30-day free trial — no credit card required

Stop managing certificates. Start automating them.

Zaita is the only platform that discovers every certificate across your entire organisation, runs your private PKI with ironclad key protection, and automatically renews and deploys certificates to your servers — so expiry outages become a thing of the past.

30 days free · Full enterprise limits · No credit card required

Product screenshot (au.zaita.com/certificates): Zaita / Certificate Inventory for the sample tenant "Acme Corp"

  • 2,847 total certificates
  • 14 expiring soon
  • 98.5% policy compliant

  Common Name          Status     Expires   Issuer
  api.acmecorp.com     Valid      82 days   Zaita CA
  mail.acmecorp.com    Expiring   8 days    Zaita CA
  auth.acmecorp.com    Valid      47 days   Zaita CA
  db.internal.acme     Valid      31 days   Zaita CA
  *.acmecorp.com       Expired    0 days    Public CA

Showing 5 of 2,847 certificates
  • Zero outages: from automated certificate renewal
  • 47 days: max TLS cert lifespan by 2029
  • 4 regions: global hosting (AU, EU, AP, US)
  • Zero trust: your private keys stay yours

The Mandate

Certificate lifespans are shrinking — fast

Global standards bodies are mandating shorter and shorter certificate lifespans. Manual renewal processes that barely hold together today will completely collapse within years — and the timeline is accelerating.

  Year   Max lifespan   Impact
  2024   398 days       Previous maximum lifespan
  2026   200 days       Renewals double in frequency
  2027   100 days       Manual processes become untenable
  2029   47 days        Full automation is mandatory

Source: CA/Browser Forum Ballot SC-081 — Short-Lived Certificates

Platform

Every capability your security team has been asking for

Six deeply integrated capabilities covering the full certificate lifecycle — from finding certificates you didn't know existed, all the way to zero-touch automated renewal and deployment.

Certificate Discovery

Build a complete picture of every certificate across your organisation — including ones issued without your knowledge. New certificates are surfaced within 24 hours.

  • Automatically catch certificates issued without your knowledge
  • Scan across web, database, and mail services automatically
  • Scan internal networks securely — zero firewall changes required

Private PKI

Build a complete root and intermediate CA hierarchy — fully managed, with private keys protected in a dedicated, isolated signing system that never touches the internet.

  • Industry-standard encryption algorithms — you choose the strength
  • Take your root CA key offline for maximum security
  • Built-in ACME server for fully automated certificate issuance

Automation — Built for Every Environment

Three automation methods so no workload gets left behind. Push certificates to on-premises servers, pull from any cloud workload, or let any standards-compatible tool request its own certificates automatically.

  • Bridges: zero firewall changes — connects out, not in, and self-updates
  • Couriers: runs on a schedule, authenticates via cloud identity — no stored passwords
  • Private ACME: secure, standards-based issuance — every major client supported

Target System Deployment

Certificates land on your servers and services restart — automatically, every time. Credentials are only ever decrypted in memory; they are never written to disk and never stored while in transit.

  • Windows: IIS, Exchange, RDS Gateway, SQL Server, Windows Certificate Store
  • Linux: Nginx, Apache, HAProxy, Postfix, and any custom application
  • Least-privilege Windows deployments with Just Enough Administration (JEA)

Policy & Compliance

Stop non-compliant certificates from ever reaching production. Set your security standards once and Zaita enforces them — on every certificate, every time.

  • Set policies per domain — warn on violations or block them entirely
  • Fine-grained roles for every team — PKI, Deployment, Policy, Reporting, and more
  • Lock down which certificates each server is allowed to request

Audit & SIEM Integration

Every action in Zaita — logins, certificate issuance, deployments, admin changes — is captured in a tamper-proof audit log and fed directly into your security monitoring tools.

  • Complete audit trail — who did what, when, and from where
  • Feed your SIEM directly via a secure, IP-restricted API

How It Works

From discovery to deployment — fully automated

Whether you're cloud-native, on-premises, or somewhere in between — Zaita handles the entire certificate lifecycle so your team doesn't have to.

Step 1

Discover

Zaita continuously scans the internet and your internal networks to build a complete inventory of every certificate tied to your organisation — including ones you didn't issue.

Step 2

Issue & Manage

Issue certificates from your own private CA or connect an existing one. Every certificate is automatically checked against your security policies before it's signed — no exceptions.

Step 3

Automate & Deploy

Certificates are pushed or pulled directly to your servers, databases, and load balancers — and services restart automatically. Renewals happen silently in the background, every time.

Automation

Three ways to automate. Every environment covered.

Purpose-built for on-premises, cloud, and everything in between — Zaita's automation tools eliminate every last manual certificate operation across your infrastructure.

Bridges
On-premises deployment agent

A small, self-contained agent you deploy on-premises. Bridges reach out to Zaita for work — all communication is outbound. No inbound connections, no firewall changes, no headaches.

  • Windows installer, Linux packages, standalone binary, or Docker
  • Deploys to Windows and Linux servers automatically
  • Security tokens rotate automatically every 24 hours
  • Self-updating — run multiple agents for built-in high availability
  • Doubles as a secure relay for air-gapped environments

Couriers
Pull-based certificate delivery CLI

A lightweight scheduled tool that runs silently every 12 hours — no background service required. Couriers request, renew, and deliver certificates to the local application, then trigger service restarts automatically.

  • No stored passwords — authenticates via cloud identity (Azure, AWS) or SPIFFE
  • Private keys are generated and stay on the host — never transmitted
  • Automatically restarts services on success, or triggers alerts on failure
  • Connects directly to Zaita, or via a Bridge for air-gapped environments
  • Works with CI/CD: GitHub Actions, GitLab CI, and more

Private ACME Server
Standards-based automated issuance

Run your own private ACME endpoint backed by your Zaita CA. Any ACME-compatible tool — from Certbot to Kubernetes cert-manager — can request and renew certificates automatically. No custom scripts needed.

  • Works with every major ACME client: Certbot, acme.sh, cert-manager, Caddy, Traefik, win-acme
  • Secure client authentication keeps your ACME endpoint locked down
  • Restrict which domains each client account is allowed to request
  • Open standard — works with any ACME client, no vendor lock-in
  • Multiple servers per account — isolate by environment or team

Security Model

Your private keys are protected by architecture — not just policy

Zaita is built with a unique split-system architecture. The internet-facing platform never touches your private key material — ever. A physically separate, air-gapped signing system handles all cryptographic operations with no external network access.

Even a complete breach of the web platform cannot expose your private keys. That's not a policy promise — it's a physical impossibility.

  • Web Platform: web portal, API, user authentication, certificate management. Internet-facing, with no access to private key material.
  • Link between the two systems: asynchronous, encrypted only.
  • Isolated Signing System: all key generation and certificate signing happens here, completely air-gapped from the internet.

  • Unique keys per customer: your encryption keys are yours alone, never shared
  • Full tenant isolation: every organisation's data is cryptographically separated
  • SSO / SAML: single sign-on via your existing identity provider
  • Role-Based Access: scoped roles for PKI, Deployment, and Policy teams
  • Machine Accounts: cloud-native identity for Azure, AWS, and Kubernetes
  • IP Whitelisting: restrict access to approved IP ranges

Hosting

Deployed wherever your compliance requirements demand

Fully managed shared hosting or your own dedicated infrastructure — across globally distributed regions to meet data residency requirements anywhere in the world.

Multi-Tenant SaaS

Fully managed cloud hosting with strong isolation between customers. Available across multiple regions with offline backups for peace of mind.

  • Oceania (Sydney, Australia)
  • Europe (coming soon)
  • Asia (coming soon)
  • North America (coming soon)
Enterprise

Single-Tenant

Your own dedicated infrastructure — complete isolation for regulated industries and the strictest compliance requirements. EU specialist providers available.

  • Akamai, Azure, AWS, EU providers
  • Custom backup regions
  • Dedicated SLA

HSM Integration

Already have a Hardware Security Module? Connect it to Zaita for the ultimate in key protection and compliance assurance.

  • Azure Key Vault HSM
  • AWS CloudHSM
  • Physical HSM (contact for details)

Pricing

Start free. Grow at your pace.

There are no hidden fees or surprise overage charges. Our pricing is transparent and predictable, so you can focus on building your PKI — not on managing your bill.

Personal
Coffee Tier
$5/month

Everything you need to build and run a personal private PKI for the price of a coffee.

What's included
  • One user account
  • 1 Root CA + 2 Intermediate CA certificates
  • 5 leaf certificates per month
  • CT log scanning for 1 domain (24-hr monitoring)
  • Web portal + 1 private ACME server
  • Courier agent (direct SaaS connection, cron-scheduled)

No credit card required · start trial today

Most Popular
Home-Lab Tier
$15/month

More certificates and more domains for active users. Perfect for home-lab use.

Everything in Coffee Tier, plus
  • One user account
  • 20 leaf certificates per month
  • CT log scanning for up to 2 domains
  • 2 private ACME servers
  • Courier agent (direct SaaS connection)
  • Email support

Monthly billing · cancel anytime

Frequently asked questions

Common questions from security and infrastructure teams evaluating Zaita.

Does Zaita ever have access to my private keys?
No — never. Private keys are handled exclusively by a physically isolated signing system that has no network path to the internet. The web platform never sees key material in plaintext. Even if someone compromised the web platform entirely, your private keys would remain safe.
What is a Bridge and why does it need no inbound firewall rules?
A Bridge is a lightweight application you deploy on-premises. It polls the Zaita control plane for pending jobs — all communication is outbound HTTPS (port 443) initiated by the Bridge. Zaita never initiates a connection inward. This means you only need a standard outbound HTTPS rule, which almost every corporate firewall already permits. Bridges support high availability by running multiple replicas, rotate cryptographic trust tokens on every poll, and self-update automatically.
How does Zaita handle the 47-day certificate mandate?
Zaita is purpose-built for short-lived certificates. Couriers run on a schedule (typically every 12 hours via cron or Task Scheduler) and automatically renew certificates when they approach the configured renewal threshold — without human involvement. With a 47-day certificate and a 14-day renewal window, every renewal happens automatically. You set the policy once; Zaita handles it indefinitely. Service restarts after renewal are triggered via configurable on-success hooks.
What authentication methods do Courier agents support?
Couriers support five authentication methods. The three recommended methods require no stored passwords or secrets — they use your cloud platform's native identity: SPIFFE/SPIRE (for Kubernetes and service mesh environments), Azure Workload Identity (for Azure VMs and Arc-enabled servers), and AWS IAM (for EC2, ECS, EKS, and more). Traditional certificate and client ID/secret authentication are also supported for legacy environments.
Which target systems can Zaita deploy certificates to automatically?
Bridges deploy certificates directly to Windows and Linux servers. On Windows, supported targets include IIS, Windows Certificate Store, Exchange Server, RDS Gateway, and SQL Server. On Linux, Zaita supports Nginx, Apache, HAProxy, Postfix, and any custom application via a script hook. Windows deployments support least-privilege access using Just Enough Administration (JEA). Certificates and private keys are only ever decrypted in Bridge memory — never written to disk in plaintext.
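The renewal arithmetic behind the 47-day answer above, as an added worked example (not Zaita's or the Courier's own code): it replays a 12-hour scheduled check against a 14-day renewal window and shows how many renewals a year that implies and how many retry opportunities remain before expiry if a renewal attempt fails. The start date and the simplifying assumption that each renewal succeeds instantly are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Figures quoted on the page: 47-day maximum leaf lifetime (2029),
# a 14-day renewal window, and a scheduled check every 12 hours.
CERT_LIFETIME = timedelta(days=47)
RENEWAL_WINDOW = timedelta(days=14)
POLL_INTERVAL = timedelta(hours=12)
# Constructed start date for the simulation (assumption, not from the page).
START = datetime(2029, 1, 1, tzinfo=timezone.utc)


def needs_renewal(not_after, now, window=RENEWAL_WINDOW):
    """Renew once remaining validity is at or below the window.
    An already-expired certificate (negative remaining validity) is also
    flagged, so a host that missed many runs still recovers on its next one."""
    return not_after - now <= window


def retry_budget(window=RENEWAL_WINDOW, poll=POLL_INTERVAL):
    """Scheduled attempts still available after the first in-window attempt
    before the certificate actually expires: the slack the alert-on-failure
    path has to work with."""
    return window // poll - 1


def simulate(start, horizon, lifetime=CERT_LIFETIME,
             window=RENEWAL_WINDOW, poll=POLL_INTERVAL):
    """Replay the scheduled check over a horizon, assuming every renewal
    succeeds. Returns (renewal_time, remaining_validity_at_renewal) pairs."""
    not_after = start + lifetime
    renewals, t = [], start
    while t < start + horizon:
        if needs_renewal(not_after, t, window):
            renewals.append((t, not_after - t))
            not_after = t + lifetime  # fresh 47-day certificate issued now
        t += poll
    return renewals


def renewals_per_year(start=START):
    """Count automated renewals in one year and the tightest margin seen."""
    events = simulate(start, timedelta(days=365))
    return len(events), min(remaining for _, remaining in events)


if __name__ == "__main__":
    count, margin = renewals_per_year()
    print(f"{count} renewals/year, tightest margin {margin.days} days, "
          f"{retry_budget()} retry opportunities before expiry")
```

With these figures the check never fires late because the 12-hour cadence divides the 14-day window evenly; shrinking the window or lengthening the schedule is what erodes the retry budget.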
🇳🇿 Built in New Zealand · Est. June 2021

Security expertise, homegrown in Aotearoa

Simply Cyber Security Limited was founded in June 2021 with a clear mandate: bring world-class, independent security consulting and tooling to organisations across New Zealand and beyond — built entirely by New Zealanders, for the world.

We believe security should be practical, not performative. Our team focuses on genuine risk reduction — not checkbox compliance or boilerplate reports. When you work with us, you're working with specialists who've done this across government, finance, healthcare, and critical infrastructure.

Every line of Zaita's code is written, reviewed, and supported right here in New Zealand. No offshore handoffs, no outsourced support queues — just a team that's accountable, reachable, and deeply invested in the product.

Simply Cyber Security Limited
New Zealand Registered Business — NZBN: 9429049397420


Compliance & Standards Expertise

Deep practitioner experience across all major frameworks — from initial gap analysis through to certification and ongoing assurance.

ISO 27001, PCI-DSS, NZ Information Security Manual, Essential 8, NIST, NZ Privacy Act 2020, Australian Privacy Act, GDPR

100% New Zealand Team

Every engineer, consultant, and support agent is based in New Zealand. No outsourcing, no exceptions.

The certificate crisis is coming. Zaita is ready. Are you?

Get started with a 30-day free trial — no credit card needed, full enterprise features from day one.

30 days · Full enterprise limits · No credit card required