NextPKI
Pillar 03

Your own CA.
HSM-backed. Audited. Yours.

Public CAs cannot issue what you need inside your perimeter. We can.

Key storage
HSM only
Keys never leave the device
Audit
Third-party
Per release of the signing path
Issuance
ACME + EST
RFC 8555 and RFC 7030
Trust anchor
Yours
Roll your own, or BYO root

Use cases

What private PKI is for.

Use cases where a publicly trusted CA either cannot issue (non-public hostnames, internal-only systems) or is the wrong trust anchor.

Service mesh mTLS

Short-lived workload certs for Kubernetes, Istio, Linkerd, Consul. SPIFFE/SPIRE-compatible issuance.

Device identity

Workstations, laptops, IoT, network gear. Issue at provisioning, renew on a heartbeat, revoke on offboard.

Internal code signing

Signed builds for internal CLI tools, container images, and scripts your engineers run with elevated privilege.

VPN client certificates

Workload and human VPN auth without shared secrets. Tied to your IdP, revocable per device.

S/MIME for employees

Internal mail signing and encryption tied to your directory. Certificate profiles follow the current CA/Browser Forum S/MIME Baseline Requirements.

Custom trust anchors

Bring your own offline root, or roll a new one with us. Intermediate rotation built into the workflow.

Why this signer is different

The highest-blast-radius component in your stack.

A bug in the signing path becomes a mis-issuance, and a mis-issuance under a trust root that thousands of your services depend on is an incident whose recovery is measured in weeks. We treat it accordingly.

01 · Dedicated review

Every signing-path change reviewed.

No single-engineer commit on the signer. Two-person review with explicit attestation, even for typos.

02 · Third-party audit

External audit before each release.

Independent code review of every release of the signing path, with the report shared on request to enterprise customers under NDA.

03 · HSM isolation

Private keys never touch software.

All signing operations happen inside the HSM. The application hands the device a digest and gets a signature back; it never holds the private key, not even transiently in memory.

HSM integrations

Bring the HSM you already trust.

PKCS#11 is the interface; the device is your call. We test against three classes of HSM out of the box, with cloud HSMs available on request.

SoftHSM 2
Development and CI
Built in
YubiHSM 2
Small footprint, on-prem
Supported
PKCS#11 cluster HSMs
Thales Luna, Entrust nShield, Utimaco
Supported
Cloud HSM
AWS CloudHSM, GCP Cloud HSM
On request

Pilot programme
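To make the boundary described under "HSM isolation" concrete, here is an added example. It is not NextPKI's code and not the product's PKCS#11 glue; it is a self-contained Go program that stands up a two-tier hierarchy (an offline root and an online issuing CA, each on its own signer), issues a one-hour SPIFFE workload certificate from the intermediate, and verifies it the way an mTLS peer would. The `hsmSigner` type is an in-process stand-in for a PKCS#11 key handle, and the CA names, serials and SPIFFE ID are invented for the example. The point it shows is structural: Go's `x509.CreateCertificate` accepts a `crypto.Signer`, so the only thing the issuance path can ask the key for is a signature over a digest, which is exactly the shape of a PKCS#11 `C_Sign` call. Replace the stand-in with a PKCS#11 binding that implements `crypto.Signer` and nothing else in the program changes.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/url"
	"time"
)

// hsmSigner stands in for a PKCS#11 key handle (an assumption of this example; a real binding holds a
// session and object handle and calls C_Sign). Issuance code reaches the key only through crypto.Signer.
type hsmSigner struct {
	priv *ecdsa.PrivateKey // generated in-process here; a real token never exports it
	ops  int               // signing operations performed: the device-side audit trail
}

func (h *hsmSigner) Public() crypto.PublicKey { return &h.priv.PublicKey } // the only key material that leaves the "device"

// Sign takes a digest and returns an ASN.1 ECDSA signature (the DER-wrapped r||s a token returns from C_Sign).
func (h *hsmSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	h.ops++
	return ecdsa.SignASN1(r, h.priv, digest)
}

// must treats every failure in this example as fatal; a production CA would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// caTemplate builds a CA template; maxPathLen 0 marks an intermediate that may only issue end entities.
func caTemplate(cn string, serial int64, lifetime time.Duration, maxPathLen int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // fixed for the example; production draws >= 64 bits from a CSPRNG
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        maxPathLen == 0,
	}
}

// issue signs template under parent. x509.CreateCertificate only calls issuerKey.Sign on the TBS digest.
func issue(template, parent *x509.Certificate, subjectPub crypto.PublicKey, issuerKey crypto.Signer) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, template, parent, subjectPub, issuerKey))
	return must(x509.ParseCertificate(der))
}

type hierarchy struct {
	root, intermediate, leaf *x509.Certificate
	rootHSM, issuingHSM      *hsmSigner
}

// buildHierarchy: offline root and online issuing CA on separate signers, then a one-hour SPIFFE workload cert.
func buildHierarchy(spiffeID string) *hierarchy {
	rootHSM := &hsmSigner{priv: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	issuingHSM := &hsmSigner{priv: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	rootTmpl := caTemplate("Example Internal Root G1", 1, 10*365*24*time.Hour, 1)
	root := issue(rootTmpl, rootTmpl, rootHSM.Public(), rootHSM)
	inter := issue(caTemplate("Example Issuing CA 2025", 2, 2*365*24*time.Hour, 0), root, issuingHSM.Public(), rootHSM)
	// The workload generates its own key pair; only the public half reaches the CA (in a CSR over ACME or EST).
	workloadKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001),
		URIs:         []*url.URL{must(url.Parse(spiffeID))}, // the SPIFFE ID is the only SAN
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Hour), // short-lived: renew on a heartbeat instead of revoking
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}, inter, &workloadKey.PublicKey, issuingHSM)
	return &hierarchy{root, inter, leaf, rootHSM, issuingHSM}
}

// verifyWorkload is the mTLS peer's check: chain to the root through the intermediate, valid for client auth.
func (h *hierarchy) verifyWorkload() error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.root)
	inters.AddCert(h.intermediate)
	_, err := h.leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	h := buildHierarchy("spiffe://example.internal/ns/payments/sa/api")
	fmt.Printf("verify=%v %s issued by %q; root signer ops=%d, issuing signer ops=%d\n", h.verifyWorkload(), h.leaf.URIs[0], h.leaf.Issuer.CommonName, h.rootHSM.ops, h.issuingHSM.ops)
}
```

Run it with `go run`. The root signer's operation count stays at two after the workload certificate is issued: self-signature and intermediate, then nothing, which is the property an offline root buys you. The `ops` counter is the kind of device-side record an auditor reconciles against the CA's issuance log. The hard-coded serials are for the example only; a real CA draws at least 64 bits from a CSPRNG, as the CA/B Baseline Requirements demand of public CAs.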

Stand up an internal CA in week two.

We bring up a working signer on SoftHSM, get ACME flowing to one workload, then walk you through promoting it to the HSM you actually want to use. Promotion means generating a fresh key on the production device and re-issuing from it, not exporting the pilot key.