CLM Orchestration That Actually Works
PKIFactor is a pure orchestrator. It doesn't issue certificates. It orchestrates your existing PKIs (ADCS, ZetaCA, Vault) to automate every issuance, renewal, and revocation.
Loading
Language
Govern every PKI.
PKIFactor connects to every certificate authority and orchestrates them from a single platform. Regardless of the CA. One governance layer. Zero blind spots.
Available for proof of concept and integration projects.
Lifecycle
Four steps. Nothing slips through.
From request to revocation, every certificate is tracked, governed and automated.
1
Request
Submit via portal, API or ACME / EST / SCEP / CMP protocol. Multi-level approval before issuance.
2
Issuance
Certificate issued by the CA of your choice. Template, algorithm and validity applied automatically.
3
Renewal
Automatic renewal before expiration. Alerts, scoring and audit at every rotation.
4
Revocation
Immediate revocation with CRL/OCSP propagation. Full traceability in the audit trail.
1
Request
Submit via portal, API or ACME / EST / SCEP / CMP protocol. Multi-level approval before issuance.
2
Issuance
Certificate issued by the CA of your choice. Template, algorithm and validity applied automatically.
3
Renewal
Automatic renewal before expiration. Alerts, scoring and audit at every rotation.
4
Revocation
Immediate revocation with CRL/OCSP propagation. Full traceability in the audit trail.
Problem3 PKIs. 100k+ certificates.0 visibility.
Manual management is a ticking time bomb
Solution
Total governance.
One platform. Every certificate under control.
ADCS
Public
Private
Cloud
How it works
PKIFactor connects to any certificate authority. Provide the cryptographic endpoints and PKIFactor orchestrates the rest: lifecycle, policies, audit, renewals.
PKIFactor
CLM Orchestrator
ACME / EST / SCEP / CMP / API
ZetaCA
ADCS
Vault
Other CAs
One platform to govern every certificate, across every certificate authority.
01Centralization & Automation
pkifactor://profiles/active
Certificate Profiles
Define issuance parameters and policies
Name
PKI
ACME
Status
Internal mTLS
Vault PKI Engine
vault - CA: pki_int
Enabled
Active
IoT Device Identity
Vault PKI Engine
vault - CA: pki_int
Disabled
Active
Code Signing
EJBCA Community
ejbca - CA: MgmtCA
Disabled
Draft
Wildcard Certificate
Microsoft ADCS
adcs - CA: Corp-SubCA
Enabled
Active
New Certificate Profile
Web Server Production
Vault PKI Engine
RSA 4096
Enable ACME
Allow Wildcards
02Governance & Compliance
Continuous Audit. Zero Gaps.
Every action logged. Every policy enforced. Real-time alerts on compliance violations. No certificate escapes your governance.
pkifactor://governance/audit-trail
Audit Trail
Real-time governance and compliance logging
Range: Last 24h
System Agent
Auto-Renewal Success *.app.internal.io
Alice Chen (DevOps)
New Certificate Request api.staging.com
Policy Engine
Compliance Violation Blocked wildcard-prod.key
Policy WarningID: #REQ-9281
Wildcard Certificate Request
Requested by frontend-team
Violation: Wildcard certificates are unrestricted in Production environment. Manual approval is required by SecOps.
Common Name
*.pki.io
Key Type
ECDSA P-256
PKIFactor
Dashboard
Certificates
Trust Chains
New Request
Infrastructure
Profiles
PKI Connectors
Key Stores
PQC Transition
Crypto Inventory
System
Users
Audit Trail
SIEM
Settings
Logout
Dashboard
J
1,284
Total Certificates
1,147
Active
23
Expiring < 90d
4
Connectors
PKI Connectors
Microsoft ADCS
Connected
HashiCorp Vault
Connected
EJBCA
Connected
Sectigo SCM
Syncing
Certificates Expiring Soon
monitoring.internal
2 daysdicom.health.corp
4 dayspatient-portal.prod
9 daysapi-gateway.internal
21 daysmail.corp.local
34 daysProtocols & Capabilities
ACME (RFC 8555)
Fully automated certificate issuance
EST (RFC 7030)
Secure enrollment for IoT and mobile devices
SSO / OIDC
Enterprise identity federation out of the box
Post-Quantum (PQC)
Hybrid and quantum-resistant certificate models
KMS Encryption
Hardware-backed key management and envelope encryption
Public Certificate Authorities
Direct integration with major public certificate authorities
Native Connectors & Integrations
PKIFactor natively integrates with your certificate authorities, protocols and existing infrastructure.
Certificate Authorities
- Microsoft ADCS
- EJBCA
- Sectigo
- DigiCert
- Let's Encrypt
- GlobalSign
Protocols
- ACME v2
- EST
- REST API
Security & HSM
- PKCS#11
- Utimaco CryptoServer
- TPM 2.0
- KMIP
Infrastructure
- HashiCorp Vault
- Kubernetes
- LDAP / AD
- SIEM
Technology Partnership
PKIFactor & Utimaco
Hardware vault for the keys of every certificate you orchestrate.
ZetaCert
×
PKIFactor relies on Utimaco u.trust GP HSMs (CryptoServer firmware) as a KMS-grade backbone via PKCS#11 R3, for the generation, storage and rotation of the keys behind every orchestrated certificate. Private keys stay in hardware, never exposed in memory, and managed centrally regardless of which Certificate Authority is in use.
HSM-native generation
Keys for certificates issued via PKIFactor are generated directly inside the Utimaco HSM, never in application memory.
Centralized custody
All keys reside in a single hardware vault. End of key sprawl across endpoints.
Automated rotation
PKIFactor orchestrates large-scale key rotation without manual intervention, with guaranteed service continuity.
Cryptographic auditability
Every key operation (generation, signing, rotation) is logged by the HSM. Audit and compliance ready out of the box.
Built for every security stakeholder
Use Case 01
DevOps & Cloud Architects
Certificates on demand via API and ACME. Kill the manual tickets. Embed PKI directly into your CI/CD pipelines.
API-First Architecture
ACME & EST Protocols
Full REST API (60+ endpoints)
CI/CD Pipeline Compatible
PKIFactor Editions
Stop enduring your PKI. Choose your level of control.
Starter to evaluate. Enterprise for production. Quantum to stay ahead of the quantum threat.
Compare EditionsAvailable for proof of concept and integration projects.