# Features
The Zaita platform delivers enterprise-grade certificate lifecycle management and private PKI through a security-first architecture. This page provides an overview of the platform's core capabilities.
## Certificate Lifecycle Management
### Certificate Inventory
Maintain a centralised inventory of all certificates across your organisation. The inventory captures full certificate metadata including common name, issuer, subject alternative names (SANs), validity dates, algorithm, key size, thumbprint, serial number, and current status. Certificates can be tracked from issuance through to expiry or revocation, providing a single pane of glass across your certificate estate.
### Automated Discovery
The platform provides two complementary discovery mechanisms that continuously identify certificates across your environment:
- Certificate Transparency (CT) log scanning — automatically queries public CT logs for all certificates issued against your registered domains, importing discovered certificates into your inventory without requiring network access to the systems hosting them.
- HTTPS endpoint scanning — probes live endpoints to extract deployed certificate details, including subject, issuer, validity window, and expiry countdown.
Discovery runs on a configurable schedule, ensuring your inventory remains current and that unknown or unexpected certificates are surfaced promptly.
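HTTPS endpoint scanning, worked through in Go as an added example (this is not Zaita's scanner or API): it performs a TLS handshake with an endpoint, keeps the metadata fields the inventory section lists (subject, issuer, SANs, validity window, thumbprint), and derives the expiry countdown and a status bucket from them. The record layout, function names and the 30-day warning window are this example's assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math"
	"net"
	"os"
	"time"
)

// EndpointCert is the inventory record this example keeps for one scanned
// endpoint; the field set follows the metadata the inventory section lists.
type EndpointCert struct {
	Subject, Issuer, Thumbprint string
	SANs                        []string
	NotBefore, NotAfter         time.Time
	DaysLeft                    int // whole days until NotAfter, negative once expired
}

// Summarise reduces a leaf certificate to an inventory record relative to now.
func Summarise(cert *x509.Certificate, now time.Time) EndpointCert {
	sum := sha256.Sum256(cert.Raw) // SHA-256 thumbprint over the DER encoding
	return EndpointCert{
		Subject:    cert.Subject.String(),
		Issuer:     cert.Issuer.String(),
		Thumbprint: hex.EncodeToString(sum[:]),
		SANs:       cert.DNSNames,
		NotBefore:  cert.NotBefore,
		NotAfter:   cert.NotAfter,
		DaysLeft:   int(math.Floor(cert.NotAfter.Sub(now).Hours() / 24)),
	}
}

// Status buckets a record for the inventory: expired, expiring within
// warnDays, or ok.
func Status(c EndpointCert, warnDays int) string {
	switch {
	case c.DaysLeft < 0:
		return "expired"
	case c.DaysLeft <= warnDays:
		return "expiring"
	}
	return "ok"
}

// ScanEndpoint performs a TLS handshake with addr (host:port), sending
// serverName as SNI, and records the leaf certificate presented. Chain
// verification is skipped on purpose: discovery must record self-signed or
// otherwise untrusted certificates too, and nothing is sent after the handshake.
func ScanEndpoint(addr, serverName string, timeout time.Duration) (EndpointCert, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, &tls.Config{
		ServerName:         serverName,
		InsecureSkipVerify: true, // inventory only; no trust decision is made here
	})
	if err != nil {
		return EndpointCert{}, err
	}
	defer conn.Close()
	peers := conn.ConnectionState().PeerCertificates
	if len(peers) == 0 {
		return EndpointCert{}, fmt.Errorf("%s presented no certificate", addr)
	}
	return Summarise(peers[0], time.Now()), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Println("usage: scan host:port")
		return
	}
	host, _, _ := net.SplitHostPort(os.Args[1])
	rec, err := ScanEndpoint(os.Args[1], host, 5*time.Second)
	if err != nil {
		fmt.Println("scan failed:", err)
		return
	}
	fmt.Printf("%s  %s  expires in %d days (%s)\n", rec.Subject, rec.Thumbprint[:16], rec.DaysLeft, Status(rec, 30))
}
```

The scanner records what an endpoint presents without trusting it; deciding whether a discovered certificate is legitimate is a separate inventory step, which is why `InsecureSkipVerify` is acceptable here and nowhere else in a client.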
### Certificate Provisioning
End-to-end certificate provisioning is supported through the web portal and API, covering three stages — key pair generation, certificate signing request (CSR) creation, and certificate issuance. Each stage can be executed in the location that best fits your security requirements:
| Stage | Execution Options |
|---|---|
| Key pair generation | Target system, Bridge, cloud HSM, or platform Secured Back Control Plane |
| CSR creation | Target system, Bridge, or platform Secured Back Control Plane |
| Certificate issuance | Platform CA or integrated external CA |
Provisioning modes include manual request workflows for ad-hoc issuance, and fully automated provisioning for zero-touch certificate delivery.
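The three stages worked through in Go as an added example (not Zaita's own code or API): the key pair and CSR are generated where the private key should live, and the issuing CA, here a self-signed stand-in for the platform CA, only ever sees the CSR. The function names, the `example.test` domain and the 90-day validity are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Stages 1 and 2 run wherever the private key should live (target system or
// Bridge): generate a P-384 key pair, the page's default curve, and a CSR that
// carries only the public key, so the private key never leaves that location.
func GenerateKeyAndCSR(cn string, sans []string) (*ecdsa.PrivateKey, *x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return key, csr, err
}

// NewCA builds a self-signed issuing CA; it stands in for the platform CA.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// Issue is stage 3 (the CA): check the CSR's proof of possession, copy only
// the names from the request, and sign with a random 127-bit serial.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, validity time.Duration) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().Add(validity),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChain is what the deploying side (Bridge or Courier) checks before
// installing: the leaf chains to the expected CA and covers the host name.
func VerifyChain(ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, _ := NewCA("Example Platform CA")
	key, csr, _ := GenerateKeyAndCSR("web.example.test", []string{"web.example.test", "api.example.test"})
	leaf, err := Issue(ca, caKey, csr, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	// The private key stayed local; only the signed certificate came back.
	fmt.Println(key.PublicKey.Equal(leaf.PublicKey), VerifyChain(ca, leaf, "api.example.test"))
}
```

Splitting the stages this way is what lets the key-generation location in the table above vary per deployment: whichever side runs stage 1 keeps the key, and the CA's input is the same CSR regardless.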
### Certificate Renewal and Revocation
Certificates can be renewed or revoked through the web portal or API. Renewal workflows inherit the original certificate's configuration, reducing manual effort and the risk of misconfiguration. Revocation is immediate, with status propagated across the platform.
### Policy Engine
Define and enforce organisation-wide certificate policies. Policies are matched automatically based on action type and domain, applying constraints to certificate attributes such as algorithm, key size, and validity period. Enforcement modes include hard failure (block issuance) and soft failure (warn and proceed), giving security teams control without impeding operational workflows.
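A policy engine of the shape described above, as an added Go example rather than the platform's implementation: policies are selected by action type and domain, constrain key algorithm/size and validity period, and enforce in hard (block) or soft (warn and proceed) mode. The `Policy` and `Request` types, the key-name scheme, the domain names, and the choice to fail closed when no policy matches are all this example's assumptions; the page does not describe the platform's policy data model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"strings"
	"time"
)

// Policy is a hypothetical model of the constraints the page describes: it
// matches one action type and a domain, bounds key type and validity, and
// either blocks issuance (Hard) or warns and proceeds (soft).
type Policy struct {
	Name         string
	Action       string          // "issue", "renew", ...
	DomainSuffix string          // "example.test" covers it and all subdomains
	AllowedKeys  map[string]bool // "ECDSA-P-384", "RSA-3072", ...
	MaxValidity  time.Duration
	Hard         bool
}

// Request is the part of a CSR or renewal request the engine needs.
type Request struct {
	Action    string
	Names     []string // common name plus SANs
	PublicKey interface{}
	Validity  time.Duration
}

// keyName renders a public key as "<algorithm>-<curve or modulus bits>".
func keyName(pub interface{}) string {
	switch k := pub.(type) {
	case *ecdsa.PublicKey:
		return "ECDSA-" + k.Curve.Params().Name
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", k.N.BitLen())
	}
	return "unknown"
}

// Matches reports whether the policy covers the request: same action, and
// every requested name inside the policy's domain (DNS names are compared
// case-insensitively).
func (p Policy) Matches(r Request) bool {
	if p.Action != r.Action || len(r.Names) == 0 {
		return false
	}
	suffix := "." + strings.ToLower(p.DomainSuffix)
	for _, n := range r.Names {
		if !strings.HasSuffix("."+strings.ToLower(n), suffix) {
			return false
		}
	}
	return true
}

// Violations lists the attribute constraints the request breaks.
func (p Policy) Violations(r Request) []string {
	var v []string
	if kn := keyName(r.PublicKey); !p.AllowedKeys[kn] {
		v = append(v, "key type "+kn+" not allowed")
	}
	if r.Validity > p.MaxValidity {
		v = append(v, fmt.Sprintf("validity %s exceeds maximum %s", r.Validity, p.MaxValidity))
	}
	return v
}

// Evaluate applies the first matching policy (order the slice most specific
// first) and returns its name, the violations, and whether the request may
// proceed: always for soft policies, only when clean for hard ones. With no
// matching policy this example fails closed.
func Evaluate(policies []Policy, r Request) (string, []string, bool) {
	for _, p := range policies {
		if p.Matches(r) {
			v := p.Violations(r)
			return p.Name, v, len(v) == 0 || !p.Hard
		}
	}
	return "", []string{"no policy matches this action and domain"}, false
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	prod := Policy{Name: "prod-issue", Action: "issue", DomainSuffix: "example.test",
		AllowedKeys: map[string]bool{"ECDSA-P-384": true, "RSA-3072": true},
		MaxValidity: 90 * 24 * time.Hour, Hard: true}
	req := Request{Action: "issue", Names: []string{"web.example.test"},
		PublicKey: &key.PublicKey, Validity: 365 * 24 * time.Hour}
	fmt.Println(Evaluate([]Policy{prod}, req)) // prod-issue, two violations, blocked
}
```

A soft policy still returns its violations so that the warning can be written to the audit log even though issuance proceeds; a request whose SANs straddle two domains matches neither policy and is refused, which is the safer default for a multi-domain engine.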
## Private PKI
### Root Certificate Authority Management
Create, import, and manage root certificate authorities directly within the platform. Root CA certificates can be generated with configurable algorithms and key sizes, or uploaded from existing infrastructure. The platform enforces compliance checks — a root certificate is considered compliant only when its private key has been removed from the platform, the certificate has been downloaded, and at least one active intermediate certificate exists.
### Intermediate Certificate Authority Management
Issue and manage intermediate CAs under any root CA in the platform. Intermediate certificates maintain a chain-of-trust relationship with their parent root, and the platform tracks status across the full lifecycle — active, revoked, expired, or invalid.
### Supported Cryptographic Algorithms
The platform supports a broad range of modern cryptographic algorithms:
| Type | Options |
|---|---|
| RSA | 2048, 3072, 4096 bits |
| Elliptic Curve (EC) | P-256, P-384 (default), P-521 |
| Digest | SHA-256, SHA-384, SHA-512, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, BLAKE2b512, BLAKE2s256 |
### Secured Back Control Plane
The platform includes a built-in Secured Back Control Plane for cryptographic key generation, storage, and signing. This is designed to be compliant with FIPS 140-3 (Level 1). Private key material never traverses internet-facing components.
For organisations with more stringent compliance or regulatory requirements, the platform supports integration with third-party physical HSMs and cloud-based HSM services from Microsoft Azure and Amazon Web Services.
## Automation and Integration
### Bridges
Bridges are lightweight, on-premises agents deployed inside your network that connect outbound to the Zaita platform. The platform never initiates inbound connections into your environment — all communication originates from the Bridge.
Bridges provide:
- Certificate discovery within your internal network
- Key pair and CSR generation on local hardware
- Certificate deployment to target systems
- Job execution for automated provisioning workflows
Bridges are available as Linux systemd daemons or Windows Services containers. They use a rotating, single-use token trust model and are written in Rust. High availability is supported through multi-replica deployments.
### Couriers
Couriers are lightweight command-line utilities that pull certificates from the platform to target systems. Unlike Bridges, Couriers are not persistent agents — they are scheduled via cron or integrated into CI/CD pipelines.
Couriers can generate key pairs and CSRs directly on the target system, submit CSRs to the platform for signing, and retrieve completed certificates. They support multiple credential-less authentication methods:
- SPIFFE/SPIRE
- Azure Workload Identity Federation
- AWS IAM OIDC Identity Provider
Legacy authentication via X.509 certificate or client ID/secret is also available. Couriers run on Windows and Linux.
#### Bring Your Own Courier (BYOC)
The platform exposes a documented API that enables organisations to build custom couriers in any language, providing full flexibility for integration with proprietary systems or non-standard deployment environments. OpenAPI definitions can be provided to customers who wish to build their own implementations.
### Target System Deployment
Certificates can be pushed directly to target systems via a Bridge. Supported target systems include:
| Target System | Authentication Method |
|---|---|
| Microsoft IIS | Windows Remote Management |
| Microsoft Windows | Windows Remote Management |
| Linux — Nginx | SSH |
| Linux — Apache | SSH |
| Linux — Bash (custom) | SSH |
### External Certificate Authority Integration
The platform supports integration with external certificate authorities, enabling organisations to use their existing CA infrastructure alongside the platform's built-in PKI capabilities. External CAs are configured and managed through the web portal.
### REST API
A versioned REST API provides programmatic access to certificate operations including generation, renewal, revocation, and upload. The API supports the same authentication methods available to machine accounts, enabling full automation of certificate lifecycle workflows.
## Identity and Access Management
### Single Sign-On (SSO)
Integrate with your existing identity provider to authenticate users through single sign-on. SSO centralises access governance and enables enforcement of your organisation's authentication policies, including multi-factor authentication.
### Role-Based Access Control (RBAC)
Access is governed by a role-based permissions model. Roles define the scope of actions a user may perform, ensuring least-privilege access across the platform. Administrators can create users, assign roles, and manage permissions through the web portal.
### Machine Accounts
Machine accounts provide non-human authentication for Bridges, Couriers, and custom API integrations. Machine accounts are purpose-built for programmatic access and support federated identity authentication — enabling CI/CD platforms and pipeline tooling to authenticate without storing long-lived credentials.
IP whitelisting can be enforced on individual machine accounts to restrict the network locations from which authenticated API calls may originate.
### Federated Identity
Machine accounts support federated identity via OpenID Connect and cloud-native workload identity providers. By eliminating static credentials, federated identity reduces the risk of credential leakage and removes the operational burden of credential rotation.
## Security
### Architectural Isolation
The platform separates user-facing services from cryptographic operations through distinct control planes. The SaaS control plane handles web portal and API access; the back control plane performs all cryptographic operations in isolation. Communication between the two planes is asynchronous — there is no direct network path from external interfaces to the Secured Back Control Plane or its key material. For full details, see the Architecture page.
### Tenant Segregation
In multi-tenant deployments, tenant segregation is enforced through individual customer encryption keys. Each tenant's data is encrypted with their own key, ensuring data cannot be decrypted or accessed by other tenants or platform operators. For complete workload isolation, single-tenant deployments provide dedicated control planes, data planes, and infrastructure. See Hosting Options for more information.
### Audit Logging and SIEM Integration
Comprehensive audit logs capture all significant actions across the platform — user authentication events, certificate lifecycle operations, machine account activity, administrative changes, and security-sensitive operations such as root certificate key management. Audit logs can be exported and integrated with external SIEM platforms for correlation with your broader security monitoring ecosystem.
For a complete overview of the platform's security properties, see the Security page.
## Infrastructure and Performance
### Global Availability
The platform is deployed across multiple geographic regions with hosting available in Oceania, Europe, Asia, and North America. A global CDN provides TLS termination at the edge, geographic routing, and DDoS absorption.
### Asynchronous Job Processing
Certificate lifecycle operations are processed asynchronously through a distributed job system. This provides a non-blocking user experience, independent scaling of back-end workers, and automatic retry with backpressure management.
### Web Application Firewall (WAF)
All traffic passes through a web application firewall configured with the OWASP Core Rule Set, rate limiting, bot mitigation, and support for custom rules.
### Kubernetes-Native Deployment
The platform runs on Kubernetes with horizontal pod autoscaling, workload isolation, and rolling deployments — ensuring high availability and zero-downtime updates.
## Feature Summary
| Category | Capability |
|---|---|
| Certificate Lifecycle | Centralised inventory, automated discovery (CT logs + endpoint scanning), provisioning, renewal, revocation |
| Private PKI | Root and intermediate CA management, configurable algorithms (RSA, EC), compliance enforcement |
| Cryptographic Security | Built-in FIPS 140-3 Level 1 compliance, third-party HSM integration (Azure, AWS, physical) |
| Policy Engine | Domain-matched policies with hard/soft enforcement on certificate attributes |
| Automation | Bridges (on-premises agents), Couriers (CLI pull-based), CI/CD pipeline integration, REST API |
| Target Systems | Push deployment to IIS, Windows, Nginx, Apache, Linux via Bridge |
| Identity & Access | SSO, RBAC, machine accounts, federated identity (OIDC, SPIFFE, Azure, AWS), IP whitelisting |
| Encryption | Customer-managed encryption keys, data encrypted at rest, private keys never exposed to SaaS plane |
| Tenant Isolation | Encryption-based segregation (multi-tenant), dedicated infrastructure (single-tenant) |
| Audit & Compliance | Comprehensive audit logging, SIEM integration, FIPS 140-3 compliance |
| Infrastructure | Multi-region hosting, global CDN, WAF, Kubernetes-native, async job processing |
| Hosting Flexibility | Multi-tenant SaaS, single-tenant on Akamai, Azure, AWS, or EU specialist providers |