Secure AI Agents and MCP Tools with Zero Trust Identity

BastionXP acts as a private ACME server, allowing your existing tools (like certbot, acme.sh, or cert-manager) to request, renew, and rotate certificates automatically. By using the ACME protocol, you eliminate the "human-in-the-middle" for internal certificate management, reducing the risk of expired certificates causing downtime.

By moving away from static secrets, BastionXP eliminates the risk of credential theft. Every connection—whether it’s a developer accessing a server, or workload connecting to a database — is authenticated via Mutual TLS (mTLS).

Yes. Because BastionXP is a fully compliant ACME server (RFC 8555), you don’t need proprietary agents. You can use industry-standard clients like Certbot, Lego for Linux servers, acme.sh for lightweight environments, and Autocert for Go applications without any code changes.

Yes. BastionXP includes a fully compliant ACME (RFC 8555) server, that supports 'device-attest-01' challenge. This allows for automated certificate enrollment and renewal for mobile devices, workloads, web servers, VPNs, Wi-Fi access, NAS, RADIUS server, databases and internal services using standard tools like Certbot, Lego, cert-manager or custom ACME clients.

Yes. A core pillar of our Zero Trust philosophy is the use of ephemeral certificates. By issuing certificates that expire in hours or days rather than years, the "window of opportunity" for an attacker is virtually eliminated.

Absolutely. BastionXP is designed to work as an external issuer for cert-manager. This allows Kubernetes clusters to automatically provision mTLS certificates for ingress controllers, sidecars, and pod-to-pod communication using standard CRDs.

Unlike public ACME servers (like Let's Encrypt) which are "open to all," BastionXP uses External Account Binding (EAB) to ensure only authorized entities can register an account. It cryptographically binds an ACME account to a pre-approved identity in your system, preventing "Shadow PKI" where unauthorized scripts or users spin up certificates.

BastionXP functions as both a CA (Signer) and an RA (Registration Authority). While a standard CA blindly signs any valid request, BastionXP’s RA layer applies Granular Provisioner Policies. You can restrict specific ACME accounts to only issue certificates for specific DNS subdomains, IP ranges, or short validity periods (e.g., 4 hours, 8 hours, or 24 hours).

Yes. It is a core use case. BastionXP can issue both client and server certificates, making it easy to enforce mTLS for service-to-service authentication in microservices, internal APIs, and database connections.

Yes. Since BastionXP is a self-hosted private CA, it does not require an internet connection to Let's Encrypt or other public authorities. This makes it ideal for highly regulated industries, air-gapped data centers, or local IoT environments.

Yes. Please write to us for the Enterprise Free Trial Version of BastionXP. We can offer the free trial as a self-hosted or cloud-hosted solution.

The BastionXP Enterpise Version supports:
a) Private PKI/CA and ACME server that issues TLS X.509 certificates and keys based on hardware-rooted device attestation for Apple Devices.
b) Integrates with your favorite MDM such as Jamf, Fleet DM and others.
c) Integrates with Google G-Suite, Microsoft Office 365, Okta, Keycloak, and AWS IAM based SSO/OAuth.
d) Role Based Access Control using Microsoft Azure Active Directory, Okta, Keycloak or any IAM.
e) Priority customer support.

BastionXP solution is a cloud native application that is cloud vendor agnostic. It works seamlessly in any cloud including AWS, GCP, Azure or Digital Ocean cloud.

Yes. We offer a cloud hosted version of BastionXP as a SaaS offering. You can try the cloud version for free for 30-days. No credit card required. Please write to us to learn more about the SaaS offering.

Please write to [email protected] for sales, queries, pricing and demo request.

BastionXP can issue certificates to IoT devices using ACME or via hardware-rooted attestation. This ensures each device has a unique, non-exportable identity, allowing for secure encrypted communication from the edge to your central cloud.

Traditional PKI is often heavy, requiring complex databases, Windows servers, and months of integration. BastionXP collapses this into a single, lightweight binary that is "DevOps-native," meaning it can be deployed in minutes and managed via JSON policies and standard APIs.

BastionXP is typically managed by Platform Engineering, DevOps, or SRE teams who need to provide "Security-as-a-Service" to the rest of the organization. It allows security teams to set the "guardrails" (policies) while letting developers automate their own certificate needs.

Every certificate request, renewal, and revocation is logged with full attribution. Because of EAB, you can see exactly which identity requested which certificate, providing a clear audit trail for compliance frameworks like SOC2, HIPAA, or PCI-DSS.