Zaita Documentation¶
Zaita is an enterprise certificate lifecycle management (CLM), private PKI, and secrets management platform. It gives security teams a unified platform to manage the full lifecycle of X.509 certificates, operate a private PKI with hardware-grade cryptographic protection, and securely store and deliver secrets to every workload — all without compromising on cryptographic security.
What is Zaita?¶
Modern infrastructure depends on digital certificates for TLS, code signing, service identity, and mutual authentication. As environments scale, managing thousands of certificates across teams, networks, and cloud providers becomes error-prone and operationally risky. Expired or unknown certificates cause outages, weak algorithms create vulnerabilities, and manual workflows cannot keep pace.
At the same time, every application and service relies on secrets — API keys, database credentials, tokens, and configuration values. These are routinely hardcoded, over-shared, and delivered insecurely, creating a growing attack surface that is difficult to audit, rotate, or revoke at speed.
Zaita solves both problems by combining three tightly integrated capabilities:
- Certificate Lifecycle Management — a centralised inventory, automated discovery, policy enforcement, and automated provisioning and deployment to target systems.
- Private PKI — a fully managed certificate authority hierarchy, from root and intermediate CAs through to leaf certificate issuance, backed by a built-in FIPS 140-3 (Level 1) virtual HSM.
- Secrets Management — encrypted storage and delivery of credentials, API keys, and configuration secrets to applications and infrastructure via Couriers, Bridges, and Workloads.
Core Capabilities¶
Certificate Lifecycle Management¶
| Capability | Description |
|---|---|
| Centralised Inventory | Full metadata tracking across your entire certificate estate — issuer, SANs, validity dates, algorithm, key size, and status |
| Automated Discovery | Certificate Transparency log scanning and HTTPS endpoint scanning continuously surface new and unknown certificates |
| Certificate Provisioning | End-to-end workflows covering key pair generation, CSR creation, and issuance — manual or fully automated |
| Renewal & Revocation | Portal and API-driven renewal and revocation with immediate status propagation |
| Policy Engine | Domain-matched policies enforce algorithm, key size, and validity constraints with hard or soft failure modes |
Private PKI¶
| Capability | Description |
|---|---|
| Root CA Management | Create or import root certificate authorities; compliance enforcement ensures best-practice handling of root key material |
| Intermediate CA Management | Issue and manage intermediate CAs under any root, with full lifecycle tracking |
| Cryptographic Algorithms | RSA (2048–4096), Elliptic Curve (P-256, P-384, P-521), and a broad range of digest algorithms |
| Secured Back Control Plane | Built-in FIPS 140-3 (Level 1) cryptographic module in an isolated back control plane — private keys never reach internet-facing components |
| External HSM Integration | Integration with physical HSMs and cloud HSM services from Microsoft Azure and Amazon Web Services |
Secrets Management¶
| Capability | Description |
|---|---|
| Vault, Lockers & Secrets | Secrets organised into named Lockers within a per-tenant Vault; each Locker carries its own access control list for least-privilege delivery |
| End-to-End Encryption | Secrets stored exclusively as ciphertext in the Secured Back Control Plane; delivery uses ECDH (EC P-521) + AES-256-GCM with a fresh ephemeral key pair per delivery |
| Flexible Delivery | Courier (CLI/cron), Bridge (on-premises agent cache), Workload (runtime API pull), and Service Account API for infrastructure automation |
| Workload Identity | Credential-less authentication for applications via Azure Managed Identity, Azure Arc, SPIFFE/SPIRE, and OIDC/OAuth2 |
| Access Control & Audit | Per-entity (per-Courier, per-Bridge, per-Workload) Locker access grants; all creation, deletion, and download events recorded in the tamper-evident audit log |
Automation & Integration¶
| Capability | Description |
|---|---|
| Bridges | Lightweight on-premises agents (Docker/Kubernetes or binary) that connect outbound to Zaita — your network never accepts inbound connections from the platform |
| Couriers | CLI utilities scheduled via cron or CI/CD pipelines that pull certificates to target systems on demand |
| Target System Deployment | Push certificates directly to IIS, Windows, Nginx, Apache, and custom Linux targets via a Bridge |
| REST API | A versioned API for full programmatic control of certificate operations |
Identity & Access¶
| Capability | Description |
|---|---|
| Single Sign-On (SSO) | Integrate with your existing identity provider |
| Role-Based Access Control | Least-privilege access with configurable roles and permissions |
| Machine Accounts | Purpose-built non-human accounts for Bridges, Couriers, and API integrations |
| Federated Identity | Credential-less authentication via SPIFFE/SPIRE, Azure Workload Identity, and AWS IAM OIDC |
| IP Whitelisting | Restrict API access by source network for individual machine accounts |
Architecture Overview¶
Zaita separates user-facing services from cryptographic operations through two distinct control planes:
- The SaaS Control Plane handles the web portal, REST APIs, authentication, and authorisation.
- The Back Control Plane performs all cryptographic operations — key generation, CSR creation, certificate signing — in isolation, as the Secured Back Control Plane. No direct network path exists between the internet-facing SaaS plane and the Secured Back Control Plane or its key material.
Communication between the two planes is asynchronous. Even a full compromise of the SaaS control plane cannot expose key material held within the back control plane.
For full details, see Architecture.
Hosting Options¶
Zaita is available as a multi-tenant SaaS platform, hosted on the Akamai cloud across regions in Oceania, Europe, Asia, and North America.
For organisations that require dedicated isolation, single-tenant deployments are available on:
- Microsoft Azure
- Amazon Web Services
- EU specialist cloud providers
All traffic passes through a WAF configured with the OWASP Core Rule Set, rate limiting, and bot mitigation. A global CDN provides TLS termination at edge and DDoS absorption.
For full details, see Hosting Options.
Getting Started¶
- Create an account
- Sign in
- Set up your PKI
- Deploy a Bridge to connect your internal network
- Configure a Courier for automated certificate delivery
- Set up Secrets Management to securely store and deliver secrets to your workloads
Documentation Sections¶
| Section | Description |
|---|---|
| Certificate Lifecycle Management | Discovery, provisioning, renewal, revocation, Bridges, Couriers, and target system deployment |
| Public Key Infrastructure (PKI) | Root and intermediate CA management, cryptographic algorithms, and Secured Back Control Plane |
| Secrets Management | Encrypted secrets storage and delivery via Couriers, Bridges, Workloads, and the API |
| Overview | Full feature reference, architecture, security model, performance, and hosting options |
| User Management | Users, groups, roles, and permissions |
| Machine Accounts | Non-human authentication for automation and integrations |
| Getting Started | Account creation, sign-in, and initial setup |