Zero-Touch Security for Modern DevOps
BastionXP Private CA with ACME support brings the simplicity of Let’s Encrypt to your internal infrastructure. Using the ACME protocol, we provide a fully automated, high-velocity PKI designed for the speed of CI/CD.
Why DevOps Teams are Switching to BastionXP
BastionXP acts as the "Private Let's Encrypt" for your internal infrastructure, plugging directly into the tools your team uses every day.
The Core DevOps Benefits:
- Instant Provisioning, Zero Human Intervention: Leverage the industry-standard ACME protocol to automate the entire lifecycle. Your servers, containers, and load balancers request, verify, and renew their own certificates—silently in the background.
- The Power of Short-Lived Certificates: Reduce your attack surface by moving from year-long certificates to 24-hour or 7-day identities. If a key is ever compromised, it becomes useless before an attacker can even move laterally. Short-lived certificates eliminate the need for complex Revocation Lists (CRLs).
- Infrastructure as Code (IaC): Use the Terraform ACME provider to provision certificates alongside your infrastructure, eliminating the "chicken-and-egg" problem of securing new endpoints.
- Kubernetes Native: Seamlessly integrate with cert-manager to automate mTLS for pods and ingress controllers (Nginx/Traefik) without manual sidecar injection or secret management.
- CI/CD Pipeline Security: Automatically sign build artifacts and secure ephemeral staging environments using temporary certificates that expire the moment the job is complete.
- Git SSH Certificate Automation: BastionXP transforms Git security by replacing permanent, unmanaged SSH keys with short-lived, identity-bound certificates. By integrating directly with your SSO/OIDC, it ensures that every code push is cryptographically tied to a verified engineer with appropriate privileges.
How BastionXP Private ACME CA Works With Kubernetes
In a Kubernetes environment, BastionXP acts as a high-performance Private ACME Server. By integrating with the industry-standard cert-manager, BastionXP automates the entire certificate lifecycle for internal services, ingresses, and pod-to-pod mTLS without any manual intervention.
The Architecture: How it Works
The workflow follows a cloud-native pattern where cert-manager acts as the client (on behalf of your pods) and BastionXP acts as the Authority (signing the certificates).
- Issuer Configuration: You define a ClusterIssuer in Kubernetes that points to your BastionXP ACME directory URL.
- Certificate Request: A developer creates a Certificate resource.
- Challenge & Validation: cert-manager interacts with BastionXP to prove control over the requested domain using one of the three ACME challenge types.
- Issuance: Once validated, BastionXP signs the certificate and cert-manager stores it as a Kubernetes Secret for your application to mount.
- Renewal: By default, cert-manager triggers renewal once 2/3 of the certificate's lifespan has passed, which keeps shorter-lived certificates continuously refreshed.
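The workflow above expressed as cert-manager resources, as an added example that is not BastionXP's own documentation: the ACME directory URL, contact address, ingress class, namespace and hostname are assumed placeholders.

```yaml
# cert-manager resources for the workflow above; placeholder values are marked
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: bastionxp-acme
spec:
  acme:
    # Step 1: directory URL of the private ACME server (placeholder hostname)
    server: https://bastionxp-ca.example.internal/acme/directory
    email: pki-admin@example.internal   # placeholder contact for the ACME account
    # cert-manager generates the ACME account key and stores it in this Secret
    privateKeySecretRef:
      name: bastionxp-acme-account-key
    # If the ACME endpoint itself serves a privately trusted certificate, supply
    # that trust anchor here instead of disabling TLS verification:
    # caBundle: <base64-encoded PEM of the CA that issued the ACME server's cert>
    solvers:
      # Step 3: answer HTTP-01 challenges via the ingress controller
      # (ingressClassName needs cert-manager v1.12+; older releases use `class:`)
      - http01:
          ingress:
            ingressClassName: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api-tls        # placeholder workload
  namespace: payments
spec:
  # Step 4: issued certificate and key are written to this Secret for mounting
  secretName: payments-api-tls
  # Step 5: request a 24h identity and renew once 2/3 of its lifetime has passed.
  # The CA's profile decides the real validity; cert-manager schedules renewal
  # from the notAfter of the certificate actually issued.
  duration: 24h
  renewBefore: 8h
  dnsNames:
    - payments-api.example.internal
  # Generate a fresh key pair on every renewal instead of reusing the old key
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
  issuerRef:
    name: bastionxp-acme
    kind: ClusterIssuer
```

After applying both manifests, `kubectl describe certificate payments-api-tls -n payments` shows the Order and Challenge progress and the Ready condition once the Secret has been populated.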
Automated Certificate & Key Management
BastionXP PKI/CA automates X.509 & SSH certificate creation, signing, distribution, rotation and revocation.
Identity Based Access Control
Certificates are tied to device, host and end user identity. Certificates are issued only after hardware-rooted device attestation or OIDC login.
Short-Lived Certificates
Issues short-lived SSL/TLS X.509 certificates to devices, workloads and end users, eliminating the security risks associated with long-lived certificates.
Zero Trust Security
Generates SSL/TLS X.509 server and client certificates for mutual TLS (mTLS) authentication and end-to-end encryption.
Auditing & Compliance
All activities and events are logged to provide a detailed audit trail for auditing and compliance purposes. Logs can later be analyzed with a log analyzer to identify anomalies.
Role Based Access Control
Supports SCIM integration with your Identity Provider (IdP). Assign roles to your team members and restrict access to your enterprise resources using RBAC policies.
Start Your Free Trial Now
Try BastionXP for free with no commitments. No credit card required.
Frequently Asked Questions
- What is BastionXP?
BastionXP is an Identity-Aware Automated Certificate Lifecycle Management platform that uses hardware-rooted device attestation to provide passwordless WiFi and VPN access for enterprise managed devices.
BastionXP integrates with your MDM to automate hardware-rooted device certificate lifecycle management, so that only company approved devices can access resources such as WiFi, VPN and SaaS apps.
- Can I get a free trial version of BastionXP?
Yes. You can download and try the free version of BastionXP. Please refer to the "Getting Started" guide in our documentation. Remember that the free trial version comes with a limited feature set without the enterprise features. If you want to try the Enterprise Version, please write to us: [email protected].
- What features are available in the enterprise version of BastionXP?
The BastionXP Enterprise version supports:
a) Private PKI/CA that generates SSL/TLS X.509 certificates and keys based on hardware-rooted device attestation.
b) Integration with your favorite MDM.
c) Google G-Suite, Microsoft Office 365, Okta, Keycloak, and AWS IAM based SSO/OAuth.
d) Role Based Access Control using Microsoft Azure Active Directory, Okta, Keycloak or any IAM.
e) Priority customer support.
- Can I host BastionXP in AWS?
The BastionXP solution is a cloud-native application that is cloud vendor agnostic. It works seamlessly in any cloud, including AWS, GCP, Azure or DigitalOcean.
- Can you provide a cloud hosted version of BastionXP as a SaaS offering?
Yes. We offer a cloud hosted version of BastionXP as a SaaS offering. You can try the cloud version for free for 30 days. No credit card required.
- How do I enquire about sales, demos and pricing?
Please write to [email protected] for sales queries, pricing and demo requests.