Manage end entity certificates

Server

Secure communication channels between servers, clients, or devices.

Used for TLS/SSL on internal services, APIs, application backends, or IoT gateways that expose endpoints.

Internal company portal, API endpoint, mail servers, proxy, VPN concentrator, IoT gateway, or MQTT endpoint.

User

Authenticate and secure the digital identities of individual users or devices.

Used for email signing/encryption, VPN access, smart-card logins, or IoT devices authenticating to a service.

User authentication, S/MIME, smart-card, or hardware-token, VPN/Wi-Fi (EAP-TLS) authentication, IoT device identity certificates.

Organization

Represent an internal department, functional group, or system identity.

Used for document signing, encrypted group communication, service accounts, or IoT fleet-level provisioning.

Departmental encryption, automation bot, doc signing workflows, service account authentication, and provisioning or product-line identity.

Code signing

Verify the authenticity and integrity of internal software, scripts, or IoT firmware.

Used for signing executables, mobile apps, or firmware update packages.

Certificates for signing: internal software release packages, PowerShell scripts, configuration tools, mobile apps distributed through internal MDM platforms, docker container images before pushing to a private registry.

Wildcard

Secure multiple subdomains under a single parent domain. Simplifies TLS across environments with shared subdomains.

This isn’t recommended for IoT devices, since each device should have a unique, traceable identity.

Wildcard domains covering internal portals, load balancers, APIs, VPNs, test servers, regional clusters under the same parent domain.