PKI as a service

Hello to all,
Does someone know about a good provider of PKI as a service in Europe (don’t want to hear about Entrust, GlobalSign or others)?

Thank you,

I have tried two European ones who ended up being GlobalSign resellers to get S/MIME email signing and I am not happy with any of them.

Funny, isn’t it?
In France we have 2 french providers at least:
Nexus which is the brand name for the PKI service of Imprimerie Nationale (renamed IN a few years ago) ;
CertEurope which is an eIDAS-compliant USB sticks provider.
But no one answers: typical behaviour in France. :rage:
That’s why I’m looking from provider from another country: Germany, Italy for example.

Thank you for your information.
I’m carrying on,

What are you looking for exactly?

I was looking for S/MIME certificates (very bad situation) but I also have two qualified digital signature cards, one from Estonia (so-called e-Residency, very recommended) and one from Poland (Eurocert) - they are fine.

A typical PKI as a service from which devices can retrieve, update their signed private/public keys using common protocols like SCEP, CMP and EST as well as a service that offers RA functions through a web portal.
Of course I know EJBCA, openxpki, DogTag or Boulder and, of course, even openssl but I do not want to be involved in management.
As you may know, PKI is 10 % technique and 90 % for the management.


I know one Swedish supplier for this, but I do not recommend them :frowning:

`step-ca` server ?
Yes not a provider but as I have been told a good wrapper. Iirc they offer also a managed hosted service… Maybe it’s an option?

Another option might be SSL Certificates, Electronic Signature, Code Signing: Certum . I don’t have enough experience with them (yet) to recommend or not recommend them. At least they are cheaper than many others.

Interesting. I didn’t know about them.
Thank you for the reference.
Above all we have " * Issue short-lived SSH certificates via OAuth OIDC single sign on."
But, there is no support for self-retrieved certificates using something like CMP or EST.
That’s essentially based upon ACME.

  • Very limited options for active revocation (CRL, OCSP)
  • Very limited options for legacy CA protocols