Loading
Loading
Buyer's guide
47-day certificates, the post-quantum transition, sovereignty requirements: choosing a certificate lifecycle management platform has never been more consequential. Here are the criteria that truly matter.
Beyond "EU SaaS": real sovereignty means being able to self-host (VM, Kubernetes, private cloud) and keep your keys yourself. Check the deployment model and where the keys actually live.
A CLM must drive YOUR existing authorities (Vault, ADCS, EJBCA, DigiCert…) without locking you in. Require native connectors and a generic one, so you depend on no single vendor.
ACME for the web, EST and SCEP for IoT and devices, and CMP for industrial and telecom. Missing CMP is a common blind spot that will cost you later.
Many advertise "PQC readiness." Ask for proof: ML-DSA and hybrid (RSA/ECDSA + ML-DSA) issuance actually in production, aligned with the hybridization recommended by France's ANSSI.
With 47-day TLS certificates and domain validation reusable for only 10 days, manual DCV won't hold. Require continuous, multi-DNS-provider pre-validation. See our 47-day guide.
Role-based approvals (RBAC), immutable audit trail, SIEM export (CEF/Syslog). Essential in regulated environments — and to prove compliance during audits.
You only protect what you can see: a centralized certificate inventory is the prerequisite, ideally complemented by a cryptographic-health audit. audit.zetacert.com.
Full sovereignty, multi-CA without lock-in, ACME/EST/SCEP/CMP, ML-DSA & hybrid issuance in production, automated DCV. The best way to verify: a demo on your own context.
Book a demo