What is Futurex Enterprise Certificate Authority?

Digital communication is a staple of the modern business world, and as such, that communication often involves sensitive data. Businesses must protect this data by building a strong framework for safe communication, typically through building and expanding a robust public key infrastructure (PKI) to secure devices, documents, emails, and users. The KMES Series 3 does just this, serving organizations as an Enterprise Certificate Authority. The diverse functionality and integration capabilities of a PKI infrastructure built with Futurex technology includes a wide-ranging number of use cases including: certificate management, Certificate/CA Management, the Certificate Lifecycle, Windows Client Certificate Enrollment (WCCE), Registration Authority (RA), OCSP/Online CRL, SCEP, Authentication (Local, LDAP), Automation, Third Party CA Integration, and more, which can all be implemented with the Futurex KMES Series 3.

What is a public key infrastructure (PKI)?

A public key infrastructure, often referred to by its acronym PKI, is the most secure solution for ensuring that shared data is only accessible by authorized recipients. A PKI uses a key pair (a public and private key) to encrypt and decrypt data, through asymmetric encryption. The public key can be widely distributed without fear of exposing sensitive data because the public is either protecting data or verifying the signature of authenticity of data. The private key must be kept secure as it is used to decrypt the data or signing the authenticity of the data. When users or devices wish to communicate securely, they begin by exchanging public keys. Each party uses the public key they received to encrypt the message, then sends that encrypted value to the other person. Once that value is received, it is decrypted with the corresponding private key. This process allows for information to be shared easily while maintaining full security, because if the message falls into the wrong hands, it cannot be read.

What are the certificate authority capabilities?

It is recommended that organizations who elect a self-managed PKI support a hierarchical PKI deployment. This allows organizations to more easily expand the infrastructure to support future scenarios. The hierarchy consists of an Offline Root CA and Issuing CA(s). The KMES Series 3 supports both roles, managing certificate trees, private keys, signing requests, and more. It integrates with tools like Venafi for enhanced machine identity protection and supports USB Backup HSMs for secure key backups.

What is Registration Authority (RA)?

A registration authority (RA) is a subset of a certificate authority (CA) and is responsible for verifying certificate signing requests. It validates the requester’s identity and forwards approved requests to the CA for certificate issuance. This structure supports secure, scalable certificate management within PKI environments.

How do CAs and RAs work together?

RAs verify users’ identities and forward certificate requests to the CA. The CA then signs and issues the certificates. This separation of duties enhances security and scalability in enterprise PKI implementations.

What is Online Certificate Status Protocol (OSCP)/Online CRL?

Part of the certificate lifecycle is the revocation of certificates. Revocation or deletion of certificates, prior to their expiration date, is necessary for a number of reasons: if a certificate is compromised, if user privileges change, or if there is a cease of operations. A certificate authority manages this process through certificate revocation lists (CRLs). A common alternative is the Online Certificate Status Protocol (OCSP), a web-based protocol used to manage CRLs and revoke keys and certificates in real time. OCSP responses are smaller and faster than CRLs. Futurex's KMES Series 3 integrates OCSP within the HSM itself to eliminate risks of relying on third-party OCSP servers.

Does Futurex support third-party certificate authority integration?

Yes. Futurex supports integration with third-party CAs via its Registration Authority (RA). This includes approving, revoking, or resigning certificate requests, and importing third-party CA roots. The KMES Series 3 uses Cloud Credentials to authenticate with external CA APIs while maintaining FIPS 140-2 Level 3 validation and audit capabilities.

What is a certificate authority (CA)?

A certificate authority (CA) issues, manages, and signs digital certificates to authenticate users, devices, and systems. It creates a chain of trust using asymmetric cryptography and X.509 certificates. The Futurex KMES Series 3 functions as a CA, generating and managing certificates using secure cryptographic modules validated to PCI HSM and FIPS 140-2 Level 3 standards.

Can you explain the Certificate Lifecycle?

The certificate lifecycle includes creating, issuing, renewing, revoking, and expiring certificates. Futurex's KMES Series 3 manages this lifecycle using X.509 profiles and domain name templates, allowing fine-grained control over certificate fields like OID, syntax, and values.

What is Windows Client Certificate Enrollment (WCCE)?

WCCE is a Microsoft protocol for requesting, issuing, and managing certificates in Active Directory environments. Futurex integrates WCCE into the KMES Series 3, enabling secure issuance and lifecycle management of certificates directly through the HSM using PKCS12 and PKCS11 standards, autoenrollment, and approval workflows.

How is Futurex RA functionality accessed?

