Skip to main content
[cyphrs] Trust CA

Own your trust infrastructure.

Issue and control private certificates across your systems. Define identity, enforce policy, and remove dependency on public CAs.

Get Early Access Back to Hub
01 // Control

What you control

Internal certificates under your control

Identity for every service, agent, and user

Policy-driven issuance and lifecycle

Immediate revocation inside your network

No dependency on public certificate authorities

02 // Identity

Certificates become identity

Every entity in your system receives a certificate-based identity.

Service

APIs, workloads, microservices

Agent

Monitoring, automation, A2A

User

Admin tools and privileged access

Emergency

Short-lived break-glass credentials

Identity is issued, scoped, rotated, and revoked automatically.

03 // Issuance

Issuance is policy-driven

Define certificate behaviour once:

Lifetimes

Set validity periods per identity type and use case.

Key types and strength

Choose algorithms and key sizes per certificate profile.

SAN and domain constraints

Restrict which names and domains each profile can issue.

Identity types and usage

Map certificate profiles to service, agent, user, or emergency roles.

Every certificate follows policy. No drift. No manual decisions.

04 // Lifetimes

Controlled lifetimes

Certificates match your systems–not browser rules.

Long-lived for stable internal services

Short-lived for sensitive access

No forced renewal cycles

Not defined by browser rules. Defined by your systems.

05 // Revocation

Immediate revocation

Revoke any certificate instantly.

No CRL propagation delays

No external dependency

Enforcement happens inside your network

Revocation is enforced instantly–not eventually.

06 // Client & Server

Client and server certificates

Trust CA issues both:

Server certificates

Secure endpoints

Client certificates

Prove identity

Public CAs don't issue client identity.
Trust CA does.

Every service proves who it is before communication begins.

This enables mutual TLS (mTLS) across your infrastructure.

Learn more about mTLS
07 // How It Works

Once defined, the system handles everything

1
Identity created

Entity is defined and scoped

2
Policy applied

Validated against your trust rules

3
Key generated locally

Private key created on the machine

4
CSR sent to Trust CA

Signing request submitted securely

5
Certificate deployed

Issued and installed automatically

6
Rotation automated

Renewal and rotation handled by policy

Private keys never leave the machine.

08 // Lifecycle

Policy-enforced lifecycle

Every certificate follows the same model:

Issued
Deployed
Rotated
Revoked

All actions are enforced by policy and recorded automatically.

Nothing operates outside the system.

09 // Architecture

Two-tier PKI. Zero external dependencies.

[cyphrs] Trust CA runs a proper two-tier certificate hierarchy – a Root CA that never touches end-entity certificates, and an Intermediate CA that handles all issuance. The root key stays isolated. The intermediate rotates without re-establishing trust across your fleet. One key compromised doesn't mean starting over.

Everything runs inside your network. Rust core. PostgreSQL persistence. No SaaS callbacks, no phone-home telemetry. Your keys never leave your perimeter – because they were never supposed to.

[cyphrs] Root CA
10-year validity · Offline · Signs intermediate only
[cyphrs] Intermediate CA
5-year validity · pathlen:0 · Signs all end-entity certs
Server TLS
47d – 365d
Client mTLS
6h – 365d
RA/CA separation

Registration Authority validates requests and enforces policy before the CA signs. The API layer cannot bypass policy.

Algorithm choices

ECDSA P-256 / P-384 / RSA-4096. All FIPS 140-3 approved. ECDSA P-256 default – smallest key, fastest handshake.

Key locality

Server and client private keys generated on the machine that will use them. Trust CA signs a CSR you submit. No key escrow.

Encrypted storage

CA private keys encrypted with AES-256-CBC via HKDF-SHA256. Zeroized from memory on process exit.

[cyphrs] Scout

Scout runs on every managed endpoint. It generates private keys locally, submits CSRs to Trust CA, receives signed certificates, and deploys them to the service. Stale agents are auto-disabled. Orphaned credentials are revoked. The agent that discovered your certificates is the same agent that manages them.

10 // Use Cases

Where it's used

Trust CA is used wherever identity matters:

Internal APIs

Authenticate and encrypt internal service communication.

Microservices

Identity for every service in your mesh.

Kubernetes workloads

Short-lived certificates scoped to namespace and workload.

Private networks (RFC1918)

Certificates for internal IPs and private domains.

Admin access

Certificate-based identity for privileged systems.

Service-to-service auth

Mutual authentication between every communicating pair.

If it doesn't need browser trust–it shouldn't use a public CA.

11 // Control Plane

Part of the system

Trust CA operates inside [cyphrs] Hub:

1
Discovery

Identifies certificates across your estate

2
Classification

Assigns the right trust model

3
Trust CA

Issues internal identity

4
ACME

Handles public certificates

Explore Hub · ACME ARI · mTLS · Scout

Own your trust infrastructure

Early access is free. We're working with a small number of teams to shape the platform.

Get Early Access Explore Hub