Skip to content

Zaita Documentation

Zaita is an enterprise certificate lifecycle management (CLM), private PKI, and secrets management platform. It gives security teams a unified platform to manage the full lifecycle of X.509 certificates, operate a private PKI with hardware-grade cryptographic protection, and securely store and deliver secrets to every workload — all without compromising on cryptographic security.


What is Zaita?

Modern infrastructure depends on digital certificates for TLS, code signing, service identity, and mutual authentication. As environments scale, managing thousands of certificates across teams, networks, and cloud providers becomes error-prone and operationally risky. Expired or unknown certificates cause outages, weak algorithms create vulnerabilities, and manual workflows cannot keep pace.

At the same time, every application and service relies on secrets — API keys, database credentials, tokens, and configuration values. These are routinely hardcoded, over-shared, and delivered insecurely, creating a growing attack surface that is difficult to audit, rotate, or revoke at speed.

Zaita solves both problems by combining three tightly integrated capabilities:

  • Certificate Lifecycle Management — a centralised inventory, automated discovery, policy enforcement, and automated provisioning and deployment to target systems.
  • Private PKI — a fully managed certificate authority hierarchy, from root and intermediate CAs through to leaf certificate issuance, backed by a built-in FIPS 140-3 (Level 1) virtual HSM.
  • Secrets Management — encrypted storage and delivery of credentials, API keys, and configuration secrets to applications and infrastructure via Couriers, Bridges, and Workloads.

Core Capabilities

Certificate Lifecycle Management

Capability Description
Centralised Inventory Full metadata tracking across your entire certificate estate — issuer, SANs, validity dates, algorithm, key size, and status
Automated Discovery Certificate Transparency log scanning and HTTPS endpoint scanning continuously surface new and unknown certificates
Certificate Provisioning End-to-end workflows covering key pair generation, CSR creation, and issuance — manual or fully automated
Renewal & Revocation Portal and API-driven renewal and revocation with immediate status propagation
Policy Engine Domain-matched policies enforce algorithm, key size, and validity constraints with hard or soft failure modes

Private PKI

Capability Description
Root CA Management Create or import root certificate authorities; compliance enforcement ensures best-practice handling of root key material
Intermediate CA Management Issue and manage intermediate CAs under any root, with full lifecycle tracking
Cryptographic Algorithms RSA (2048–4096), Elliptic Curve (P-256, P-384, P-521), and a broad range of digest algorithms
Secured Back Control Plane Built-in FIPS 140-3 (Level 1) cryptographic module in an isolated back control plane — private keys never reach internet-facing components
External HSM Integration Integration with physical HSMs and cloud HSM services from Microsoft Azure and Amazon Web Services

Secrets Management

Capability Description
Vault, Lockers & Secrets Secrets organised into named Lockers within a per-tenant Vault; each Locker carries its own access control list for least-privilege delivery
End-to-End Encryption Secrets stored exclusively as ciphertext in the Secured Back Control Plane; delivery uses ECDH (EC P-521) + AES-256-GCM with a fresh ephemeral key pair per delivery
Flexible Delivery Courier (CLI/cron), Bridge (on-premises agent cache), Workload (runtime API pull), and Service Account API for infrastructure automation
Workload Identity Credential-less authentication for applications via Azure Managed Identity, Azure Arc, SPIFFE/SPIRE, and OIDC/OAuth2
Access Control & Audit Per-entity (per-Courier, per-Bridge, per-Workload) Locker access grants; all creation, deletion, and download events recorded in the tamper-evident audit log

Automation & Integration

Capability Description
Bridges Lightweight on-premises agents (Docker/Kubernetes or binary) that connect outbound to Zaita — your network never accepts inbound connections from the platform
Couriers CLI utilities scheduled via cron or CI/CD pipelines that pull certificates to target systems on demand
Target System Deployment Push certificates directly to IIS, Windows, Nginx, Apache, and custom Linux targets via a Bridge
REST API A versioned API for full programmatic control of certificate operations

Identity & Access

Capability Description
Single Sign-On (SSO) Integrate with your existing identity provider
Role-Based Access Control Least-privilege access with configurable roles and permissions
Machine Accounts Purpose-built non-human accounts for Bridges, Couriers, and API integrations
Federated Identity Credential-less authentication via SPIFFE/SPIRE, Azure Workload Identity, and AWS IAM OIDC
IP Whitelisting Restrict API access by source network for individual machine accounts

Architecture Overview

Zaita separates user-facing services from cryptographic operations through two distinct control planes:

  • The SaaS Control Plane handles the web portal, REST APIs, authentication, and authorisation.
  • The Back Control Plane performs all cryptographic operations — key generation, CSR creation, certificate signing — in isolation, as the Secured Back Control Plane. No direct network path exists between the internet-facing SaaS plane and the Secured Back Control Plane or its key material.

Communication between the two planes is asynchronous. Even a full compromise of the SaaS control plane cannot expose key material held within the back control plane.

For full details, see Architecture.


Hosting Options

Zaita is available as a multi-tenant SaaS platform, hosted on the Akamai cloud across regions in Oceania, Europe, Asia, and North America.

For organisations that require dedicated isolation, single-tenant deployments are available on:

  • Microsoft Azure
  • Amazon Web Services
  • EU specialist cloud providers

All traffic passes through a WAF configured with the OWASP Core Rule Set, rate limiting, and bot mitigation. A global CDN provides TLS termination at edge and DDoS absorption.

For full details, see Hosting Options.


Getting Started

  1. Create an account
  2. Sign in
  3. Set up your PKI
  4. Deploy a Bridge to connect your internal network
  5. Configure a Courier for automated certificate delivery
  6. Set up Secrets Management to securely store and deliver secrets to your workloads

Documentation Sections

Section Description
Certificate Lifecycle Management Discovery, provisioning, renewal, revocation, Bridges, Couriers, and target system deployment
Public Key Infrastructure (PKI) Root and intermediate CA management, cryptographic algorithms, and Secured Back Control Plane
Secrets Management Encrypted secrets storage and delivery via Couriers, Bridges, Workloads, and the API
Overview Full feature reference, architecture, security model, performance, and hosting options
User Management Users, groups, roles, and permissions
Machine Accounts Non-human authentication for automation and integrations
Getting Started Account creation, sign-in, and initial setup