Futurex RA functionality is available via GUI, web portal, and API. These interfaces allow admins to manage CSRs, RA entities, and X.509 templates securely. Admins can approve or deny requests and download signed certificates in .pem or .der formats.

How can registration authority (RA) benefit enterprise-level organizations?

An RA provides a centralized, secure way to manage certificate requests, reducing administrative overhead while maintaining security. By coexisting with the CA on the KMES device, RAs streamline operations with intuitive interfaces and built-in automation.

What is Simple Certificate Enrollment Protocol (SCEP)?

SCEP is a protocol developed by Cisco to enroll network devices with certificates, using a password and request format translation. Although it has known security weaknesses (e.g., VU#971035), Futurex mitigates these risks by implementing SCEP securely within its HSM boundary and requiring multi-admin approval workflows.

What can an enterprise certificate authority do for my organization?

An enterprise CA can manage the entire lifecycle of digital certificates and cryptographic keys, securing users, devices, and communication. Futurex’s KMES Series 3 supports a wide range of CA features including SCEP, WCCE, OCSP, third-party CA integration, and lifecycle automation with standards-based APIs and interfaces.

PKI and Certificate Authority Solutions

Own your PKI. Trust your infrastructure.

CryptoHub delivers a complete, hardware-backed Public Key Infrastructure platform that combines certificate authority services, automated enrollment, and end-to-end certificate lifecycle management in a single, FIPS 140-3 Level 3 validated solution. Whether you're securing enterprise identities, DevOps pipelines, or millions of IoT devices, CryptoHub gives your organization the cryptographic foundation to build on.

Hardware-backed PKI root of trust

Root CA, Issuing CA, and Registration Authority in one platform

Automated enrollment through ACME, SCEP, and EST

Certificate Lifecyle management with CRL and OCSP support 1

Certificate lifecycle management with CRL and OCSP support

140-3 Level 3 (in progress) validated HSM protection

FIPS 140-3 Level 3 validated HSM protection

What Is CryptoHub PKI?

Public Key Infrastructure (PKI) is the backbone of digital trust. It is the system of hardware, software, policies, and standards that creates, manages, distributes, and revokes the digital certificates that secure your organization's data and communications.

CryptoHub serves as a complete PKI platform; it is your Certificate Authority (CA), Registration Authority (RA), and certificate management hub in one.

It supports the full certificate lifecycle that will:

generate key pairs
issue X.509 certificates
enforce issuance policies
automate enrollment across devices and services
publish revocation information through CRLs and OCSP

Unlike software-only PKI solutions, CryptoHub anchors every cryptographic operation in FIPS 140-3 Level 3 validated hardware security modules (HSMs) that will ensure your root of trust is never exposed. Flexible deployment options support on-premises, cloud, and hybrid environments, while a rich REST API and support for industry-standard protocols make integration seamless across any technology stack.

Why Futurex for PKI and Certificate Authority?

PKI programs often depend on aging software CAs, fragmented enrollment workflows, separate certificate management tools, and manual approval processes. This creates weak visibility into certificate status, inconsistent policy control, and heavier audit preparation across enterprise, DevOps, network, and IoT environments.

Futurex CryptoHub consolidates Root CA, Issuing CA, Registration Authority, enrollment protocols, code signing, certificate lifecycle management, revocation services, and API-driven automation into one hardware-backed PKI platform.

Every CryptoHub PKI deployment is anchored in FIPS 140-3 Level 3 validated HSM hardware. CA root keys and private key material are generated and stored within the hardware boundary, with no plaintext key exposure outside the HSM.

CryptoHub also provides the operational controls required for enterprise PKI administration: certificate templates, DN profiles, PKI signing approvals, X.509 v3 extension permissions, REST API coverage, audit logs, and support for on-premises, cloud, and hybrid deployment models.

Key Pair Generation

Generate certificate key material within FIPS 140-3 Level 3 validated HSM hardware to protect private keys from exposure outside the hardware boundary.

Certificate Issuance

Issue X.509 certificates using defined certificate templates, DN profiles, certificate chains, and policy controls.

Policy Enforcement

Govern certificate issuance through PKI signing approvals, X.509 v3 extension permissions, and Registration Authority workflows.

Automated Enrollment

Support automated certificate enrollment through ACME, SCEP, and EST for web servers, DevOps toolchains, network devices, IoT endpoints, and modern infrastructure.

Renewal and Export

Manage certificate renewal and export from a central platform with visibility into certificate status and expiration.

Revocation

Revoke certificates through built-in certificate revocation list management and OCSP responder support.

