  • Large Organizations
  • 100,000 active certs included
  • 15 CAs
  • 10,000,000 OCSP responses / month
  • All use cases, Kubernetes, multi-cloud, Intune/Jamf MDM, high-volume device identity
  • Or $1,500 / month (PAYG)
  • Overage applies above 100,000 active certs

Strategic

Custom pricing
  • Government & Global Scale
  • Custom active cert volume
  • Custom CA hierarchy
  • Custom OCSP volume
  • Government, global enterprises, specialized deployments
  • Pricing available upon request

Request Early Access

Join the Early Access programme to provision your own CA hierarchy, lock in launch pricing, and shape the product roadmap. Indicate your tier and primary use cases — for Lab and Pro tiers, accounts are provisioned automatically. For Business and Enterprise, we’ll confirm tier fit before issuing credentials.

Common use cases

Internal mTLS and service mesh

Medical devices, IIoT, automotive. Devices need an audited "birth certificate" for secure boot, firmware signing, and mTLS. The WebTrust audit proves the issuance process meets bank-grade security standards.

VPN/Wi-Fi authentication (EAP-TLS)

When government agencies or large enterprises require vendors to prove security infrastructure meets strict standards, the WebTrust seal on your dedicated PKI is the documented proof.

Internal device identity

The WebTrust-audited foundation pre-certifies the PKI component of your compliance audit. Signatures issued under an audited CA are legally defensible.

Kubernetes workload identity

Machine-to-machine service mesh, container identity, internal microservice mTLS. RBAC and dual-control enforced by the platform ensure no single person can issue a rogue certificate.

Developer and staging CAs

The Ecosystem tier supports hybrid PQC profiles combining RSA/ECC with ML-KEM, ML-DSA, and SLH-DSA. Use your dedicated environment to pilot quantum-safe certificates across internal workloads before broader rollout.

How it works — self-service setup

Private Enterprise PKI is a self-service product. After your Early Access request is approved and your account is provisioned, you control everything from the dashboard and API — no SSL.com involvement required for day-to-day operations.

| Step | What you do |
| --- | --- |
| 1 — Sign up & select your tier | Request Early Access, indicate your tier and intended use cases, and receive account credentials. |
| 2 — Provision your CA hierarchy | Log in and create your Root CA — name it, set the validity period, and choose your key algorithm. Add Issuing CAs under it to match your intended use cases. |
| 3 — Select your use cases | Choose which use cases apply to your hierarchy (e.g. internal mTLS, VPN/Wi-Fi, device identity, code signing). SSL.com activates the corresponding certificate profiles on your Issuing CAs — no profile building required. |
| 4 — Configure enrollment | Enable the enrollment protocols your environment needs — ACME, SCEP, EST, or REST API. Connect your IdP, MDM, or Kubernetes cluster. |
| 5 — Go live | Start issuing certificates. Your dedicated PKI is operational. |
| 6 — Ongoing self-management | Manage certificate lifecycle, monitor inventory and expiration, and review audit logs — all from the dashboard or API. |

SSL.com’s role: We operate the underlying HSM infrastructure, OCSP responders, CRL distribution, and provide the certificate profiles for every supported use case. You own and control your CA hierarchy, choose which use cases apply, and manage your integrations.

Compliance & standards

WebTrust for CAs

SSL.com's dedicated PKI operations are covered by the same WebTrust audit as our public trust platform.

FIPS 140-2 Level 3

All CA root and intermediate keys are generated and stored in certified HSMs, never exportable in plaintext: enterprise-grade key protection.

RFC 5280 (X.509)

All certificates conform to X.509 v3 / RFC 5280: compatible with every PKI-capable OS, device, and application in enterprise environments.

ACME RFC 8555

Native ACME v2 (RFC 8555) support for automated certificate lifecycle management: works with cert-manager, Caddy, Traefik, and every standard ACME client.

SCEP / EST

SCEP and EST (RFC 7030) support for MDM platforms (Intune, Jamf), network device enrollment, and mobile certificate provisioning at enterprise scale.

NIST PQC standards

NIST Post-Quantum Cryptography standards: ML-KEM (key encapsulation), ML-DSA (digital signatures), and SLH-DSA (stateless hash-based signatures) hybrid profiles on the Ecosystem tier.

Frequently asked questions

For Lab and Pro tiers, Early Access accounts are provisioned automatically — you can provision your CA hierarchy and start issuing certificates without any SSL.com involvement. Business and Enterprise accounts go through a lightweight intake step to confirm tier fit and issue credentials, after which everything is self-managed. Strategic accounts involve a brief scoping call given their custom nature.

No. SSL.com provides all the certificate profiles needed for each use case you select. You choose which use cases apply to your hierarchy — internal mTLS, VPN/Wi-Fi, device identity, code signing, and so on — and the corresponding profiles are activated on your Issuing CAs automatically.

Both give you a dedicated Root CA and Issuing CA(s) on the same FIPS-hardened platform. The difference is the WebTrust audit. Private Compliance PKI's Key Ceremony is witnessed by SSL.com's independent auditor, and your hierarchy is covered by the same audit program as our public trust operations — giving you "audit pass-through" for SOC2, HIPAA, supply chain, and partner compliance requirements. Private Enterprise PKI is the same infrastructure without the compliance program.

Managed PKI Certificates is a shared multi-tenant service — you don't own the Root CA. Private Enterprise PKI gives you a fully dedicated CA hierarchy with your own Root CA, not shared with any other tenant.

Yes — because both products are built on the same platform, upgrading to add WebTrust audit coverage is a process discussion, not an infrastructure migration.

Supported use cases include: internal mTLS and service mesh, VPN/Wi-Fi authentication (EAP-TLS), internal device identity, developer and staging CAs, Kubernetes workload identity, and code signing. You select which of these apply to your hierarchy, and SSL.com provisions the appropriate certificate profiles on your Issuing CAs.

Yes. Your tier determines how many CAs you can create. Business customers can create up to 6 CAs — a common pattern is one Issuing CA per use case (e.g., one for TLS, one for Client Auth, one for device identity) under a shared Root CA.

Ready to provision your own dedicated internal PKI?

Join the Early Access programme — get priority onboarding, input into the product roadmap, and locked-in launch pricing. No commitment required.

Related Products

Private Compliance PKI

Same dedicated infrastructure + WebTrust audit coverage, for regulated and compliance use cases.

Managed PKI Certificates

WebTrust-audited private PKI on shared infrastructure, no dedicated Root CA, lower cost.

Custom-Branded Issuing CA

Publicly trusted certificates under your brand with no Root CA management required. Your organization name appears as issuer.
