Insta Certifier CA Product

The trust enabling CA product

Insta Certifier is a full-featured CA (Certification Authority) product for issuing and managing digital certificates. It is designed with focus on security and high availability, making it an ideal solution for e.g. authorities and enterprises from finance, telecom and energy sectors.

Certificates issued by Insta Certifier can be utilised in various use cases, including encryption, digital signing and strong authentication of users, devices and services. A comprehensive set of standards-based interfaces ensures easy adaptation to diverse IT systems and applications, such as VPN (Virtual Private Network), SSO (Single Sign-On), secure email and network device authentication.

Modular product architecture with redundancy and clustering support enables scalability from a single offline root CA to complex organisation-wide CA hierarchies and to large-scale IoT deployments. Due to its security features, such as support for HSMs (Hardware Security Modules) from several manufacturers as well as strongest algorithms, e.g. ECC (Elliptic Curve Cryptography), Insta Certifier is ideally suited for security-critical applications.

Safe investment with long lifecycle

Insta Certifier has gained a well-established position as the trusted CA solution for security critical enterprises around the world. Insta is devoted to long-term development and support of the product, guaranteeing a long life cycle and making it a safe choice long into the future.

Insta Certifier is available as a standalone product or as part of our turn-key PKI solutions including deployment, training, support and maintenance services. Insta also provides CA Services based on Insta Certifier.

Try out Insta Certifier Demo Service

We provide a free Demo Service to demonstrate the possibilities of Insta Certifier. Certificates can be issued for testing purposes using a web browser as well as with CMP and SCEP protocols. Validation of the issued certificates can be performed against a CRL and an OCSP service.

Please contact us to obtain access to the Demo Service.

Scalable architecture

Insta Certifier provides added security and scalability with its modular structure. In small environments, the system can run on a single host. For increased security, the front-end services and the back-end engine can be split onto dedicated hosts, allowing for private keys to be kept separated from network reachable services.

The services can be also divided between multiple hosts, providing added performance and availability in large-scale deployments. For example PKI enrolment, online status checking, publishing and administration can run independently on separate hosts. Insta Certifier is also configurable for various high availability setups necessary for demanding environments.

Flexible certificate management

Insta Certifier adapts to existing corporate security policy rather than introducing constraints, and is easily integrated into complex and diverse environments. As an example of adapting to real life business requirements, a highly flexible framework is provided for defining certificate policies and practices for CAs.

Standards based certificate enrolment

Standards based certificate enrolment protocols allow easy deployment for different applications: certificates can be enrolled for RA workstations producing smart cards for end users, VPN devices, remote access clients, web browsers, etc. Service providers and enterprises can deploy a PKI system effortlessly, as Insta Certifier does not require the installation of proprietary desktop components for the end users.

Multi-CA hosting

New virtual certification authorities (CAs) with their own set of certificate policies and configurations are easily created by a system administrator with a graphical user interface. This powerful feature makes Insta Certifier an ideal platform for hosting a managed, multi-CA service environment. A new CA hierarchy with its own policies and administrators can be created in a matter of minutes.

Evolving and supported

Over the years, Insta Certifier has gained a well-established position as the trusted CA solution among many security critical authorities, institutions and companies. This is something that guarantees a long life cycle with constant updates, making it a supported, safe choice long into the future.

Certificate management

  • Online certificate life-cycle management
  • —Fully customizable automation of CA&RA policy rules
  • —Multiple CA hierarchies and RAs within an installation
  • —Web-based self-enrolment with customizable web enrolment pages
  • —Registration authority (RA) with smart card and USB token personalisation option
  • —Automatic CA renewal
  • —Manual and online cross-certification
  • —Online key backup and recovery
  • —CA private key storage in Hardware Security Module (HSM)


  • —Periodic CRL publishing
  • —Per-revocation CRL publishing
  • —Self-revocation based on pre-shared key (PSK)
  • —OCSP responder service with whitelist checking and HSM support


  • —Modular architecture: Front-end PKI services and back-end certificate engine
  • —Clustering of multiple back-end certificate engines with geo-redundant deployment option
  • —Duplication of front-end PKI services
  • —Online and offline CA deployment options
  • —Secure communication between system components

Directory integration

  • —Certificate and CRL publishing to standard LDAP directory or HTTP server
  • —Flexible publishing schemas
  • —Support for Microsoft Active Directory
  • —TLS protection of LDAP publishing
  • —LDAP authentication


  • —Web administration UI with role-based access control
  • —Support for dual control and separation of duties
  • —Restriction of access to specific CAs and specific operations
  • —Integrity-protected event logging and audit trail
  • —SNMP support for monitoring and statistics


  • EU Directive on Electronic Signatures (1999/93/EC)
  • —EU/ETSI qualified certificates
  • —3GPP CMP profile
  • ICAO Doc 9303, Part 12 - Public Key Infrastructure for Machine Readable Travel Documents

Enrolment, publishing and management protocols

  • Certificate Management Protocol (CMPv2)
  • Simple Certificate Enrolment Protocol (SCEP)
  • Web-form-based PKCS #10 certification requests
  • Web browser enrolment
  • Online Certificate Status Protocol (OCSP)
  • Lightweight Directory Access Protocol (LDAP)
  • Hypertext Transfer Protocol (HTTP)

Supported formats

  • X.509v3 certificate profile
  • X.509v2 CRL format
  • PKCS#1 RSA
  • PKCS#6 extended certificate syntax (selectively)
  • PKCS#7 envelopes
  • PKCS#8 password-protected private keys
  • PKCS#9 attribute types (selectively)
  • PKCS#10 certification requests
  • PKCS#12 Personal Information Exchange Syntax
  • Certification Request Message Format (CRMF)

Interfacing with Hardware Security Modules (HSM)

  • PKCS #11 crypto API
  • Supports e.g. Thales and SafeNet HSMs

Security protocols

  •  Transport Layer Security (TLS)

 Public-Key algorithms

  • RSA (up to 8192 bits)
  • —ECC (secp256r1, secp384r1 and secp521r1)

 Hash algorithms

  • SHA-1
  • SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512)

 Symmetric algorithms

  • AES 128/256-bit
  • 3DES