NextPKI

Every certificate. Every CA. One cockpit.

NextPKI is discovery-first certificate lifecycle management built for the 47-day TLS reality. CA-agnostic, EU-sovereign, crypto-flexible and post-quantum-ready. It finds every certificate before it expires.

EU hosting in Frankfurt Discovery across network and cloud Auto-renewal with approval Crypto-agile, post-quantum-ready
47 days
Maximum TLS lifetime from 2029 under CA/B Forum SC-081v3
all
CAs supported: DigiCert, Sectigo, GlobalSign, Let's Encrypt and more
PQC
Post-quantum cryptography ready, crypto-agile from day one
0
Undiscovered certificates, with discovery across network, cloud and endpoints
Discovery-first

Find the certificate you don't yet know about.

NextPKI scans networks, cloud accounts, load-balancer endpoints and devices. Every TLS and S/MIME certificate lands in your inventory, complete with chain, OCSP status, SAN list and owner.

  • Active discovery (network scan) and passive discovery (cloud APIs)
  • AWS, Azure, GCP, bare metal and on-prem supported
  • Responsible owner assigned automatically per certificate
Lifecycle management

Auto-renewal. With approval. No detours.

NextPKI orders certificates from any supported CA with a configurable approval workflow. ACME for internal CAs, REST APIs for commercial ones. Rollover, renew and revoke in a single cockpit.

  • ACME (RFC 8555) for internal and external CAs
  • Auto-renewal starting X days before expiry, configurable
  • Approval workflow for enterprise compliance
Crypto agility

Post-quantum, before it hurts.

NextPKI is crypto-agile from day one. RSA, ECDSA and Ed25519 today, post-quantum algorithms tomorrow. Switch without changing a line of code in the calling system, governed by a per-tenant policy engine.

  • RSA, ECDSA and Ed25519 fully supported
  • Post-quantum algorithms ready (NIST PQC suites)
  • Policy engine per tenant and per use case
Included on the platform

On the platform or standalone.

NextPKI is included in the platform stack and itemized transparently within the overall package. Standalone list pricing for external PKI use is available on request.

On the platform stack
on the stack

With every Datargo module setup

  • Discovery and inventory
  • Auto-renewal for selected CAs
  • Standard certificate types
  • Audit trail with Datargo ID
Book a call
Standalone PKI
On request

Direct licensing for external customers

  • Direct licensing with no platform lock-in
  • DigiCert, Sectigo and Let's Encrypt connectors
  • 47-day TLS compliance pack
  • Post-quantum options
Book a call
Common questions

What prospects ask first.

What does the 47-day TLS reality actually mean?
In April 2025, the CA/B Forum adopted SC-081v3, a phased reduction of TLS certificate lifetimes: 200 days from March 2026, 100 days from 2027, and 47 days from 15 March 2029. Manual renewal processes become impractical, and automated certificate lifecycle management becomes mandatory.
Which CAs are supported?
DigiCert, Sectigo, GlobalSign, Let's Encrypt and other commercial CAs via REST APIs or ACME. Internal CAs (Microsoft AD CS, OpenSSL-based) via ACME or SCEP. CA-agnostic from day one.
What about post-quantum cryptography?
NextPKI is crypto-agile. The NIST PQC suites (CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon, SPHINCS+) are pilot-ready. Switch without changing any code in the calling system.
How does discovery work?
Active discovery: network scans against known subnets and hostnames. Passive discovery: cloud APIs (AWS, Azure, GCP, Cloudflare), load-balancer endpoints and device inventories. Combined, the two approaches find roughly 95 % of all certificates.
Do I need my own CA?
No. NextPKI works without your own CA by orchestrating commercial CAs. For internal services (microservices, mTLS, IoT), your own private PKI is available from Datargo One.
When will standalone PKI list pricing be available?
Standalone list pricing for external PKI use is available on request. For now, NextPKI is included in the platform stack and billed as part of the overall package.
Sales-led onboarding

Ready for the 47-day reality.

Talk to us before the next certificate lapses. We set up discovery and enterprise PKI together with you.