NextPKI
Pillar 02

Renew automatically.
Through whichever CA you trust.

Your CA is a commodity. The lifecycle management around it should not lock you to one.

  • CAs: 6 today
    More on request
  • Protocols: ACME · API
    RFC 8555 plus vendor-specific
  • CA switch: Config change
    Not a migration project
  • Audit trail: Portable
    Yours to keep, in any CA scenario

CA-agnostic by design

Every CA, equally first-class.

CA-bundled CLM tools (DigiCert TLM, Sectigo SCM) work beautifully, as long as you stay with that CA. The moment you want to renegotiate, the moment a CA gets distrusted by browsers, the moment compliance forces a change, you migrate the platform too. We separate the platform from the CA so a switch costs you nothing.

  • DigiCert
    Full automation, reseller
  • Sectigo
    Full automation, reseller
  • GlobalSign
    Full automation, reseller
  • Let's Encrypt
    ACME-native, free CA
  • ZeroSSL
    ACME-native
  • SwissSign
    Full automation, reseller

Renewal flow

From expiry alert to deployed cert.

The same workflow runs whether the underlying CA is DigiCert, Let's Encrypt, or anything else we support. Your operators see one console, one approval queue, one audit log.

  1. Trigger

    A discovered cert crosses its renewal threshold, or an operator clicks renew manually. The cert is already in the inventory, with its issuer, SANs, key spec, and deployment endpoints.

  2. Approval

    Optional. Per-team, per-domain, or per-CA approval policies. Auto-approve for routine renewals, require sign-off for high-blast-radius certs.

  3. Issuance

    We submit the order through your chosen CA over ACME or the vendor API. DCV runs automatically against the same DNS or HTTP method you used last time.

  4. Deploy

    Push the new cert to the cloud store, the load balancer, or your secrets manager. Confirm the deployment via the sensor. Log the chain change to the audit trail.

Reseller layer

One invoice. Six CAs. Zero lock-in.

You buy certificate volume through us. We hold the CA accounts. You get one invoice, one contract, one support contact, while your renewal logic, ACME endpoints, and audit trail stay portable.

If you ever decide NextPKI is not the right fit, the CA relationships are yours to take with you. We help you transfer them.

What you get
  • Volume discounts pass through
    CA tier pricing we negotiate goes to you. We mark up the platform, not the certs.
  • One contract, one DPA
    No separate procurement cycle per CA. Add a CA, remove a CA, change ratios; all under the same paperwork.
  • Portable, by contract
    Account ownership is yours. Exit clause documented. We help you migrate out, not the other way around.
Pilot programme

Switch a workload to automated renewal in week two.

Pick one CA, one set of certs, one renewal flow. We get it automated, then you decide whether to expand the scope.