Loading
Language
Master your PKI.
Orchestrate every certificate authority. Issue across classical and post-quantum natively. Govern at scale. A sovereign European platform, classical and post-quantum.
Available for proof of concept and integration projects.
Real problems. Concrete answers.
Orphan certificates
Certificates with no owner, no team, no renewal process. When an employee leaves, their certificates stay. Until they expire.
Zero PKI visibility
Certificates scattered across multiple CAs, manual files, disparate tools. No single view. No single source of truth.
Single-CA dependency
One certificate authority for everything. One point of failure. One vendor lock-in. One problem when it goes down.
Multi-entity governance
Multiple business units, multiple CISOs, multiple policies. One PKI that cannot segment or delegate.
PQC transition complexity
New algorithms, new key sizes, new trust chains. No tooling to inventory, plan, or execute the migration.
Built for teams that manage PKI
From security teams to global enterprises, the platform adapts to your organization.
CISO / Security
Full visibility and compliance across your entire certificate estate.
PKI Teams
Lifecycle automation, multi-CA, zero manual intervention.
GRC / Audit
Immutable audit trail, quality scoring, compliance exports.
Large Enterprises
Multi-org, data isolation, centralized governance.
Two products. Zero blind spots.
End-to-end PKI control, from certificate issuance to multi-CA orchestration, engineered for crypto-agility — classical today, post-quantum ready.
CLM Orchestrator
PKIFactor
Take control of every certificate authority, public and private, from one governance platform. No more spreadsheets. No more surprises.
- Multi-CA Orchestration
- ACME & EST Automation
- Audit & Regulatory Compliance
Certificate Authority
ZetaCA
Post-quantum native certificate authority — RSA, ECDSA and ML-DSA from day one. Validated on Utimaco u.trust GP, PKCS#11-compatible. Starter edition free and perpetual, Enterprise and Quantum on license.
- Classical & post-quantum issuance
- Universal HSM compatibility
- On-premise & air-gapped deployment
ZetaCA standalone, or with PKIFactor
Pick your level of orchestration: ZetaCA as a standalone CA for isolated or air-gapped environments, or paired with PKIFactor for multi-CA centralised governance.
PKIFactor + ZetaCA
Cryptographic power meets orchestration intelligence. The complete enterprise PKI stack.
Cryptography
Orchestration
One console. Every certificate.
Real-time operations console for PKIFactor, ZetaCA, and your existing CAs. Built for Security, DevOps, and GRC teams.
Real-time visibility
Detect expiry, incidents, and policy drift the second they happen, across every certificate you own.
Centralized command
Enforce policies, trigger renewals, and revoke certificates without leaving this console.
Public tool · Free
Audit your certificates. For free, no account.
CryptoAudit runs the same detector chain we use in ZetaCert Research against an individual certificate or a hostname. No account, no data retention. Answer in seconds.
Batch GCDFermat factorisationModulus lengthCA mis-issuance
Run an audit at audit.zetacert.comFAQ
Frequently Asked Questions
Everything you need to know about ZetaCert, deployment options, and integration.
What is the difference with a traditional PKI (ADCS, EJBCA)?
PKIFactor is an orchestrator (CLM), not a PKI. Unlike ZetaCA, ADCS, or EJBCA, it does not sign certificates. It connects to these authorities to manage the certificate lifecycle.
Does ZetaCert replace my existing solutions?
No, PKIFactor complements them. It acts as a conductor above your PKIs (like ZetaCA or ADCS) to unify visibility and automation.
How does the network scan work?
Our discovery agent scans your defined IP ranges and ports to identify all exposed SSL/TLS certificates, whether managed or not (shadow IT). No agent is required on target servers for passive scanning.
Can I install it on my own infrastructure (On-Premise)?
Absolutely. ZetaCert is designed to be deployed On-Premise (VM, Kubernetes) or in a Private Cloud to ensure complete data sovereignty and proximity to your internal PKIs.
Which automation protocols do you support?
We natively support ACME (RFC 8555), EST (RFC 7030), and have a full REST API. Integration with common web servers (IIS, Nginx, Apache) is available.
Does ZetaCert escrow my private keys?
No. ZetaCert does not escrow any private key. PKIFactor accepts CSRs signed elsewhere and never stores the associated private key. ZetaCA generates its CA keys inside a PKCS#11 HSM, where they never leave. Key escrow (S/MIME recovery, ediscovery, legal hold) belongs in a dedicated KMS/IDM product — not in a PKI nor a CLM. This is a deliberate architecture choice to preserve non-repudiation and limit the blast radius of a compromise.
How can I check the cryptographic health of my own certificates?
We operate a free, accountless public service at audit.zetacert.com. Submit a hostname or upload a PEM certificate: the service runs the same detector chain used by ZetaCert Research (batch GCD, Fermat close-prime factorisation, modulus length check, public-exponent verification, notAfter plausibility, CA mis-issuance). No data is retained beyond the request.
Stop managing certificates. Start governing them.
30 min. Your PKI challenges. Our solutions. No commitment.
Classical & Post-Quantum
Sovereign & On-Premise
European Infrastructure
Available for proof of concept and integration projects.