Running your own PKI is expensive. An offline Root CA needs an HSM ($30K-$100K), a secure room, key ceremony procedures, and trained staff. An online Issuing CA needs high availability, CRL publication, OCSP responders, and 24/7 monitoring. Certificate templates need design. Policies need documentation. Audits need evidence.
PKI as a Service (PKIaaS) offloads all of this to a managed provider. You define what certificates you need. The provider operates the CA infrastructure — HSMs, availability, compliance, ceremonies, and operations. You get certificates via API or automation without managing the underlying CA.
What PKIaaS Actually Provides
| Component | Self-Managed PKI | PKIaaS |
|---|---|---|
| Root CA | You buy HSM, run ceremony, store offline | Provider operates (or you bring your own Root) |
| Issuing CA | You deploy, configure, maintain HA | Provider operates with SLA |
| HSM | You procure, manage, firmware-update | Provider manages (FIPS 140-2 Level 3) |
| CRL/OCSP | You publish, monitor availability | Provider handles |
| Certificate templates | You design and configure | You define via API/portal, provider enforces |
| Compliance | You achieve WebTrust/ETSI yourself | Provider is pre-audited |
| Availability | You build HA (multi-node, DR) | Provider guarantees SLA (99.9%+) |
| Scaling | You add capacity as volume grows | Provider scales automatically |
| Monitoring | You build dashboards and alerts | Provider monitors CA health |
What you still own:
- Certificate lifecycle management (discovery, renewal, deployment)
- Policy decisions (who can request what)
- Trust distribution (getting the CA cert into your trust stores)
- Application integration (how your apps use certificates)
PKIaaS Providers
| Provider | Type | Best For | Pricing Model |
|---|---|---|---|
| AWS Private CA | Cloud-native | AWS-centric organizations | $400/mo + $0.75/cert |
| Google CAS | Cloud-native | GCP-centric organizations | Per-cert + per-operation |
| Azure Managed HSM + Key Vault | Cloud-native | Azure-centric | Per-operation |
| DigiCert ONE | Enterprise platform | Large enterprises, multi-CA | Enterprise pricing |
| Keyfactor EJBCA SaaS | Managed open-source | Compliance-heavy, multi-protocol | Enterprise pricing |
| Sectigo Certificate Manager | Enterprise platform | Mid-market, multi-CA | Per-cert pricing |
| Smallstep Hosted | Developer-focused | DevOps teams, SSH + X.509 | Usage-based |
| Venafi as a Service | Enterprise platform | Machine identity management | Enterprise pricing |
When PKIaaS Makes Sense
Use PKIaaS When:
- No PKI expertise in-house — you don’t have (or want) dedicated PKI administrators
- Speed matters — need a CA running in hours, not months (procurement + setup)
- Compliance without effort — provider is already WebTrust/SOC 2 audited
- Variable volume — certificate issuance fluctuates (pay-per-cert vs fixed infrastructure cost)
- Multi-cloud — need certificates across AWS + Azure + GCP without separate CAs in each
- No HSM budget — HSMs cost $30K-$100K; PKIaaS includes HSM-backed key storage
Keep Self-Managed PKI When:
- Regulatory requirement — some regulations require keys within your physical control
- Air-gapped environments — no network connectivity to a cloud service
- Extreme volume — issuing millions of certs/day (cost becomes prohibitive with per-cert pricing)
- Full control needed — you need to customize every aspect of CA behavior
- Existing investment — you already have HSMs, trained staff, and working infrastructure
The Hybrid (Most Common)
```text
Self-managed Root CA (offline, HSM, your physical control)
        ↓ signs
PKIaaS Issuing CA (managed, HA, API-driven, scales automatically)
        ↓ issues
Certificates for your workloads (servers, containers, devices, users)
```
You keep the trust anchor (Root CA) under your control. The operational burden (Issuing CA) is offloaded to the provider. Best of both worlds.
AWS Private CA (Most Popular Cloud PKIaaS)
```bash
# Create a private (subordinate) Issuing CA in minutes
aws acm-pca create-certificate-authority \
  --certificate-authority-type SUBORDINATE \
  --certificate-authority-configuration \
  "KeyAlgorithm=EC_prime256v1,SigningAlgorithm=SHA256WITHECDSA,\
Subject={CommonName='My Issuing CA',Organization='My Org'}"
# A SUBORDINATE CA cannot issue until its CSR is signed by the parent (your Root CA
# in the hybrid model) and the signed certificate is imported; file names are examples
aws acm-pca get-certificate-authority-csr \
  --certificate-authority-arn arn:aws:acm-pca:us-east-1:123:certificate-authority/abc \
  --output text > issuing-ca.csr
# ... sign issuing-ca.csr with the Root CA, then:
aws acm-pca import-certificate-authority-certificate \
  --certificate-authority-arn arn:aws:acm-pca:us-east-1:123:certificate-authority/abc \
  --certificate fileb://issuing-ca.pem \
  --certificate-chain fileb://root-ca.pem
# Issue a certificate (async: returns the certificate ARN; fetch the PEM with get-certificate)
aws acm-pca issue-certificate \
  --certificate-authority-arn arn:aws:acm-pca:us-east-1:123:certificate-authority/abc \
  --csr fileb://server.csr \
  --signing-algorithm SHA256WITHECDSA \
  --validity Value=365,Type=DAYS
# Integrates with: cert-manager, ACM, IoT Core, EKS
# HSM-backed (FIPS 140-2 Level 3)
# Auto-scales to any volume
```
Cost reality: $400/month per CA + $0.75 per certificate. At 1,000 certs/month = $1,150/month. At 10,000 certs/month = $7,900/month. At high volumes, self-managed becomes cheaper.
Evaluating a PKIaaS Provider
Questions to Ask
Security:
- What FIPS level are the HSMs? (Level 3 minimum for CA keys)
- Can I bring my own Root CA? (or am I locked to their Root?)
- Who has access to my CA’s private key? (answer should be: nobody, including the provider)
- What happens if the provider is compromised?
Operations:
- What’s the SLA for certificate issuance? (should be 99.9%+)
- What’s the issuance latency? (should be <5 seconds for automated requests)
- How is HA/DR handled? (multi-region? automatic failover?)
- What protocols are supported? (ACME, EST, SCEP, CMP, REST API?)
Integration:
- Does it work with cert-manager? (Kubernetes)
- Does it support ACME? (standard automation)
- Is there a REST API? (custom integration)
- Does it integrate with my cloud provider natively?
Compliance:
- Is the provider WebTrust audited? (required if issuing publicly-trusted certs)
- Is there SOC 2 Type II? (required for enterprise procurement)
- Can I get audit evidence for MY compliance needs? (issuance logs, policy enforcement)
Cost:
- Per-CA fee? Per-certificate fee? Per-operation fee?
- What’s the cost at my expected volume? (model 1x, 5x, 10x growth)
- Are there volume discounts?
- What’s the cost of the equivalent self-managed setup? (compare TCO)
Lock-in:
- Can I export my CA’s private key? (usually no — plan for this)
- Can I migrate to another provider? (requires new CA, re-issuance)
- What happens if I leave? (certificates remain valid until expiry, but no new issuance)
PKIaaS vs CLM: They’re Different Things
A common point of confusion: PKIaaS and Certificate Lifecycle Management (CLM) are often conflated, but they are complementary, not competing.
| | PKIaaS | CLM |
|---|---|---|
| What it does | Operates the CA (issues certificates) | Manages certificates after issuance |
| Scope | Certificate Authority infrastructure | Discovery, monitoring, renewal, deployment |
| Analogy | The factory that makes certificates | The logistics that deliver and track them |
| You need both | PKIaaS issues certs | CLM ensures they’re deployed, monitored, renewed |
A PKIaaS provider gives you a CA. A CLM platform ensures the certificates from that CA (and other CAs) are properly managed across your infrastructure.
Migration to PKIaaS
From Microsoft AD CS
Phase 1: Deploy PKIaaS Issuing CA (signed by your existing AD CS Root)
Phase 2: New certificate requests → PKIaaS
Phase 3: Existing certs renewed from PKIaaS (as they approach expiry)
Phase 4: Decommission AD CS Issuing CA (keep Root for chain validation)
From Self-Managed Open-Source CA (EJBCA, Vault)
Phase 1: Create PKIaaS CA (signed by your existing Root)
Phase 2: Update cert-manager/automation to point to new CA
Phase 3: Existing certs renewed from PKIaaS
Phase 4: Decommission old Issuing CA
Key principle: Keep your Root CA. Only migrate the Issuing CA. This avoids trust store redistribution (the hardest part of any CA migration).
FAQ
Q: Is PKIaaS only for private certificates? A: Mostly yes. PKIaaS providers issue private certificates (trusted within your organization). For publicly-trusted certificates (trusted by browsers), you still use public CAs (DigiCert, Let’s Encrypt, Sectigo). Some providers (DigiCert ONE, Sectigo SCM) offer both public and private issuance in one platform.
Q: What if the PKIaaS provider goes down? A: Existing certificates continue working (they’re already deployed). New issuance fails until the provider recovers. Mitigations: choose a provider with multi-region HA, keep certificates with sufficient remaining validity (don’t cut it close), and have a backup issuance path for emergencies.
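One concrete form of the "don't cut it close" mitigation above, added here as an example rather than taken from the article: a renewal-window check built on `openssl x509 -checkend`, run over a directory of certificates so that a provider outage is not discovered on the day something expires. The sample certificates are generated locally, and the 30-day window, directory layout and file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): flag certificates whose
# remaining validity is inside a renewal window. Sample certificates are
# constructed locally; the window and file names are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# needs_renewal CERT DAYS: prints "renew" if CERT expires within DAYS days, else "ok".
# openssl -checkend SECONDS exits non-zero when the certificate expires within SECONDS.
needs_renewal() {
  local cert="$1" days="$2"
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    echo ok
  else
    echo renew
  fi
}

# scan_certs DIR DAYS: list every *.crt under DIR that is inside the renewal window.
# Returns 0 when nothing is due, 1 when at least one certificate needs renewal,
# so it can drive a cron job or a CI gate.
scan_certs() {
  local dir="$1" days="$2" due=0 f
  for f in "$dir"/*.crt; do
    [ -f "$f" ] || continue
    if [ "$(needs_renewal "$f" "$days")" = renew ]; then
      echo "RENEW: $f ($(openssl x509 -in "$f" -noout -enddate))"
      due=1
    fi
  done
  return "$due"
}

# make_sample NAME DAYS: constructed self-signed certificate valid for DAYS days.
make_sample() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days "$2" \
    -subj "/CN=$1.internal.example" 2>/dev/null
}
make_sample soon-expiring 10   # about 10 days left: inside a 30-day window
make_sample healthy 300        # about 300 days left: outside it

# A 30-day window is a common renewal trigger (cert-manager's renewBefore, for example).
scan_certs "$WORK" 30 || echo "at least one certificate is inside the renewal window"
```

Pick the window so that it covers the provider's worst plausible recovery time plus your own deployment lead time; a window that only just exceeds the SLA leaves nothing in reserve.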
Q: Can I use PKIaaS for IoT device certificates? A: Yes — this is a primary use case. AWS Private CA integrates with IoT Core for device provisioning. Google CAS integrates with Cloud IoT. The per-cert pricing model works well for IoT (many certs, low individual value).
Q: Is PKIaaS more secure than self-managed? A: Depends on your team’s expertise. A well-managed self-hosted CA with HSMs and proper procedures is equally secure. But most organizations don’t have dedicated PKI staff — and a poorly-managed self-hosted CA (software keys, no HA, no monitoring) is less secure than a properly-operated PKIaaS.
Q: What about vendor lock-in? A: It’s real. CA private keys in PKIaaS are non-exportable. If you leave the provider, you create a new CA and re-issue all certificates. Mitigation: keep your Root CA self-managed (portable). Only the Issuing CA is in PKIaaS — replaceable without changing trust stores.