Service

Private CA.

A private certificate authority issuing TLS, S/MIME, client, code-signing and document-signing certificates — with full Certificate Transparency through our own log, Kitsos Onyx.

Certificate Authorities

Download and trust the Kitsos CA certificates below. All issuing CAs are signed by Kitsos Root CA 1; their revocation status is published in the Root CA 1 CRL at http://crl.pki.kitsos.net/root1.crl.

Kitsos Root CA 1
RootECDSA P-384
Download

Trust anchor for the entire Kitsos PKI. Install this certificate to trust every Kitsos-issued certificate.

KeyECDSA P-384 · sig. ECDSA-SHA384 Valid2026-03-31 → 2051-03-31 Issuerself-signed Serial793F0052E4EC7BB1598F6D978FF7019D448E1F3A SHA-2565E:15:BD:5B:8F:06:77:73:3B:F4:A2:31:6D:C1:88:EA:3F:69:FF:9D:B2:89:A0:45:86:12:3E:39:7E:1A:C7:95
Kitsos TLS CA G1
TLSECDSA P-384
Download

Issues TLS/HTTPS server certificates.

KeyECDSA P-384 · sig. ECDSA-SHA384 Valid2026-03-31 → 2036-03-31 IssuerKitsos Root CA 1 Serial6E7B0E06B7D78F4AE413BA623D3C019D44A56D4F SHA-256AC:19:BC:F0:10:48:DA:77:0D:1C:BF:8D:E8:14:2C:88:38:53:0C:7D:F5:D6:DC:26:2C:60:E2:65:DB:A7:45:EB CRLhttp://crl.pki.kitsos.net/root1.crl
Kitsos S/MIME CA G2
S/MIMERSA 4096
Download

Issues S/MIME certificates for signed and encrypted email.

KeyRSA 4096 · sig. ECDSA-SHA384 Valid2026-04-30 → 2036-04-30 IssuerKitsos Root CA 1 Serial558DA24073FA831ADB8E14F8C828019E11AC4383 SHA-256BC:33:78:84:58:62:D9:D2:05:E0:C6:99:E0:74:D3:47:42:3D:E0:2D:3E:7C:30:8E:B0:BA:64:04:75:5A:71:6F CRLhttp://crl.pki.kitsos.net/root1.crl
Kitsos Document Signing CA G1
Document signingECDSA P-384
Download

Issues certificates for digital document signatures.

KeyECDSA P-384 · sig. ECDSA-SHA384 Valid2026-03-31 → 2036-03-31 IssuerKitsos Root CA 1 Serial621C486AB5327D9950EA7E5D2F29019D44A8A81A SHA-256EC:9B:21:83:51:3F:CF:30:49:B2:B1:E3:2C:BF:D8:D9:2F:BE:56:FE:C4:8D:E4:27:01:6A:16:02:C5:9A:70:4C CRLhttp://crl.pki.kitsos.net/root1.crl
Kitsos Code Signing CA G1
Code signingECDSA P-384
Download

Issues certificates for signing software, scripts and updates.

KeyECDSA P-384 · sig. ECDSA-SHA384 Valid2026-03-31 → 2036-03-31 IssuerKitsos Root CA 1 Serial72B8E1D6D9B628AC96BC1739A67B019D44A84B64 SHA-2569F:50:34:AD:21:03:03:93:0C:66:9E:95:57:3E:0D:D8:72:9A:1F:9E:42:AC:A2:15:31:FB:19:2F:D4:3C:F3:EE CRLhttp://crl.pki.kitsos.net/root1.crl
Kitsos Client CA G1
Client authECDSA P-384
Download

Issues client certificates for mutual-TLS authentication.

KeyECDSA P-384 · sig. ECDSA-SHA384 Valid2026-03-31 → 2036-03-31 IssuerKitsos Root CA 1 Serial5EA2676523F1FD4DA1C459EA9C80019D44A7F00D SHA-2565C:CB:08:1B:8F:D5:CD:7F:89:32:D3:7D:11:31:28:36:2F:EE:DF:CA:F3:9A:A2:4E:E3:C9:52:62:4F:A2:C9:89 CRLhttp://crl.pki.kitsos.net/root1.crl
Kitsos Root CA 2
RootRSA
Soon

A second root anchored on RSA, cross-signed by Kitsos Root CA 1 for compatibility with clients that don't support elliptic-curve roots. Coming soon.

Certificate Transparency — Kitsos Onyx

Kitsos Onyx is our own Certificate Transparency log. It accepts certificates exclusively from Kitsos root CAs. Every certificate we issue is logged and remains publicly auditable.

TLS Certificate Issuance

TLS server certificates are issued automatically via ACME. Every issued certificate is submitted to the Kitsos Onyx transparency log. The ACME directory endpoint is currently available to internal services only.