A private certificate authority issuing TLS, S/MIME, client, code-signing and document-signing certificates — with full Certificate Transparency through our own log, Kitsos Onyx.
Download and trust the Kitsos CA certificates below. All issuing CAs are signed by Kitsos Root CA 1; their revocation status is published in the Root CA 1 CRL at http://crl.pki.kitsos.net/root1.crl.
Trust anchor for the entire Kitsos PKI. Install this certificate to trust every Kitsos-issued certificate.
Issues TLS/HTTPS server certificates.
Issues S/MIME certificates for signed and encrypted email.
Issues certificates for digital document signatures.
Issues certificates for signing software, scripts and updates.
Issues client certificates for mutual-TLS authentication.
A second root anchored on RSA, cross-signed by Kitsos Root CA 1 for compatibility with clients that don't support elliptic-curve roots. Coming soon.
Kitsos Onyx is our own Certificate Transparency log. It accepts certificates exclusively from Kitsos root CAs. Every certificate we issue is logged and remains publicly auditable.
TLS server certificates are issued automatically via ACME. Every issued certificate is submitted to the Kitsos Onyx transparency log. The ACME directory endpoint is currently available to internal services only.