Status Publication

Publish certificate status through CRLs and OCSP so relying systems can validate certificate trust.

API-Driven Automation

Every PKI function is accessible through CryptoHub's RESTful API, enabling seamless integration with DevSecOps pipelines, certificate management platforms (including Kubernetes cert-manager), identity providers, and enterprise automation tooling. Programmatic control means certificates are provisioned, renewed, and revoked on-demand without manual intervention.

Hardware-Backed Security (HSM)

All private key material — including CA root keys — is generated and stored exclusively within FIPS 140-3 validated HSM hardware. Keys never exist in plaintext outside the hardware boundary. CryptoHub's HSM foundation provides the highest assurance root of trust available, critical for organizations operating under strict compliance frameworks.

Why is Futurex PKI and CA Different?

Hardware security as the standard, not an add-on. Every CryptoHub PKI deployment is anchored in FIPS 140-3 Level 3 validated HSM hardware. Competitors like Keyfactor and DigiCert PKI often treat HSM integration as an optional enterprise upgrade. With CryptoHub, HSM-backed key protection is the baseline, not a premium tier.

One platform, full PKI stack. CryptoHub consolidates Root CA, Issuing CA, Registration Authority, enrollment protocols (ACME/SCEP/EST), code signing, and certificate lifecycle management in a single system. Microsoft ADCS requires significant infrastructure investment and third-party tooling to achieve comparable functionality, and still lacks native HSM key management.

Built for scale and automation. CryptoHub's API-first architecture and protocol breadth (ACME, SCEP, EST, REST) are designed for modern DevSecOps and IoT scale. Organizations that have outgrown ADCS or rigid SaaS PKI platforms consistently cite CryptoHub's depth of automation and throughput as decisive advantages.

18+ years of cryptographic heritage. Futurex has delivered enterprise encryption and key management solutions to thousands of organizations across financial services, healthcare, retail, and government. CryptoHub PKI is built on that foundation, with the support, certifications, and track record that critical infrastructure demands.

Crypto-Agility and PKI Readiness

PKI teams need the ability to manage changing certificate, protocol, and algorithm requirements without rebuilding their certificate authority environment around separate tools.

CryptoHub supports RSA, ECC/ECDSA, SHA-2, SHA-3, and Post-Quantum Cryptography readiness. It also supports standards-based certificate operations through X.509 v3, PKCS#10, PKCS#11, PKCS#12, ACME, SCEP, EST, CRLs, OCSP, S/MIME, and Windows Client Certificate Enrollment.

For enterprise PKI teams, this provides a standards-based foundation for current certificate operations and future cryptographic planning across internal PKI, DevOps, IoT, mTLS, and regulated environments.

Hardware Root of Trust for PKI

PKI depends on protecting CA private keys, certificate signing keys, and trust anchors. If those keys are exposed, the certificate authority loses its ability to establish a trusted identity.

CryptoHub anchors PKI operations in FIPS 140-3 Level 3 validated HSM hardware. All private key material, including CA root keys, is generated and stored exclusively within the HSM hardware boundary. Keys never exist in plaintext outside that boundary.

Hardware-backed PKI provides:

Protected CA root keys
HSM-backed certificate signing operations
Tamper-resistant private key storage
Role-based access controls
Audit records for certificate operations
Hardware key protection for regulated environments

This architecture provides organizations with a hardware-based foundation for certificate authority operations, automated enrollment, code signing, revocation, and compliance review.

PKI and Certificate Authority Capabilities

CryptHub provides the core functions required to operate enterprise PKI at scale, with lifecycle controls that carry certificates from creation through renewal, revocation, and export. Teams can monitor certificate status and expiration, standardize issuance with templates and DN profiles, and require PKI signing approvals for sensitive operations. CA root keys and private key material remain generated and stored inside FIPS 140-3 Level 3 validated HSM hardware, with plaintext keys contained within the hardware boundary.

Automated Enrollment via ACME, SCEP & EST

Eliminate manual certificate provisioning with support for industry-standard enrollment protocols. ACME (RFC 8555) enables automated issuance for web servers and DevOps toolchains. SCEP simplifies bulk enrollment for network devices and IoT endpoints. EST (RFC 7030) provides secure, TLS-authenticated enrollment for modern infrastructure, all natively supported on CryptoHub.

Code Signing

Issue and manage code signing certificates backed by HSM-protected private keys. CryptoHub integrates with Microsoft SignTool, GitLab CI/CD pipelines, and other signing workflows to ensure software artifacts are cryptographically authenticated and tamper-evident from build to deployment.

