DigiCert Private CA deployment models

Trust Architecture Playbook: Issuance pillar

DigiCert® Private CA is a full-stack private PKI service for the DigiCert ONE platform. It supports the complete CA lifecycle, including root and intermediate CA creation, HSM integration, CRL and OCSP configuration, enrollment protocol support, and end-entity certificate issuance. DigiCert Private CA is the central focus of the Issuance pillar because it's the most customizable CA component in the DigiCert ecosystem and requires the most upfront planning.

Choosing a deployment model

DigiCert Private CA is available in two deployment models. For most organizations, the DigiCert-hosted model is the recommended choice: DigiCert manages the CA infrastructure and HSMs on your behalf, reducing operational complexity while maintaining strong security controls. The customer-hosted model is available for organizations with specific requirements that the managed model cannot meet, such as key custody mandates, air-gapped deployments, or strict data residency obligations.

In the DigiCert-hosted model, DigiCert manages the CA infrastructure on your behalf. Your CA runs in the DigiCert cloud, integrated with DigiCert ONE, and is natively available from Trust Lifecycle Manager without an additional connector. Key storage is provided through DigiCert-managed HSMs, with dedicated HSM options available for customers that require stronger separation or portability.

Choose DigiCert-hosted when:

  • You want to issue private-trust certificates without operating CA infrastructure or HSMs.

  • Your environment is cloud-connected and internet-accessible.

  • Your compliance requirements do not mandate that you control CA keys.

  • You want faster onboarding, automated scaling, and platform updates managed by DigiCert.

In the customer-hosted model, you deploy and operate the DigiCert® Private CA software in your own environment: on-premises or in your own cloud infrastructure. You are responsible for the platform infrastructure, including HSMs, networking, backup, and recovery.

Choose customer-hosted when:

  • You must control root and issuing CA keys and cannot delegate key custody to DigiCert.

  • You require offline or air-gapped CA deployments.

  • You must meet strict regulatory, sovereignty, or data residency requirements.

  • You need a highly customized CA hierarchy or revocation model beyond the core platform capabilities.

Important

In the customer-hosted model, your CA infrastructure and keys remain in your environment. To use Trust Lifecycle Manager for centralized lifecycle management, you need a CA connector with a local DigiCert sensor installed on your network to securely manage the integration.

Deployment model decision guide

Use the following table to guide your deployment model selection.

Consideration                        | DigiCert-hosted                                                  | Customer-hosted
-------------------------------------|------------------------------------------------------------------|-------------------------------
Infrastructure management            | Managed by DigiCert                                              | Managed by you
Key custody                          | DigiCert-managed HSMs (dedicated and offline options available)  | Your own HSMs
Setup time                           | Faster                                                           | Slower
Operational effort                   | Low                                                              | High
PKI expertise required               | Low to moderate                                                  | Moderate to high
Trust Lifecycle Manager integration  | Native (no connector required)                                   | Requires CA connector
Offline/air-gapped CAs               | Not supported                                                    | Supported
Customization                        | Within platform capabilities                                     | Full control over CA design
Compliance alignment                 | Standard enterprise needs                                        | Strict regulatory requirements