Zero-Trust Security for Modern DevOps
BastionXP Private CA with ACME support brings the simplicity of Let’s Encrypt to your internal infrastructure. Using the ACME protocol, we provide a fully automated, high-velocity PKI designed for the speed of CI/CD.
Why DevOps Teams are Switching to BastionXP
BastionXP acts as the "Private Let's Encrypt" for your internal infrastructure, plugging directly into the tools your team uses every day.
The Core DevOps Benefits:
- Instant Provisioning, Zero Human Intervention: Leverage the industry-standard ACME protocol to automate the entire lifecycle. Your servers, containers, and load balancers request, verify, and renew their own certificates—silently in the background.
- The Power of Short-Lived Certificates: Reduce your attack surface by moving from year-long certificates to 24-hour or 7-day identities. If a key is compromised, the certificate expires within hours or days, which shrinks the window in which an attacker can use it to move laterally. Short-lived certificates also remove most of the dependence on revocation infrastructure (CRLs and OCSP): a certificate that cannot be revoked in time simply expires instead.
- Infrastructure as Code (IaC): Use the Terraform ACME provider to provision certificates alongside your infrastructure, eliminating the "chicken-and-egg" problem of securing new endpoints.
- Kubernetes Native: Seamlessly integrate with cert-manager to automate mTLS for pods and ingress controllers (Nginx/Traefik) without manual sidecar injection or secret management.
- CI/CD Pipeline Security: Automatically sign build artifacts and secure ephemeral staging environments using temporary certificates that expire the moment the job is complete.
- Git SSH Certificate Automation: BastionXP transforms Git security by replacing permanent, unmanaged SSH keys with short-lived, identity-bound certificates. By integrating directly with your SSO/OIDC, it ensures that every code push is cryptographically tied to a verified engineer with appropriate privileges.
How BastionXP Private ACME CA Works With Kubernetes
In a Kubernetes environment, BastionXP acts as a high-performance Private ACME Server. By integrating with the industry-standard cert-manager, BastionXP automates the entire certificate lifecycle for internal services, ingresses, and pod-to-pod mTLS without any manual intervention.
The Architecture: How it Works
The workflow follows a cloud-native pattern where cert-manager acts as the client (on behalf of your pods) and BastionXP acts as the Authority (signing the certificates).
- Issuer Configuration: You define a ClusterIssuer in Kubernetes that points to your BastionXP ACME directory URL.
- Certificate Request: A developer creates a Certificate resource.
- Challenge & Validation: cert-manager proves control over the requested domain by completing an http-01 or dns-01 challenge (the two challenge types cert-manager's ACME issuer implements) against BastionXP.
- Issuance: Once validated, BastionXP signs the certificate and cert-manager stores it as a Kubernetes Secret for your application to mount.
- Renewal: By default, cert-manager renews a certificate once two-thirds of its lifetime has elapsed (a renewBefore of one-third of the duration), so a 24-hour certificate is renewed after roughly 16 hours. Each renewal is a fresh ACME order, so validation repeats unless the ACME server still holds a valid authorization for the identifier.
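The five steps above expressed as a concrete cert-manager configuration. This is an added example, not configuration taken from BastionXP's own documentation: the ACME directory URL, the EAB key ID, the Secret names, the ingress class and the hostnames are assumptions and must be replaced with values from your deployment.

```yaml
# Step 1: a ClusterIssuer that points cert-manager's built-in ACME issuer at the
# private BastionXP ACME directory. Assumed URL; take the real one from your CA.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: bastionxp-acme
spec:
  acme:
    server: https://ca.internal.example/acme/acme/directory
    email: platform@internal.example
    # If the CA's own HTTPS endpoint is not trusted by the cluster's CA store,
    # supply its root here (base64-encoded PEM) instead of disabling TLS checks.
    # caBundle: <base64 PEM of the BastionXP root>
    privateKeySecretRef:
      name: bastionxp-acme-account-key   # ACME account key, generated by cert-manager
    # External Account Binding: only holders of a pre-issued key ID + HMAC secret
    # can register an account. Assumed key ID; the secret is created separately:
    #   kubectl -n cert-manager create secret generic bastionxp-eab \
    #     --from-literal=hmac-key=<base64url MAC key from the CA operator>
    externalAccountBinding:
      keyID: acme-k8s-ingress
      keySecretRef:
        name: bastionxp-eab
        key: hmac-key
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx       # step 3: cert-manager answers http-01 via the ingress
---
# Step 2: a developer requests a certificate. The CA's provisioner policy may clamp
# the requested duration; cert-manager simply renews on whatever it was granted.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api
  namespace: payments
spec:
  secretName: payments-api-tls          # step 4: issued cert + key land in this Secret
  duration: 24h
  renewBefore: 8h                       # step 5: renew with 8h left, i.e. at 2/3 of lifetime
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always              # new key pair on every renewal, not just a new cert
  usages:
  - server auth
  - client auth                         # lets the same identity act as an mTLS client
  dnsNames:
  - payments-api.apps.internal.example
  issuerRef:
    name: bastionxp-acme
    kind: ClusterIssuer
```

The application then mounts the `payments-api-tls` Secret (keys `tls.crt`, `tls.key` and `ca.crt`) as usual; nothing in the pod needs to know ACME exists.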
Automated Certificate & Key Management
BastionXP PKI/CA automates X.509 & SSH certificate creation, signing, distribution, rotation and revocation.
Identity Based Access Control
Certificates are tied to device, host and end user identity. Certificates are issued only after hardware-rooted device attestation or OIDC login.
Short-Lived Certificates
Issues short-lived SSL/TLS X.509 certificates to devices, workloads and end users, sharply reducing the security risks associated with long-lived certificates.
Zero Trust Security
Generates SSL/TLS X.509 server and client certificates for mutual TLS(mTLS) authentication and end-to-end encryption.
Auditing & Compliance
All activities and events are logged to provide a detailed log trail for auditing and compliance purposes. Logs can be exported to a log analyzer to identify anomalies.
Role Based Access Control
Supports SCIM integration with your Identity Provider (IdP). Assign roles to your team members and restrict access to your enterprise resources using RBAC policies.
Start Your Free Trial Now
Try BastionXP for free with no commitments. No credit card required.
Frequently Asked Questions
- How does BastionXP automate the certificate lifecycle for DevOps teams?
BastionXP acts as a private ACME server, allowing your existing tools (like certbot, acme.sh, or cert-manager) to request, renew, and rotate certificates automatically. By using the ACME protocol, you eliminate the "human-in-the-middle" for internal certificate management, reducing the risk of expired certificates causing downtime.
- How does BastionXP improve security?
By replacing static, long-lived secrets with short-lived certificates, BastionXP sharply reduces the value of a stolen credential. Every connection, whether a developer accessing a server or a workload connecting to a database, is authenticated via Mutual TLS (mTLS).
- Can I use standard ACME clients with BastionXP?
Yes. Because BastionXP is a fully compliant ACME server (RFC 8555), you don't need proprietary agents. You can use industry-standard clients like Certbot or Lego on Linux servers, acme.sh in lightweight environments, and autocert (golang.org/x/crypto/acme/autocert) in Go applications; the only change is pointing the client at your private directory URL and supplying its EAB credentials.
- Are the certificates short-lived?
Yes. A core pillar of our Zero Trust philosophy is the use of ephemeral certificates. By issuing certificates that expire in hours or days rather than years, the "window of opportunity" for an attacker holding a stolen key is narrowed to hours rather than months.
- Does BastionXP support the ACME protocol?
Yes. BastionXP includes a fully compliant ACME (RFC 8555) server supporting the 'http-01', 'dns-01', 'tls-alpn-01' and 'device-attest-01' challenges. This allows automated certificate enrollment and renewal for workloads, web servers, VPNs, Wi-Fi access, NAS, RADIUS servers, databases and internal services using standard tools like Certbot, Lego, autocert or custom ACME clients.
- Does BastionXP support Kubernetes and cert-manager?
Absolutely. Because BastionXP speaks ACME (RFC 8555), cert-manager's built-in ACME issuer talks to it directly; no custom external-issuer controller is needed. This allows Kubernetes clusters to automatically provision mTLS certificates for ingress controllers, sidecars, and pod-to-pod communication using the standard CRDs (Issuer, ClusterIssuer and Certificate).
- What is External Account Binding (EAB) and why do I need it?
Unlike public ACME servers (like Let's Encrypt) which are "open to all," BastionXP uses External Account Binding (EAB) to ensure only authorized entities can register an account. It cryptographically binds an ACME account to a pre-approved identity in your system, preventing "Shadow PKI" where unauthorized scripts or users spin up certificates.
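What the binding actually consists of, as an added example that is not BastionXP's code: both halves of RFC 8555 section 7.3.4, the client building the externalAccountBinding JWS for its newAccount request and the server verifying it. The newAccount URL, the key ID, the MAC key and the account key (the P-256 test key from RFC 7515 Appendix A.3) are constructed demo values; the server-side table `EAB_STORE` stands in for whatever the CA uses to store issued EAB credentials.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo inputs. A real EAB key ID and MAC key are handed out by the CA
# operator out of band (admin console, secrets manager), never over ACME itself.
NEW_ACCOUNT_URL = "https://ca.internal.example/acme/acme/new-account"  # assumed URL
EAB_KID = "acme-ci-runner-01"
# ACME account public key in JWK form (P-256 test key from RFC 7515 Appendix A.3).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires for every JWS field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed MAC key; the client receives the base64url form, the CA keeps it per key ID.
EAB_HMAC_KEY = b64url(b"constructed-demo-mac-key-do-not-use-in-production")
EAB_STORE = {EAB_KID: EAB_HMAC_KEY}  # server-side table of issued EAB credentials


def build_eab(account_jwk: dict, eab_kid: str, eab_hmac_key_b64: str, new_account_url: str) -> dict:
    """Client side: the inner JWS placed in the newAccount request's externalAccountBinding.

    Payload is the ACME account's public JWK; the protected header carries alg=HS256,
    the EAB key ID as kid and the newAccount URL; there is deliberately no nonce.
    """
    protected = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(b64url_decode(eab_hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(signature)}


def verify_eab(eab: dict, outer_jwk: dict, new_account_url: str, lookup_mac_key) -> bool:
    """Server side: accept the binding only if every check passes.

    outer_jwk is the key that signed the surrounding newAccount JWS; lookup_mac_key
    maps an EAB key ID to its base64url MAC key (or None if the ID is unknown).
    """
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        inner_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, TypeError, ValueError):
        return False
    if not isinstance(protected, dict) or protected.get("alg") != "HS256":
        return False
    if protected.get("url") != new_account_url:  # binding is tied to this CA's newAccount URL
        return False
    mac_key_b64 = lookup_mac_key(protected.get("kid"))
    if mac_key_b64 is None:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(mac_key_b64), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    # The bound key must be the key signing the outer request; otherwise a captured
    # binding could be replayed to register an attacker-controlled account key.
    return inner_jwk == outer_jwk


if __name__ == "__main__":
    binding = build_eab(ACCOUNT_JWK, EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL)
    print(json.dumps({"externalAccountBinding": binding}, indent=2))
    print("server accepts:", verify_eab(binding, ACCOUNT_JWK, NEW_ACCOUNT_URL, EAB_STORE.get))
```

In practice you rarely build this by hand: certbot takes `--server`, `--eab-kid` and `--eab-hmac-key`, lego takes `--eab --kid --hmac`, acme.sh takes `--eab-kid` and `--eab-hmac-key`, and cert-manager reads the same two values from `spec.acme.externalAccountBinding`. The point of the example is what the CA is actually checking: the MAC over the account key, the URL, and that the bound key equals the key registering the account.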
- How does BastionXP prevent "Certificate Sprawl"?
BastionXP functions as both a CA (Signer) and an RA (Registration Authority). While a standard CA blindly signs any valid request, BastionXP’s RA layer applies Granular Provisioner Policies. You can restrict specific ACME accounts to only issue certificates for specific DNS subdomains, IP ranges, or short validity periods (e.g., 4 hours, 8 hours, or 24 hours).
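A worked version of the RA decision described above, added here as an example and not BastionXP's own implementation or policy format. It evaluates an ACME newOrder (its identifiers plus optional notBefore/notAfter) against a per-account policy that limits DNS suffixes, IP ranges, wildcard use and maximum validity. The two account IDs, the policy schema and the hostnames are assumptions; the orders in the usage block are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed provisioner policies keyed by ACME account (its EAB key ID).
# The schema is hypothetical; it is not BastionXP's policy format.
POLICIES = {
    "acme-ci-runner-01": {
        "dns_suffixes": (".ci.internal.example",),
        "ip_networks": ("10.42.0.0/16",),
        "allow_wildcards": False,
        "max_validity": timedelta(hours=4),
    },
    "acme-k8s-ingress": {
        "dns_suffixes": (".apps.internal.example",),
        "ip_networks": (),
        "allow_wildcards": True,
        "max_validity": timedelta(hours=24),
    },
}


def parse_rfc3339(text: str) -> datetime:
    """ACME carries notBefore/notAfter as RFC 3339; fromisoformat wants +00:00, not Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def identifier_allowed(policy: dict, ident: dict) -> bool:
    """One order identifier against the account's scope. Unknown types are rejected."""
    kind, value = ident.get("type"), str(ident.get("value", ""))
    if kind == "dns":
        name = value.lower().rstrip(".")
        if name.startswith("*."):
            if not policy["allow_wildcards"]:
                return False
            name = name[2:]  # "*.apps.internal.example" is scoped by "apps.internal.example"
        if "*" in name or not name:
            return False
        # Suffix match on a label boundary: "evilapps.internal.example" must not pass
        # for the suffix ".apps.internal.example"; the bare zone apex itself is allowed.
        return any(name == s.lstrip(".") or name.endswith(s) for s in policy["dns_suffixes"])
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(addr in ipaddress.ip_network(n) for n in policy["ip_networks"])
    return False


def evaluate_order(account_kid: str, order: dict):
    """RA decision for a newOrder: (allowed, reasons, validity the CA may grant).

    With no notBefore/notAfter the policy maximum applies; a shorter requested
    window is honoured, a longer one is refused rather than silently clamped.
    """
    policy = POLICIES.get(account_kid)
    if policy is None:
        return False, ["no provisioner policy is bound to this account"], None
    reasons = []
    identifiers = order.get("identifiers") or []
    if not identifiers:
        reasons.append("order carries no identifiers")
    for ident in identifiers:
        if not identifier_allowed(policy, ident):
            reasons.append(f"{ident.get('type')} identifier {ident.get('value')!r} is outside this account's scope")
    validity = policy["max_validity"]
    if "notBefore" in order or "notAfter" in order:
        try:
            requested = parse_rfc3339(order["notAfter"]) - parse_rfc3339(order["notBefore"])
        except (KeyError, TypeError, ValueError):
            reasons.append("notBefore and notAfter must both be present and valid RFC 3339 timestamps")
        else:
            if requested <= timedelta(0):
                reasons.append("notAfter must be later than notBefore")
            elif requested > policy["max_validity"]:
                reasons.append(f"requested validity {requested} exceeds the policy maximum of {policy['max_validity']}")
            else:
                validity = requested
    if reasons:
        return False, reasons, None
    return True, [], validity


if __name__ == "__main__":
    # Constructed orders: a CI job asking for a build host and its IP, and an ingress
    # controller asking for a wildcard outside its zone.
    print(evaluate_order("acme-ci-runner-01", {"identifiers": [
        {"type": "dns", "value": "build-42.ci.internal.example"},
        {"type": "ip", "value": "10.42.7.9"}]}))
    print(evaluate_order("acme-k8s-ingress", {"identifiers": [
        {"type": "dns", "value": "*.prod.internal.example"}]}))
```

Refusing an order up front, at newOrder time, is what stops sprawl: the client never reaches the challenge or finalize step with an identifier its account was not scoped for, and the refusal is attributable to the EAB key ID in the audit log.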
- Is BastionXP suitable for Mutual TLS (mTLS)?
Yes. It is a core use case. BastionXP can issue both client and server certificates, making it easy to enforce mTLS for service-to-service authentication in microservices, internal APIs, and database connections.
- Can BastionXP run in air-gapped or restricted environments?
Yes. Since BastionXP is a self-hosted private CA, it does not require an internet connection to Let's Encrypt or other public authorities. This makes it ideal for highly regulated industries, air-gapped data centers, or local IoT environments.
- How does BastionXP handle IoT and Edge device identity?
BastionXP can issue certificates to IoT devices using ACME or via hardware-rooted attestation (the 'device-attest-01' challenge). When the private key is generated inside the device's secure element or TPM, the resulting identity is unique to that device and non-exportable, allowing for secure encrypted communication from the edge to your central cloud.
- How does this differ from traditional Enterprise PKI (like MS NDES or Venafi)?
Traditional PKI is often heavy, requiring complex databases, Windows servers, and months of integration. BastionXP collapses this into a single, lightweight binary that is "DevOps-native," meaning it can be deployed in minutes and managed via JSON policies and standard APIs.
- Who should manage the BastionXP ACME server?
BastionXP is typically managed by Platform Engineering, DevOps, or SRE teams who need to provide "Security-as-a-Service" to the rest of the organization. It allows security teams to set the "guardrails" (policies) while letting developers automate their own certificate needs.
- What kind of audit logs does BastionXP provide?
Every certificate request, renewal, and revocation is logged with full attribution. Because of EAB, you can see exactly which identity requested which certificate, providing a clear audit trail for compliance frameworks like SOC2, HIPAA, or PCI-DSS.
- Is there a free trial of the BastionXP Enterprise Version?
Yes. Please write to us for a free trial of the BastionXP Enterprise Version. We can offer the trial as a self-hosted or cloud-hosted solution.
- What features are available in the Enterprise Version of BastionXP?
The BastionXP Enterprise Version supports:
a) Private PKI/CA and ACME server that issues TLS X.509 certificates and keys based on hardware-rooted device attestation for Apple devices.
b) Integration with your MDM, such as Jamf, Fleet DM and others.
c) Integration with Google Workspace (G Suite), Microsoft Office 365, Okta, Keycloak, and AWS IAM based SSO/OAuth.
d) Role Based Access Control using Microsoft Azure Active Directory, Okta, Keycloak or any IAM.
e) Priority customer support.
- Can I host BastionXP in AWS?
Yes. BastionXP is a cloud-native application that is cloud-vendor agnostic. It works in any cloud, including AWS, GCP, Azure or DigitalOcean.
- Can you provide a cloud hosted version of BastionXP as a SaaS offering?
Yes. We offer a cloud hosted version of BastionXP as a SaaS offering. You can try the cloud version for free for 30-days. No credit card required. Please write to us to learn more about the SaaS offering.
- How do I enquire about sales, a demo or pricing?
Please write to [email protected] for sales queries, pricing and demo requests.