Zaita Documentation
Zaita is an enterprise certificate lifecycle management (CLM) and private PKI platform. It gives security teams a single place to discover, provision, renew, revoke, and automate certificates across their entire environment — from internal services to internet-facing systems — without compromising on cryptographic security.
What is Zaita?
Modern infrastructure depends on digital certificates for TLS, code signing, service identity, and mutual authentication. As environments grow, managing hundreds or thousands of certificates across teams, networks, and cloud providers becomes error-prone and operationally risky. Expired or unknown certificates cause outages. Weak algorithms create vulnerabilities. Manual workflows don't scale.
Zaita solves this by combining two tightly integrated capabilities:
- Certificate Lifecycle Management — a centralised inventory, automated discovery, policy enforcement, and automated provisioning and deployment to target systems.
- Private PKI — a fully managed certificate authority hierarchy, from root and intermediate CAs through to leaf certificate issuance, backed by a built-in FIPS 140-3 (Level 1) virtual HSM.
Core Capabilities
Certificate Lifecycle Management
| Capability | Description |
|---|---|
| Centralised Inventory | Full metadata tracking across your entire certificate estate — issuer, SANs, validity dates, algorithm, key size, and status |
| Automated Discovery | Certificate Transparency log scanning and HTTPS endpoint scanning continuously surface new and unknown certificates. CT logs only contain publicly logged certificates, so endpoint scanning is what finds certificates issued by private CAs |
| Certificate Provisioning | End-to-end workflows covering key pair generation, CSR creation, and issuance — manual or fully automated |
| Renewal & Revocation | Portal and API-driven renewal and revocation with immediate status propagation |
| Policy Engine | Domain-matched policies enforce algorithm, key size, and validity constraints, with hard (blocking) or soft (warning-only) failure modes |
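The policy evaluation described in the table, written out as an added example in Go. This is illustrative code, not Zaita's own engine or schema: the `Policy` and `CertMeta` types, the `*.suffix` and `*` pattern rules, the `Evaluate` function, and the sample policies and certificate request are all constructed for this example. It applies every domain-matched policy that covers a request and separates hard failures, which block, from soft ones, which only warn:

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Policy is a constructed shape for a domain-matched policy, not Zaita's own schema. Pattern is an
// exact host, a "*.suffix" wildcard covering exactly one label, or "*" as a catch-all default.
// A hard policy blocks a non-compliant request; a soft policy only records a warning.
type Policy struct {
	Pattern     string
	Algorithms  map[string]int // permitted key algorithm -> minimum key size in bits
	MaxValidity time.Duration
	Hard        bool
}

// CertMeta carries the inventory fields a policy needs: SANs, algorithm, key size, validity.
type CertMeta struct {
	SANs      []string
	Algorithm string
	KeyBits   int
	NotBefore time.Time
	NotAfter  time.Time
}

// Violation is one failed constraint together with the policy that imposed it.
type Violation struct {
	Policy string
	Hard   bool
	Reason string
}

// matches reports whether host falls under pattern. "*.corp.example" matches
// "api.corp.example" but neither the apex "corp.example" nor "x.api.corp.example".
func matches(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if pattern == "*" {
		return true
	}
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	suffix := pattern[1:] // ".corp.example"
	label := strings.TrimSuffix(host, suffix)
	return label != host && label != "" && !strings.Contains(label, ".")
}

// check returns every constraint of p that c fails.
func check(p Policy, c CertMeta) (reasons []string) {
	if minBits, ok := p.Algorithms[c.Algorithm]; !ok {
		reasons = append(reasons, fmt.Sprintf("algorithm %s is not permitted", c.Algorithm))
	} else if c.KeyBits < minBits {
		reasons = append(reasons, fmt.Sprintf("%s-%d key is below the %d-bit minimum", c.Algorithm, c.KeyBits, minBits))
	}
	if v := c.NotAfter.Sub(c.NotBefore); v > p.MaxValidity {
		reasons = append(reasons, fmt.Sprintf("validity of %.0f days exceeds the %.0f-day maximum", v.Hours()/24, p.MaxValidity.Hours()/24))
	}
	return reasons
}

// Evaluate applies every policy that covers at least one SAN: a request naming hosts in
// several zones must satisfy each zone's policy. allowed is false only on a hard violation.
func Evaluate(policies []Policy, c CertMeta) (allowed bool, violations []Violation) {
	allowed = true
	for _, p := range policies {
		for _, san := range c.SANs {
			if !matches(p.Pattern, san) {
				continue
			}
			for _, r := range check(p, c) {
				violations = append(violations, Violation{p.Pattern, p.Hard, r})
				allowed = allowed && !p.Hard
			}
			break // each policy is applied once, however many SANs it covers
		}
	}
	return allowed, violations
}

const day = 24 * time.Hour

// samplePolicies (constructed): a strict hard policy for the corporate zone and a soft catch-all.
func samplePolicies() []Policy {
	return []Policy{
		{Pattern: "*.corp.example", Algorithms: map[string]int{"RSA": 3072, "ECDSA": 256}, MaxValidity: 398 * day, Hard: true},
		{Pattern: "*", Algorithms: map[string]int{"RSA": 2048, "ECDSA": 256}, MaxValidity: 825 * day},
	}
}

// sampleCert (constructed): an RSA-2048 request for 400 days that also names a corp host.
func sampleCert() CertMeta {
	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	return CertMeta{SANs: []string{"api.corp.example", "legacy.example"}, Algorithm: "RSA", KeyBits: 2048, NotBefore: start, NotAfter: start.Add(400 * day)}
}

func main() {
	allowed, violations := Evaluate(samplePolicies(), sampleCert())
	fmt.Println("allowed:", allowed, violations)
}
```

A request naming hosts in several zones is checked against each zone's policy, so one SAN under a strict zone blocks the whole request even when the other SANs would pass on their own. The `*` catch-all is placed last and left in soft mode so that a domain no specific policy covers is reported rather than silently accepted; a deployment that wants default-deny would make that entry hard instead.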
Private PKI
| Capability | Description |
|---|---|
| Root CA Management | Create or import root certificate authorities; compliance enforcement ensures best-practice handling of root key material |
| Intermediate CA Management | Issue and manage intermediate CAs under any root, with full lifecycle tracking |
| Cryptographic Algorithms | RSA (2048–4096), Elliptic Curve (P-256, P-384, P-521), and a broad range of digest algorithms |
| Secured Back Control Plane | Built-in FIPS 140-3 (Level 1) cryptographic module in an isolated back control plane — private keys never reach internet-facing components |
| External HSM Integration | Integration with physical HSMs and cloud HSM services from Microsoft Azure and Amazon Web Services |
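The provisioning flow from the Certificate Lifecycle Management table (key pair, CSR, issuance) and the root and intermediate CA hierarchy from the table above, as one added example using Go's standard crypto/x509 package. This is not Zaita's code: keys are generated in process rather than inside an HSM, the CA names, lifetimes and the `api.corp.example` host are made up, and the `Hierarchy` type and `must` helper exist only for the example. It builds a root (path length 1) and an issuing intermediate (path length 0), issues a leaf from a CSR after checking the CSR's proof-of-possession signature, and verifies the resulting chain the way a TLS client would:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey makes a P-256 key in memory; the platform above keeps CA keys inside the HSM instead.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func serial() *big.Int { return must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))) } // random 128-bit serial

// caTemplate describes a CA; maxPathLen 0 lets it sign leaves but no further CAs.
func caTemplate(cn string, maxPathLen, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        maxPathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign issues tmpl for public key pub with the parent's private key; parent == tmpl self-signs.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// Hierarchy is the two-tier CA. Only the issuing key is kept; the root key is not needed day to day.
type Hierarchy struct {
	Root, Intermediate *x509.Certificate
	intKey             *ecdsa.PrivateKey
}

func BuildHierarchy() *Hierarchy {
	rootKey, intKey := newKey(), newKey()
	rootTmpl := caTemplate("Example Root CA", 1, 20)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := sign(caTemplate("Example Issuing CA", 0, 10), root, &intKey.PublicKey, rootKey)
	return &Hierarchy{Root: root, Intermediate: inter, intKey: intKey}
}

// NewCSR is the requesting service's side: its own key pair plus a CSR listing its SANs.
func NewCSR(sans []string) (*ecdsa.PrivateKey, []byte) {
	key := newKey()
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: sans[0]}, DNSNames: sans}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// IssueLeaf is the CA's side: verify the CSR's proof of possession, then issue using only the
// CSR's public key and SANs. Validity and key usage are the CA's decision, not the requester's.
func (h *Hierarchy) IssueLeaf(csrDER []byte, days int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial(),
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, h.Intermediate, csr.PublicKey, h.intKey), nil
}

// Verify builds the chain leaf -> intermediate -> root for host, as a TLS client would.
func (h *Hierarchy) Verify(leaf *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	h := BuildHierarchy()
	_, csr := NewCSR([]string{"api.corp.example"})
	fmt.Println("chain valid:", h.Verify(must(h.IssueLeaf(csr, 90)), "api.corp.example") == nil)
}
```

The CA copies only the public key and the SANs out of the CSR; the requester does not get to choose its own validity period or key usages, and this is the point at which the policy constraints from the lifecycle section would be checked before anything is signed. The root key is used exactly once, to sign the intermediate, and is then discarded from the process, which is the pattern the "root key material" handling in the table is about; all routine issuance goes through the intermediate, whose path length of 0 stops it from minting further CAs.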
Automation & Integration
| Capability | Description |
|---|---|
| Bridges | Lightweight on-premises agents (Docker/Kubernetes or binary) that connect outbound to Zaita — your network never accepts inbound connections from the platform |
| Couriers | CLI utilities, scheduled via cron or run from CI/CD pipelines, that pull certificates down to target systems on a schedule or on demand |
| Target System Deployment | Push certificates directly to IIS, Windows, Nginx, Apache, and custom Linux targets via a Bridge |
| REST API | A versioned API for full programmatic control of certificate operations |
Identity & Access
| Capability | Description |
|---|---|
| Single Sign-On (SSO) | Integrate with your existing identity provider |
| Role-Based Access Control | Least-privilege access with configurable roles and permissions |
| Machine Accounts | Purpose-built non-human accounts for Bridges, Couriers, and API integrations |
| Federated Identity | Authentication from the workload's own identity via SPIFFE/SPIRE, Azure Workload Identity, or AWS IAM OIDC, so no long-lived static credentials need to be provisioned |
| IP Whitelisting | Restrict API access by source network for individual machine accounts |
Architecture Overview
Zaita separates user-facing services from cryptographic operations through two distinct control planes:
- The SaaS Control Plane handles the web portal, REST APIs, authentication, and authorisation.
- The Secured Back Control Plane performs all cryptographic operations (key generation, CSR creation, certificate signing) in isolation. No direct network path exists between the internet-facing SaaS plane and the Secured Back Control Plane or its key material.
Communication between the two planes is asynchronous, so even a full compromise of the SaaS control plane cannot expose key material held within the back control plane. This isolation protects the keys themselves; which operations a caller may request is still decided by the SaaS plane's authentication, role-based access control, and policy engine, so those controls are part of the trust boundary as well.
For full details, see Architecture.
Hosting Options
Zaita is available as a multi-tenant SaaS platform, hosted on the Akamai cloud across regions in Oceania, Europe, Asia, and North America.
For organisations that require dedicated isolation, single-tenant deployments are available on:
- Microsoft Azure
- Amazon Web Services
- EU specialist cloud providers
All traffic passes through a WAF configured with the OWASP Core Rule Set, rate limiting, and bot mitigation. A global CDN provides TLS termination at the edge and DDoS absorption.
For full details, see Hosting Options.
Getting Started
- Create an account
- Sign in
- Set up your PKI
- Deploy a Bridge to connect your internal network
- Configure a Courier for automated certificate delivery
Documentation Sections
| Section | Description |
|---|---|
| Overview | Full feature reference, architecture, security model, performance, and hosting options |
| PKI | Root and intermediate CA management, cryptographic algorithms, and Secured Back Control Plane |
| Certificate Lifecycle Management | Discovery, provisioning, Bridges, Couriers, and target system deployment |
| User Management | Users, groups, roles, and permissions |
| Machine Accounts | Non-human authentication for automation and integrations |
| Getting Started | Account creation, sign-in, and initial setup |