NextPKI
Pillar 01

Find every certificate.
Even the ones nobody told you about.

You cannot renew what you cannot see. Discovery is where every NextPKI engagement starts.

  • Sensor: Rust, AGPL-3.0, public source
  • Cloud: 3 providers (AWS · Azure · GCP)
  • CAs: 6 supported (DigiCert · Sectigo · GlobalSign · LE · ZeroSSL · SwissSign)
  • CT logs: all known, watched continuously
Sources

Four independent sources.
One reconciled inventory.

No single source sees everything. We run all four and merge the overlap into one record per certificate, so a certificate can only go unnoticed if it is missing from your network, your cloud, your CA portals, and the public logs at the same time. It usually is not.

Network

The sensor

A small agent that walks the CIDR ranges you configure, performs TLS handshakes against open ports, and reports the certificates it finds. Runs in your network, talks only to your NextPKI tenant over mutual TLS.

  • Open source under AGPL-3.0, written in Rust
  • Read-only. Never holds private keys.
  • Sends only certificate metadata, never the connection payload
  • Bootstrap via single-use mTLS token
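An added example of the kind of sweep the sensor description above amounts to, written in plain Python with only the standard library. It is not the NextPKI sensor's code (that is Rust); the CIDR range, ports, hostname hint and file paths are constructed placeholders. It walks the configured ranges, completes a handshake against each port, and keeps only the public side: fingerprint, DER certificate, endpoint. Verification is deliberately off, because a discovery sweep must catalogue private-CA and expired certificates rather than refuse to talk to them, and a client never sees the server's private key in a handshake, so there is nothing to leak. The SNI retry matters in practice: without a server name a multi-host server returns only its default certificate.

```python
"""Minimal certificate discovery sweep (illustrative, not the NextPKI sensor)."""
import hashlib
import ipaddress
import socket
import ssl
from typing import Iterable, Optional


def expand_targets(cidrs: Iterable[str], ports: Iterable[int]) -> list[tuple[str, int]]:
    """Expand CIDR ranges into (ip, port) pairs; network and broadcast addresses are skipped."""
    return [
        (str(ip), port)
        for cidr in cidrs
        for ip in ipaddress.ip_network(cidr, strict=False).hosts()
        for port in ports
    ]


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding: the natural key for de-duplicating sightings across sources."""
    return hashlib.sha256(der).hexdigest()


def probe(host: str, port: int, server_name: Optional[str] = None,
          timeout: float = 3.0) -> Optional[dict]:
    """Handshake with host:port and return public-side facts, or None if nothing speaks TLS there."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # cataloguing, not trusting: private CAs and expired certs included
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                der = tls.getpeercert(binary_form=True)
                if not der:
                    return None
                return {
                    "source": "sensor",
                    "endpoint": f"{host}:{port}",
                    "sni": server_name,
                    "tls_version": tls.version(),
                    "sha256": cert_fingerprint(der),
                    "der": der,                     # public certificate only; no key material exists client-side
                }
    except OSError:                     # refused, timed out, or handshake failed (ssl.SSLError is an OSError)
        return None


def sweep(cidrs: Iterable[str], ports: Iterable[int],
          sni_hints: Iterable[str] = ()) -> list[dict]:
    """Probe every target once without SNI and once per hostname hint.

    A server hosting several names returns its default certificate when the client sends
    no SNI, so hostnames you already know (DNS zones, CA orders) let the sweep find the
    per-vhost certificates a bare IP scan would miss. Distinct fingerprints per endpoint are kept.
    """
    findings: list[dict] = []
    for host, port in expand_targets(cidrs, ports):
        seen: set[str] = set()
        for name in (None, *sni_hints):
            hit = probe(host, port, server_name=name)
            if hit and hit["sha256"] not in seen:
                seen.add(hit["sha256"])
                findings.append(hit)
    return findings


def report_context(tenant_ca: str, sensor_cert: str, sensor_key: str) -> ssl.SSLContext:
    """Outbound mTLS context for reporting: pinned to the tenant CA, presenting the sensor's own client cert.

    The three paths stand for whatever the one-shot bootstrap provisioned (assumed layout).
    """
    ctx = ssl.create_default_context(cafile=tenant_ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=sensor_cert, keyfile=sensor_key)
    return ctx


if __name__ == "__main__":
    # Constructed range and hint; replace with the ranges you actually configure.
    for f in sweep(["10.4.7.0/28"], [443, 8443], sni_hints=["api.acme.eu"]):
        print(f["endpoint"], f["sni"], f["tls_version"], f["sha256"])
```

Only `sha256`, `endpoint`, `sni` and `tls_version` need to leave the network; the `der` field is kept here so a parser can extract subject, SANs and validity locally before reporting.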
Cloud

Cloud connectors

Read-only API integrations with the cloud certificate stores you already use. On your behalf we pull what is issued, what is bound to load balancers, and what is about to expire.

  • AWS ACM and AWS IAM Server Certificates
  • Azure Key Vault
  • Google Cloud Certificate Manager
  • Role-scoped IAM, no write permission required
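As an added example of what the last bullet means in practice, here is a read-only AWS IAM policy of the shape a connector like this can run under. It is not NextPKI's published policy, and the exact set of actions a connector needs is an assumption; the point is that listing, describing and fetching certificates from ACM and IAM, plus reading listener bindings, needs no write permission at all:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadCertificateStores",
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:ListTagsForCertificate",
        "iam:ListServerCertificates",
        "iam:GetServerCertificate"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReadLoadBalancerBindings",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeListenerCertificates"
      ],
      "Resource": "*"
    }
  ]
}
```

`acm:GetCertificate` and `iam:GetServerCertificate` return the certificate and chain only; neither service hands back a private key through these calls. The one ACM action that can export a key, `acm:ExportCertificate` (available for certificates issued by ACM Private CA), is deliberately absent, which is the check to make when reviewing any such policy.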
CA

CA account sync

Every certificate you have ever ordered from a public CA shows up in the CA portal. We pull that inventory through the CA APIs so old orders, expiring orders, and orders someone else placed on the same account are all visible.

  • DigiCert · Sectigo · GlobalSign · SwissSign
  • Let's Encrypt and ZeroSSL via ACME account state
  • Token-scoped, read-only API keys
  • Maps every order to its deployment, if we can see it
Public

Certificate Transparency

Every TLS certificate from a publicly trusted CA lands in a CT log. We watch the logs continuously for issuance against your domains, so a certificate someone provisioned without telling you still shows up within minutes.

  • Catches shadow IT and ex-employee orders
  • Catches mis-issuance against your domains
  • Alerts within minutes of log inclusion
  • Works for domains we do not yet have a CA account for
Data shape

What we capture per certificate.

Enough to reason about it, never the private key. Every cert in the inventory carries the public-side metadata plus where in your estate it was actually seen.

  • Subject, issuer, SAN list, serial, fingerprints
  • NotBefore, NotAfter, validity window, days remaining
  • Key algorithm, key size, signature algorithm
  • Every endpoint where we saw it deployed (host, port, source)
  • Chain reconstruction with all observed intermediates
Example inventory record for api.acme.eu:
{
  "common_name": "api.acme.eu",
  "sans":        ["api.acme.eu", "v2.api.acme.eu"],
  "issuer":      "Let's Encrypt R10",
  "not_after":   "2026-06-08T07:14:22Z",
  "days_left":   14,
  "key":         "ECDSA P-256",
  "sig_alg":     "ecdsa-with-SHA256",
  "seen_at": [
    { "source": "sensor", "endpoint": "10.4.7.12:443" },
    { "source": "aws-acm", "arn": "...alb-prod" },
    { "source": "ct-log",  "log": "Argon 2026" }
  ]
}
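The reconciliation step from the Sources section ("four independent sources, one reconciled inventory") and the record shape above, as an added example that is not NextPKI's code. One record per certificate, keyed by the SHA-256 fingerprint of its DER encoding, with every place it was seen merged in; the source labels, field names, fingerprints and the sample sightings are constructed for illustration. The triage at the end shows why the merge matters: a certificate seen only in CT logs is a shadow issuance, one that sits in a CA account but was never observed deployed is an orphaned order, and days remaining falls out of the merged record.

```python
"""Reconcile sightings from the discovery sources into one inventory (illustrative, not NextPKI's code)."""
from datetime import datetime, timezone

# Assumed source labels; the page names the sources, not their identifiers.
DEPLOYED_SOURCES = {"sensor", "aws-acm", "azure-keyvault", "gcp-certmgr"}
CA_SOURCES = {"ca-digicert", "ca-sectigo", "ca-globalsign", "ca-swisssign",
              "acme-letsencrypt", "acme-zerossl"}
CT_SOURCE = "ct-log"
LOCATION_FIELDS = ("source", "endpoint", "arn", "order_id", "log")

# Constructed sample data. Fingerprints are placeholders, not real SHA-256 values.
API = dict(sha256="a1", common_name="api.acme.eu", sans=["api.acme.eu", "v2.api.acme.eu"],
           issuer="Let's Encrypt R10", not_after="2026-06-08T07:14:22Z")
VPN = dict(sha256="b2", common_name="vpn.acme.eu", sans=["vpn.acme.eu"],
           issuer="Sectigo RSA Domain Validation Secure Server CA", not_after="2027-01-15T00:00:00Z")
LEGACY = dict(sha256="c3", common_name="legacy.acme.eu", sans=["legacy.acme.eu"],
              issuer="DigiCert TLS RSA SHA256 2020 CA1", not_after="2026-03-01T00:00:00Z")
SIGHTINGS = [
    {**API, "source": "sensor", "endpoint": "10.4.7.12:443"},
    {**API, "source": "sensor", "endpoint": "10.4.7.12:443"},          # same sighting reported twice
    {**API, "source": "aws-acm", "arn": "arn:aws:acm:eu-central-1:123456789012:certificate/alb-prod"},
    {**API, "source": "acme-letsencrypt", "order_id": "le-0001"},
    {**API, "source": "ct-log", "log": "Argon 2026"},
    {**VPN, "source": "ct-log", "log": "Nessie 2027"},                   # nobody ordered this through us
    {**LEGACY, "source": "ca-digicert", "order_id": "DC-8812"},          # in the portal, never seen deployed
]
NOW = datetime(2026, 5, 25, tzinfo=timezone.utc)                          # constructed "today"


def _ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z (pre-3.11 fromisoformat rejects 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconcile(sightings: list[dict], now: datetime) -> dict[str, dict]:
    """Merge sightings into one record per fingerprint; locations are de-duplicated exactly."""
    inventory: dict[str, dict] = {}
    for s in sightings:
        rec = inventory.setdefault(s["sha256"], {
            "common_name": s["common_name"], "sans": list(s["sans"]),
            "issuer": s["issuer"], "not_after": s["not_after"], "seen_at": [],
        })
        location = {k: s[k] for k in LOCATION_FIELDS if k in s}
        if location not in rec["seen_at"]:
            rec["seen_at"].append(location)
    for rec in inventory.values():
        sources = {loc["source"] for loc in rec["seen_at"]}
        rec["days_left"] = (_ts(rec["not_after"]) - now).days   # negative once expired
        rec["deployed"] = bool(sources & DEPLOYED_SOURCES)       # seen on a host or in a cloud store
        rec["managed"] = bool(sources & CA_SOURCES)              # seen in an account we control
        rec["ct_only"] = sources == {CT_SOURCE}                  # public logs know it, nothing of ours does
    return inventory


def findings(inventory: dict[str, dict], expiring_within: int = 30) -> list[tuple[str, str]]:
    """Turn the merged records into the alerts a certificate owner actually wants."""
    out: list[tuple[str, str]] = []
    for sha, rec in inventory.items():
        if rec["ct_only"]:
            out.append((sha, "issued for your domain but absent from every account, store and host: shadow issuance"))
        if rec["managed"] and not rec["deployed"]:
            out.append((sha, "in a CA account but never seen deployed: orphaned order"))
        if rec["deployed"] and not rec["managed"]:
            out.append((sha, "deployed but in no known CA account"))
        if rec["days_left"] < 0:
            out.append((sha, "expired"))
        elif rec["days_left"] <= expiring_within:
            out.append((sha, f"expires in {rec['days_left']} days"))
    return out


if __name__ == "__main__":
    for sha, reason in findings(reconcile(SIGHTINGS, NOW)):
        print(sha, reason)
```

Keying on the certificate fingerprint rather than on the common name is what makes the merge safe: two orders for the same name are two certificates with two expiry dates, and a renewal shows up as a new record rather than silently overwriting the old one.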
Security model

A scanner you can actually let in.

The sensor sits inside your network, so it is the part of NextPKI your security team will scrutinise hardest. We optimised the design accordingly.

01

Open source under AGPL-3.0

Source is public. Your security team can read it, fork it, audit it, run their own build, and verify the binary they actually deploy.

02

Read-only, by design

The sensor never holds, parses, or transmits a private key. It opens TCP connections, completes the TLS handshake, and inspects the public side. That is all.

03

Outbound only, mTLS

The sensor opens an outbound mutual-TLS connection to NextPKI. No inbound ports. Bootstrap is a one-shot token, scoped to a single tenant.

Pilot programme

Discovery scan on us, results in two weeks.

Up to 25 000 endpoints. Inventory delivered as CSV plus audit report. Yours to keep, no obligation.