
The certificate that breaks you
is the one you didn't know existed.

Automate public certificates at the edge.
Issue and control private identity across your systems.

The reason certificates fail isn't operational.
The trust model itself is wrong.

Early access is free. We're working with a small number of teams to shape the platform.

01 // The Problem

Certificate renewal was already a ticking clock

Every server certificate has an expiry date. Miss it, and a service goes down.
The question isn't if a renewal will fail – it's when.

Certbot configs drift.
Every service renews differently.
Nobody has full visibility.

Scaling Pressure (certificates under management)
10: manageable
100: fragile
500: inevitable failure

You don't miss certificates because you're careless.
You miss them because the system doesn't scale.

02 // The Dual Threat

Now, two forces are breaking
certificate management.

One is operational. The other is architectural.

Public SSL/TLS Server Certificates

The Timeline Collapse

Certificate lifetimes dropped to 200 days in March 2026. This is the first compression – not the last. In March 2027, lifetimes fall to 100 days. By March 2029, 47 days.

Public Cert Lifetimes
200d: now
100d: Mar 2027
47d: Mar 2029

The Hidden Multiplier

Domain Validation reuse periods are also shrinking. By 2029, every renewal will require a new check. Every failure point, every time.

Domain Validation Reuse Periods
200d: now
100d: Mar 2027
10d: Mar 2029

Public Client Certificates

The Client Auth Exit

Public CAs are removing client authentication from their certificates. If your services need to prove identity – not just encrypt traffic – you can't rely on public infrastructure for it.

There's no public alternative. If your services rely on certificate-based identity, you need private trust infrastructure (PKI) – on a timeline you didn't choose.

Removed: client authentication
  • Sectigo (Sep 2025)
  • DigiCert (following)
  • Chrome trust store (Mar 2027)
Required: client authentication
  • FAPI 2.0 mTLS
  • PSD2
  • Zero-trust (mTLS)
  • Compliance audits

The capability is removed at the exact moment it's mandated.

A perfect storm. Two pressures converge on the same fragile trust model:
one compressing certificate lifecycles, the other removing client authentication from public trust.
Just as the web moves away from certificate-based identity, infrastructure has come to depend on it.
And certificate management appears to be broken.

03 // The Pivot

This is not a certificate management problem.

We are using the
wrong trust model.

The model didn't break.
It was never designed for this.

Public trust should be the exception – not the default.

You're applying it where it doesn't belong.
And relying on capabilities that are being removed.

Not every endpoint needs a public certificate.

Two trust models. One choice.

Public Trust (Web PKI)
Designed for the Internet
  • Browser-facing
  • Short-lived certificates
  • No reliable revocation
  • Global trust
Private Trust (Your Infrastructure)
Built for your infrastructure
  • Internal systems
  • Known identities
  • Controlled trust
  • Policy + revocation

Stop borrowing trust from the internet.

04 // The Platform

One platform.
Three trust domains.

Public Trust at the edge. Private Trust everywhere else.

[cyphrs] Hub is the control plane for trust – governing public certificates, private identity, and machine-to-machine authentication.

Internet / Edge: Public Trust (Web PKI / Edge)
Certificate lifecycles and domain validation – only where global trust is required.

[cyphrs] Hub: Control Plane

Internal Systems: Private Trust (Your Infrastructure)
Identity issuance and trust control – within your own boundaries.

Service Identity: mTLS Identity
System identity between services – without shared certificates or global trust.

05 // System

How it works in practice

From fragile certificates to controlled trust.

Replace expiry risk, manual renewal, and blind trust – with visibility, control, and enforced identity across your infrastructure.

[cyphrs] Hub operates in three stages:

DISCOVER

See every certificate
across your infrastructure

CONTROL

Apply the right trust model
automatically

ENFORCE

Automate identity and lifecycle
across every system

Most teams start here: ACME automation

[cyphrs] Trust CA

Define and control trust inside your infrastructure

  • Issue identities to internal services
  • Define exactly who and what is trusted
  • Set lifetimes that match your systems
  • Revoke access immediately when needed

[cyphrs] ACME ARI

Renew Public Certificates Automatically

  • Renewal triggered by the CA – not cron
  • New certs live before old ones expire
  • Validation handled automatically
  • No downtime during rotation

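CA-triggered renewal timing, as the ACME ARI module above describes it, is illustrated here with an added example that is not [cyphrs] code: it parses an ACME Renewal Information (RFC 9773) response, picks a renewal instant inside the CA's suggested window, and only falls back to a fixed fraction of the lifetime when no ARI is available. The sample response, the URL, the 47-day certificate dates and the 2/3-of-lifetime fallback are all constructed assumptions.

```python
import json
import random
from datetime import datetime

# Constructed sample of an ACME Renewal Information (ARI) response (RFC 9773):
# the CA suggests the window in which the client should renew.
SAMPLE_ARI_RESPONSE = json.dumps({
    "suggestedWindow": {"start": "2026-04-10T00:00:00Z", "end": "2026-04-12T00:00:00Z"},
    "explanationURL": "https://ari.example/why",  # constructed placeholder
})

# Assumed fallback when the CA offers no ARI: renew at 2/3 of the lifetime.
FALLBACK_LIFETIME_FRACTION = 2 / 3


def parse_rfc3339(ts: str) -> datetime:
    """ARI timestamps are RFC 3339; fromisoformat wants '+00:00' rather than 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_ari_window(body: str) -> tuple[datetime, datetime]:
    """Return (start, end) of the CA's suggested renewal window."""
    window = json.loads(body)["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end <= start:
        raise ValueError("ARI suggestedWindow is empty or inverted")
    return start, end


def choose_renewal_time(now, not_before, not_after, ari_body=None, rng=random.random):
    """Pick the instant at which to renew.

    With ARI the CA's window wins: choose a uniformly random instant inside it
    (as RFC 9773 recommends, so a fleet does not hit the CA at the same second)
    and renew immediately if that instant is already past. Without ARI, fall
    back to a fixed fraction of the lifetime. Either way the result precedes
    not_after, so the new certificate is live before the old one expires.
    """
    if ari_body is not None:
        start, end = parse_ari_window(ari_body)
        chosen = start + (end - start) * rng()
    else:
        chosen = not_before + (not_after - not_before) * FALLBACK_LIFETIME_FRACTION
    if chosen <= now or chosen >= not_after:
        return now  # window already open or missed, or too close to expiry
    return chosen


# Constructed 47-day certificate (the March 2029 lifetime) and a clock reading.
NOT_BEFORE = parse_rfc3339("2026-03-20T00:00:00Z")
NOT_AFTER = parse_rfc3339("2026-05-06T00:00:00Z")  # NOT_BEFORE + 47 days
NOW = parse_rfc3339("2026-04-01T00:00:00Z")
```

In a real client the ARI body comes from the CA's renewalInfo endpoint for the current certificate and is re-fetched periodically, since the CA may move the window forward (for example when it needs to revoke).
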
[cyphrs] mTLS

Every service proves its identity

  • Services authenticate before communicating
  • Identity replaces network trust
  • Secure service-to-service becomes default
  • Zero-trust becomes operational

This isn't certificate management.
It's trust infrastructure.

One control plane. Three modules. No blind spots.

Enforcement. Visibility. Control.

Built into the system.

Right trust model. Automatically.

Internal services use Trust CA. External endpoints use ACME – no manual classification.

Certificates renew before they fail

CA-signalled timing, zero-downtime swaps – no restarts or connection drops.

See every certificate. Instantly.

Renewal posture, expiry risk, and CA signals – across every environment.

Problems surface before they escalate

Escalating retries, early warnings, automatic resolution – no silent failures.

Every action is recorded – and explainable

Timestamp, provider, trigger reason, outcome – compliance-ready out of the box.

Define policy once. Enforce it everywhere.

Renewal strategy, providers, and deploy windows – applied across your entire fleet.

No blind spots. No expiry surprises. No borrowed trust.

Take control of your trust infrastructure.

Start with discovery. See everything. Understand your trust model. Then take control.
