A standard Managed PKI is a subscription service that allows you to retrieve SSL/TLS certificates and S/MIME (email) certificates at any time. Certificates can be issued manually or automatically (over dedicated interfaces, e.g. a REST API or the ACME protocol). It is best combined with a Certificate Lifecycle Management (CLM) solution.

All types of Internet SSL/TLS certificates can be issued:

• Validation levels: Domain Validated (DV), Organization Validated (OV – with organization entry) and Extended Validated (EV – with organization entry plus additional features)

• Variants: single-domain, multi-domain (SAN) and wildcard

Email certificates of the types:

• Mailbox Validated (MV – email address only)

• (coming soon) Organization Validated (OV – email address plus organization entry)

• Sponsor Validated (SV – email address plus organization entry plus person as holder)

For Private Managed PKI see next FAQ.

A Private Managed PKI (also called PKI as a Service) means outsourcing the operation of your certificate infrastructure to a specialised provider while maintaining control over your certificate policies and issuance rules. Instead of running your own CA servers, HSMs, and certificate management software on premise, you access PKI capabilities through APIs and management interfaces.

The key difference: with an internal PKI, your team handles server maintenance, security updates, compliance audits, HSM management, and disaster recovery. With a Private Managed PKI, the provider handles infrastructure operations while you focus on certificate policies and integration. You get enterprise PKI capabilities without the operational overhead.

Like the standard Managed PKI the Private Managed PKI is best combined with a Certificate Lifecycle Management (CLM) solution.

The platform handles both publicly trusted certificates (from SwissSign's public CA) and private certificates for internal-only use cases:

• The standard SwissSign Managed PKI supports certificates for the Internet (see "What is a SwissSign Managed PKI?")

• The Private Managed PKI can issue any type of (X.509) certificate, e.g. SSL/TLS certificates for internal use, client certificates for user authentication or device certificates for IoT and industrial equipment

PKI automation uses protocols like ACME (Automatic Certificate Management Environment) to issue, renew, and revoke certificates without manual intervention. With ACME, your servers or devices communicate directly with the Certificate Authority (CA) to request certificates, prove domain ownership automatically, and receive certificates within seconds.

SwissSign's REST API provides additional flexibility for custom integrations, allowing you to manage certificates programmatically across your entire infrastructure. This eliminates manual CSR generation, reduces human error, and ensures smooth certificate renewal.

SwissSign MPKI integrates with leading certificate lifecycle management (CLM) platforms and enterprise tools through standard protocols. SwissSign also offers a proper full CLM, powered by innovative French company Evertrust.

Further integration options include:

• ACME protocol support for automated certificate workflows

• REST API for custom integrations and programmatic management

• Direct integration capabilities with major CLM vendors

Therefore, the platform supports certificate deployment across web servers, load balancers, API gateways, IoT devices, and container environment.

Certificate deployment varies by infrastructure type but follows automated workflows. For web servers and load balancers, ACME clients or Certificate Lifecycle Management tools - like our proper CLM - handle deployment directly. In Kubernetes and container environments, cert-manager or similar operators automate certificate injection - they can be integrated into a CLM. IoT devices use SCEP or custom API integration for bulk provisioning.

The key is establishing the initial connection between your infrastructure, the MPKI platform and the CLM - after that, certificate issuance, deployment, and renewal happen automatically based on your defined policies. Learn more about how Certificate Lifecycle Management works here.

The managed PKI service period is generally one year and automatically renews for another year if the contract is not cancelled. If the contract is cancelled, any active certificates will be withdrawn ("revoked") as of the cancellation date.

You can obtain as many certificates as you need. If you have issued more certificates than were included in the pre-invoice, you will receive a post-invoice based on the number of active certificates as of the yearly renewal date of your contract.

Your first contract year: You will receive a pre-invoice that takes into account all available discounts. The higher your annual turnover, the lower the price per certificate. This order amount forms the basis for the price to be paid.

You can also issue more certificates than you have ordered. You will then receive a post-invoice based on the number of active certificates as of the yearly renewal date of your contract. This new order amount will then form the new basis for the following annual pre-invoice.

Basically, the higher your annual turnover, the lower the price per certificate. Up to an annual turnover of 20,000 CHF / EUR, you can calculate and order your certificate prices including discounts directly on our ordering platform. If you need more certificates, please contact us and we will make you an attractive individual offer.

Three months before the end of your annual contract and its automatic renewal.