
Why enterprises build private trust systems.

A private Certificate Authority issues certificates trusted only inside your organization — for internal services, devices, and machine-to-machine authentication where public CAs don’t fit.

Figure: private trust hierarchy. A private CA at the top issues certificates to applications, devices, services, and internal sites.
Definition

A private CA (private Certificate Authority) is an internally operated certificate authority that issues certificates trusted only within an organization — used for internal applications, devices, services, and mutual TLS, rather than the public internet.

How a private CA works

Your own root of trust.

1. Establish a root: stand up an internal root of trust, kept offline and protected.

2. Issue internally: provision certificates to internal services and devices.

3. Distribute trust: roll the root out to the systems that must trust it.

4. Manage & revoke: renew, rotate, and revoke certificates over time.
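The four steps above, carried out end to end with the OpenSSL command line as an added example; this is not code from the original page or from MachineCert. It assumes an OpenSSL 1.1.1 or newer binary on the PATH, and every name in it (the two root CA names, the svc-a.internal.example service, the scratch directory) is a made-up placeholder. It also shows two things the steps imply but do not spell out: a client that trusts a different internal root rejects the certificate outright, and a revocation is invisible to any client that does not check the CRL.

```shell
#!/bin/sh
# Added example (not from the page or from MachineCert): a private CA lifecycle
# with the OpenSSL CLI. All names below are made-up placeholders.
set -eu

PKI="${PKI_DIR:-$(mktemp -d)}"   # scratch dir for keys, certs and the CA database

# Step 1: establish a root. A production root key lives offline (HSM or
# air-gapped host); here that is only mimicked by creating it with mode 0600.
make_root() {            # $1 = CA directory, $2 = root CN
  rm -rf "$1"; mkdir -p "$1/newcerts"
  (umask 077; openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
     -out "$1/root.key" 2>/dev/null)
  # One config serves both "openssl req -x509" (the root cert) and "openssl ca"
  # (issuance/revocation): 90-day leaves, 30-day CRLs, CN required in every CSR.
  cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = root_ext
[ dn ]
CN = $2
[ root_ext ]
basicConstraints     = critical,CA:TRUE,pathlen:0
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = internal_ca
[ internal_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/root.crt
private_key      = \$dir/root.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 90
default_crl_days = 30
policy           = cn_only
[ cn_only ]
commonName = supplied
EOF
  openssl req -x509 -new -config "$1/ca.cnf" -key "$1/root.key" -sha256 \
    -days 3650 -out "$1/root.crt" 2>/dev/null
  : > "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
}

# Step 2: issue internally. The service keeps its private key; only the CSR
# reaches the CA, which signs it with leaf-only extensions and a SAN.
issue_cert() {           # $1 = CA directory, $2 = service name
  d="$PKI/issued/$2"; mkdir -p "$d"
  (umask 077; openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
     -out "$d/key.pem" 2>/dev/null)
  cat > "$d/leaf.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = $2.internal.example
[ leaf ]
basicConstraints = critical,CA:FALSE
keyUsage         = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth
subjectAltName   = DNS:$2.internal.example
EOF
  openssl req -new -config "$d/leaf.cnf" -key "$d/key.pem" -out "$d/csr.pem" 2>/dev/null
  openssl ca -batch -config "$1/ca.cnf" -extfile "$d/leaf.cnf" -extensions leaf \
    -notext -in "$d/csr.pem" -out "$d/cert.pem" >/dev/null 2>&1
}

# Step 3: distribute trust. A client "trusts" a root by having root.crt in its
# store; "openssl verify -CAfile" stands in for that store. Exit 0 = accepted.
client_accepts() {       # $1 = CA directory the client trusts, $2 = service name
  openssl verify -CAfile "$1/root.crt" "$PKI/issued/$2/cert.pem" >/dev/null 2>&1
}

# Step 4: manage and revoke. Revocation only bites where clients check the CRL,
# so the CA must publish a fresh CRL after every revocation.
revoke_cert() {          # $1 = CA directory, $2 = service name
  openssl ca -config "$1/ca.cnf" -revoke "$PKI/issued/$2/cert.pem" \
    -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/root.crl" >/dev/null 2>&1
}
client_accepts_with_crl() {   # as client_accepts, but the client also checks the CRL
  openssl verify -crl_check -CAfile "$1/root.crt" -CRLfile "$1/root.crl" \
    "$PKI/issued/$2/cert.pem" >/dev/null 2>&1
}

# Walk the lifecycle; returns 0 only if every expectation holds.
run_lifecycle() {
  make_root "$PKI/root" "Example Internal Root CA"
  make_root "$PKI/other-root" "Platform Team Root CA"   # an unrelated second internal CA
  issue_cert "$PKI/root" svc-a
  client_accepts "$PKI/root" svc-a            || return 1   # trusts our root: accepted
  ! client_accepts "$PKI/other-root" svc-a    || return 1   # trusts only the other CA: rejected
  revoke_cert "$PKI/root" svc-a
  client_accepts "$PKI/root" svc-a            || return 1   # no CRL check: still accepted
  ! client_accepts_with_crl "$PKI/root" svc-a || return 1   # CRL checked: rejected
}

run_lifecycle && echo "private CA lifecycle OK (artifacts in $PKI)"
```

Run it as a script and it leaves the root, the second root, the issued certificate and the CRL under the scratch directory for inspection with openssl x509 and openssl crl. The second root exists only to make the "trusted only by systems you configure" point concrete: nothing about the certificate changes, only the client's trust store decides.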

Public vs private

When to use a private CA.

Public CAs secure what the world connects to. Private CAs secure what only your organization needs to trust — and often issue far more certificates.

Public CA

Trusted by browsers and operating systems by default. Used for public-facing websites and APIs.

Private CA

Trusted only within your organization. Used for internal services, devices, and mTLS where public trust isn’t needed.

Microsoft ADCS

A common enterprise private CA built into Windows Server, widely used for internal certificates and device enrollment.

HashiCorp Vault

A modern private CA via its PKI secrets engine, popular for dynamic, short-lived service certificates.

Modern challenges

Private PKI is powerful — and easy to lose track of.

Hardest to see

Private PKI is the least visible part of most estates.

Kubernetes everywhere

Service mesh and cert-manager issue private certs constantly.

mTLS explosion

Service-to-service certs multiply faster than anyone tracks.

Root protection

A compromised private root undermines everything it signed.

Manual issuance

Ticket-based internal issuance can’t scale.

Multiple internal CAs

Different teams stand up their own, fragmenting trust.

FAQ

Private CAs, answered.

A private CA is an internally operated certificate authority that issues certificates trusted only within an organization. It’s used for internal applications, devices, services, and mutual TLS — cases where public trust isn’t required or appropriate.

A public CA is trusted by browsers and operating systems by default and is used for internet-facing sites. A private CA is trusted only by systems you configure to trust it, and is used for internal-only services and machine identities.

To issue certificates for internal services, devices, and mutual TLS at scale and within their own policies, without the cost, rate limits, or public exposure of using a public CA for internal use.

Microsoft Active Directory Certificate Services (ADCS), HashiCorp Vault’s PKI engine, and Kubernetes cert-manager (often backed by an internal issuer) are among the most common.

Internal certificates typically far outnumber public ones, rotate frequently (especially in Kubernetes and service meshes), and are issued by tools that don’t share a common view — making them the least visible, hardest-to-track certificates.

Mutual TLS, where both sides of a connection present certificates, is usually backed by a private CA. As service-to-service mTLS grows, private certificate volume grows with it.

Every certificate signed by that root becomes untrustworthy. Protecting the private root — typically by keeping it offline — is critical to the security of the whole internal trust system.

MachineCert discovers and inventories certificates from private CAs like ADCS, Vault, and cert-manager alongside public and cloud certificates, then monitors and automates their renewal — bringing visibility to the least-visible PKI.

See it in practice

Bring your private PKI into view.

Discover and manage certificates from your private CAs — ADCS, Vault, cert-manager — in one inventory.