Revocation & Compliance

Maintain a trustworthy PKI with built-in certificate revocation list (CRL) management and OCSP responder support. Comprehensive audit logging captures every certificate operation issuance, renewal, revocation, and export to provide the tamper-evident records required for regulatory compliance and security audits.

Root & Issuing Certificate Authority

Build a complete PKI hierarchy with CryptoHub acting as your offline Root CA and online Issuing CA. Define certificate chains, manage trust anchors, cross-sign intermediate CAs, and maintain full control over the policies that govern every certificate issued in your organization.

Registration Authority & Approval Workflows

Offload identity validation from your CA with CryptoHub's built-in Registration Authority. Define approval workflows for certificate signing requests, manage X.509 v3 extension permissions, support anonymous enrollment roles, and automate web server RA functions that are all configurable without custom code.

API-Driven Automation

Every PKI function is accessible through CryptoHub's RESTful API, which enables seamless integration with DevSecOps pipelines, certificate management platforms (including Kubernetes cert-manager), identity providers, and enterprise automation tooling. Programmatic control means certificates are provisioned, renewed, and revoked on-demand without manual intervention.

Zero Trust & mTLS

Build a Zero Trust architecture on a foundation of hardware-rooted identity. CryptoHub issues and manages the client and server certificates that power mutual TLS (mTLS) across your service mesh, API gateways, and network infrastructure — ensuring every connection is authenticated and every identity is verifiable.

Compliance & Regulated Industries

Meet the stringent PKI requirements of financial services, healthcare, government, and critical infrastructure with a FIPS 140-3 validated platform. CryptoHub's immutable audit logs, role-based access controls, and hardware key protection align with PCI DSS, HIPAA, FedRAMP, and Common Criteria compliance mandates.

Enterprise Internal PKI

Replace Microsoft ADCS or an aging software CA with a purpose-built, hardware-anchored PKI platform. CryptoHub manages employee, server, and device certificates across your organization with centralized policy enforcement, automated renewal, and full audit trails that reduce operational risk and administrative overhead.

Offline Root CA

Protect CA root keys in an air-gapped offline Root CA model with HSM-backed key storage and controlled trust-anchor operations.

Learn More >

Issuing CA

Operate online Issuing CA services for certificate issuance, policy enforcement, certificate chains, enrollment workflows, and revocation services.

Learn More >

IoT Device Certificate Provisioning

Scale certificate issuance to millions of devices using SCEP and automated enrollment workflows. CryptoHub's high-throughput architecture and hardware security ensure every device receives a unique, policy-governed certificate that enables strong mutual authentication and encrypted communications from the factory floor to the field.

Learn More >

DevOps & Code Signing

Integrate certificate issuance and code signing directly into CI/CD pipelines. CryptoHub's ACME support and REST API enable development teams to automatically obtain short-lived certificates for microservices and containers, while HSM-backed code signing certificates protect software supply chains end-to-end.

Learn More >

Zero Trust & mTLS

Build a Zero Trust architecture on a foundation of hardware-rooted identity. CryptoHub issues and manages client and server certificates that power mutual TLS (mTLS) across your service mesh, API gateways, and network infrastructure, ensuring every connection is authenticated, and every identity is verifiable.

Compliance & Regulated Industries

Meet the stringent PKI requirements of financial services, healthcare, government, and critical infrastructure with a FIPS 140-3 Level 3 validated platform. CryptoHub's immutable audit logs, role-based access controls, and hardware key protection align with PCI DSS, HIPAA, FedRAMP, and Common Criteria compliance mandates.

PKI Architecture

Enterprise PKI architecture must connect CA hierarchy, enrollment protocols, certificate lifecycle management, revocation services, HSM protection, and enterprise integrations.

A typical CryptoHub PKI architecture includes:

CryptoHub as Certificate Authority, Registration Authority, and certificate management hub
FIPS 140-3 Level 3 validated HSM hardware as the PKI root of trust
Offline Root CA and online Issuing CA support
Certificate templates and DN profiles for issuance standardization
ACME, SCEP, and EST for automated enrollment
CRL management and OCSP responder support for certificate status validation
RESTful API coverage for automation and integration
Audit logging for certificate operations
On-premises physical appliances
Virtual appliances for cloud and on-premises deployment
VirtuCrypt cloud HSM-as-a-Service deployment
High-availability clustering and replication

Technical Highlights and Integrations

CryptoHub integrates with the systems that request, consume, validate, and automate certificates across enterprise environments.

