Your infrastructure. Your trust boundaries. Your CA.
Internal certificate authority for systems that should never have used public trust. Issue identities, define policies, control lifetimes – on your hardware.
What Trust CA does
A certificate authority built for internal infrastructure. Every capability is designed around the reality of private trust.
Instant certificate issuance
Issue certificates to any internal system in seconds. No approval queues, no waiting on external providers.
Trust policies that fit your architecture
Define who can request what, which SANs are permitted, and which intermediates sign which workloads.
Lifetimes from hours to years
Short-lived tokens for ephemeral workloads. Long-lived certificates for stable infrastructure. You decide.
Real-time revocation
CRL and OCSP built in. Revoke a certificate and every relying party knows immediately – not at next renewal.
Keys generated on your hardware
Private keys never leave your infrastructure. Generate, store, and use them on hardware you control.
FIPS 140-3 validated cryptography
Cryptographic modules validated to FIPS 140-3. Meet compliance requirements without bolting on third-party libraries.
How it works
A hierarchical trust model where every certificate traces back to a root you own.
1. Service or agent submits a CSR
2. Validated against your trust rules
3. Signed by the correct intermediate
4. Delivered and installed automatically
Trust CA issues short-lived certificates to Kubernetes workloads and service mesh sidecars. Identities rotate automatically on your schedule – no manual intervention, no external dependency.
These certificates power mTLS between your services – mutual authentication where both sides prove their identity before exchanging a single byte.
Built for internal infrastructure
Issue server and client certificates for internal APIs. Services like api.internal and auth.service authenticate with certificates you control – not tokens that expire unpredictably.
Both server and client certificates from the same CA. No external dependency.
Every pod gets a cryptographic identity. Trust CA issues short-lived certificates scoped to namespace and service account – revocable, auditable, and rotated automatically.
Works with Istio, Linkerd, and custom service mesh configurations.
Internal IP ranges and .local / .internal domains can't get public certificates. Trust CA issues them directly – no workarounds, no split-horizon DNS hacks.
[cyphrs] Scout classifies which endpoints need Trust CA vs ACME.
Part of [cyphrs]™ Hub
Trust CA doesn't operate in isolation. It connects to every other module in the platform.
Trust CA issues the certificates. mTLS enforces mutual authentication between services – both sides prove identity before any data flows.
Internal endpoints use Trust CA. Public endpoints use ACME ARI for automated renewal. Hub routes each certificate to the right authority automatically.
Scout discovers and classifies your TLS estate, then deploys as the Trust CA client – generating CSRs, receiving signed certificates, and managing deployment to endpoints.
Own your trust infrastructure
Early access is free. We're working with a small number of teams to shape the platform.