Standards & Protocols

FIPS 140-3 Level 3 validated hardware security modules
X.509 v3 digital certificates (RFC 5280)
ACME protocol (RFC 8555) for automated certificate management
SCEP - Simple Certificate Enrollment Protocol
EST - Enrollment over Secure Transport (RFC 7030)
PKCS#10 Certificate Signing Requests
PKCS#11 cryptographic token interface
PKCS#12 certificate and key export format
Certificate Revocation Lists (CRL) and OCSP
S/MIME certificate support
Windows Client Certificate Enrollment (WCCE / ADCS templates)

Cryptographic Algorithms

RSA (2048, 3072, 4096-bit)
ECC / ECDSA (P-256, P-384, P-521)
SHA-2 and SHA-3 family hash algorithms
Post-Quantum Cryptography (PQC) readiness

Integration & APIs

RESTful API with full PKI coverage
KMIP key management interoperability
Kubernetes cert-manager integration
GitLab, Microsoft SignTool code signing integrations
Curity Identity Server integration
HashiCorp Vault PKI secrets engine compatibility

Deployment

On-premises physical appliances
Virtual appliances (cloud and on-prem)
VirtuCrypt cloud HSM-as-a-Service
High-availability clustering and replication
Air-gapped offline Root CA support

Compliance Support

CryptoHub PKI supports governance, audit review, and regulated-environment control through HSM-backed key protection, certificate operation logging, role-based access controls, and centralized PKI workflows.

CryptoHub provides:

FIPS 140-3 Level 3 validated hardware security modules
Audit logging for issuance, renewal, revocation, and export
Role-based access controls
Hardware key protection for CA root keys and private key material
Certificate templates and DN profiles for issuance standardization
PKI signing approvals for sensitive operations
CRL and OCSP support for certificate status validation

For financial services, healthcare, government, and critical infrastructure environments, CryptoHub aligns hardware key protection, audit logging, and access controls with PCI DSS, HIPAA, FedRAMP, and Common Criteria compliance mandates.

What is PKI?

Public Key Infrastructure is the system of hardware, software, policies, and standards used to create, manage, distribute, and revoke digital certificates.

What is a Certificate Authority?

A Certificate Authority issues and manages digital certificates that establish trusted identities for users, devices, applications, services, and systems.

How does CryptoHub support certificate lifecycle management?

CryptoHub supports certificate creation, issuance, renewal, revocation, export, status visibility, expiration visibility, CRL management, and OCSP responder services from a central platform.

What enrollment protocols does CryptoHub support?

CryptoHub supports ACME, SCEP, and EST for automated certificate enrollment across web servers, DevOps toolchains, network devices, IoT endpoints, and modern infrastructure.

How does HSM-backed PKI protect CA keys?

CryptoHub generates and stores CA root keys and private key material in FIPS 140-3 Level 3 validated HSM hardware. Keys never exist in plaintext outside the hardware boundary.

How does CryptoHub support certificate revocation?

CryptoHub supports built-in certificate revocation list management and OCSP responder support, allowing relying systems to validate certificate status.

PKI and Certificate Authority Solutions

What Is CryptoHub PKI?

Why Futurex for PKI and Certificate Authority?

Certificate Lifecycle

Key Pair Generation

Certificate Issuance

Policy Enforcement

Automated Enrollment

Renewal and Export

Revocation

Status Publication

API-Driven Automation

Hardware-Backed Security (HSM)

Why is Futurex PKI and CA Different?

Crypto-Agility and PKI Readiness

Hardware Root of Trust for PKI

PKI and Certificate Authority Capabilities

Automated Enrollment via ACME, SCEP & EST

Code Signing

Revocation & Compliance

Root & Issuing Certificate Authority

Registration Authority & Approval Workflows

API-Driven Automation

PKI Use Cases

Zero Trust & mTLS

Compliance & Regulated Industries

Enterprise Internal PKI

Offline Root CA

Issuing CA

IoT Device Certificate Provisioning

DevOps & Code Signing

Zero Trust & mTLS

Compliance & Regulated Industries

PKI Architecture

Technical Highlights and Integrations

Standards & Protocols

Cryptographic Algorithms

Integration & APIs

Deployment

Compliance Support

Featured Resources

CryptoHub PKI FAQ

What is PKI?

What is a Certificate Authority?

How does CryptoHub support certificate lifecycle management?

What enrollment protocols does CryptoHub support?

How does HSM-backed PKI protect CA keys?

How does CryptoHub support certificate revocation?

Ready to build a PKI you can trust?

Connect With Us