Managed PKI service

Managed PKI Zertifikat Service

Trusted certificates 24/7

With the SwissSign Managed PKI service you issue, approve, manage and withdraw certificate requests yourself for your employees, customers and partners within a matter of minutes whatever the time of day. You manage your certificates independently via our web interface or on an automated basis via one of our partner solutions with a standardised interface. We validate only once your organization and there will be no need for single validation of certificate requests in the future – even for SSL EV certificates. 

Everything speaks in favour of SwissSign Managed PKI service:

  • Flexible issuance: Any time, any place and everything immediately.

  • Everything from a single source: Every S/MIME or SSL certificate – including SSL EV Gold.

  • Transparent and fair prices: You pay for what you purchase and can use a single certificate on several servers at no extra cost. You also benefit from attractive volume discounts. In case of Personal ID certificates you can save even additionally 40%. Just sign your contract for a first contract period of three years or five years. Afterwards you can resign on a yearly base.

  • SwissSign goes the extra mile: SwissSign is a Swiss company and we work to ensure reliability in everything we do – right down to the last detail. Our local Support team will support you in German, French and English. SwissSign certificates are integrated in European partner solutions for secure and trusted e-business.

Please order now our Managed PKI Offer Tool (inter-active pdf) to create your individual quote:

USD 0.00

High efficiency and low costs

  • Automated use: Thanks to the CMC and RFC 2797 interface standards, you can perform the entire auto-enrolment process using our partner products.
  • Tested with the most popular gateways on the market: Take advantage of a high level of efficiency in the management and distribution of certificates with the most popular gateways on the market. SwissSign's partner
  • High level of flexibility and scalability: You can scale your certificate quantities and types in a flexible manner at any time.
  • Lower costs: You spare yourself cost-intensive development and operational work associated with maintaining your own PKI. We have a price model with rapidly rising volume discounts.
  • Trustworthiness: All popular browsers and operating systems trust our certificates.

Payment – flexible management and billing

  • Billing takes place once a year prior to the acquisition period based on the quantity of certificate licenses.
  • Upon adding to your number of certificate licenses, the volume discount allows you to benefit from your existing certificate inventory.
  • You can always obtain certificates for the agreed order volume. It is not necessary to order those certificate types which were originally mentioned in the order as far as the sum of all your certificate licenses does not exceed the order volume. In case you will exceed the order volume we will contact you for an upgrade of your contract.
  • You are free to decrease your certificate order volume for the next yearly contract period.
  • A certificate revocation followed by the re-issuing of a new certificate constitutes the acquisition of a single certificate. This means that an exchange of a server or a new replacing employee can use the same certificate license.
  • We calculate the certificate usage based on days. That means if you use your certificate only an half year we will count your certificate number as 0.5 for this certificate.
  • Certificates can be issued for the signature, for encryption or for authentication. Provided these are always for the same subject (person, e-mail address, computer, etc.), they only have to be paid for once in the case of Managed PKI.

Are you unsure whether you'd be better off operating your own PKI or whether you would like to procure this from SwissSign? The matrix supports you in deciding whether a "Managed PKI" of SwissSign or an "inhouse PKI" will offer you the greatest benefits.

Compare MPKI and inhouse PKI

Do you currently obtain your certificates via Managed PKI services provided by our competitors? And would you like to switch to SwissSign Managed PKI certificate services?

If so, you can benefit from our attractive changeover offer:

  • All valid certificates at the time of order will be fully taken into account in the first year:
    • Regardless of who the provider is.
    • Regardless of which certificates.
    • Regardless of whether MPKI or web shop.
    • Regardless of the term.
    • Regardless of the validity date.
  • Your volume discount shall apply on an accumulative basis for all existing and newly ordered SwissSign certificates. The volume discount will also apply to subsequent years.
  • For the volume discount, the prices are calculated for appropriate SwissSign certificates.
  • From the first day of the service period, you will be able to acquire all certificates from SwissSign. You determine when you want to exchange the certificates.
  • During the first year, a minimum order value of 20% of the net price will apply.

Our pricing has convinced you and you'd now like to make an order?

If so, send the completed interactive PDF document "Order and Contract for Managed PKI Services" to us at The number of certificates and the certificate types for your Managed PKI are defined therein.

If you already obtain certificates via a different provider, you can benefit from additional discounts during the first year thanks to our attractive changeover offer

Please also note the hints mentioned in "Identity" and add the Managed PKI Setup Agreement (PDF) to your offer. Please read our GT for Managed PKI Services (PDF) as well as the Certificate Policies and Certification Practice Statements (CP/CPS). The CP/CPS represent binding guidelines for the relevant certificate class. Details can be found at


Other required documentation

You will find details in the tab ″Identity″ on the right.


Order confirmation

After receiving and carefully checking your documents, we will send you an order confirmation. You will then receive the access certificates. Details in this regard can be found under "Set-up".

We configure your Managed PKI on the basis of your order. You can retrieve your Managed PKI via a certificate based encrypted connection. The necessary access or operator certificate for this encrypted connection will be supplied in your account at our certificate management platform

As soon as you have received an e-mail with the access data for your account, call up in the browser.

Select the "Account - Login" menu item and log in using the username and password provided for this purpose.

Please initially replace the existing password for your own password not known by SwissSign via the "Change password" menu item.



You also still have the option to amend the saved account data via the "Edit" menu item. Please read the details in this regard in the Managed PKI Services User Guide (PDF, 1,3 MB).

To download the access certificates required to gain access, select the "Search/manage" menu item. In the "Search/manage" window, leave all of the standard settings and press the "Search" button.


Your certificates will now be displayed:


All access certificates are shown in the table. You can download and install each individual certificate via the "Download/attributes" button. For the installation, you will have received the password for the private key to the access certificate from our Fulfilment Centre with a seperate secure e-mail.

As soon as you have access to your Managed PKI, you will have seven days to test the system and report any errors. After this time, the system will be deemed to have been accepted.

Please report any errors which come to light at a later point to our Help Desk which will add these to our ticketing and workflow system. You can contact the Help Desk by phone on+41 848 77 66 55 or alternatively via e-mail at

The two set-up options are described below:

1. Web-controlled management

In the case of web-controlled management (web interface), you now have to install this certificate on your operating system. You can then log in using the certificate login under

2. Acquisition of certificate via partner application

If you acquire the certificate via a SwissSign partner application (e.g. a mail gateway), you will receive a special access certificate for this mail gateway. You must install the downloaded access certificate in your partner application. To do so, please follow the instructions of the application manufacturer.

The connection is based on the CMC interface. For the configuration of this interface you will need the name of the product:
  • ‹Company name›-‹certificate type›, e.g. abc-gold-pers-1y
  • ‹Company name› is generally the same name that was also used for your account.

You can withdraw, adjust or add to your certificates or change the parameters for certificate issuance. The different options are described below.

Subsequent change to the order volume

You can add additional certificates to your Managed PKI service at any time and in doing so take advantage of an increased volume discount. Up to the next annual bill, you shall be charged the difference between your current inventory and the new order on a pro rata basis for the months for which payment is due. As of the new billing date, the new order volume will then be charged.

Please complete the order form or Managed PKI offer tool (interactive PDF) to amend your order.


Subsequent entry of additional domains

You can subsequently enter additional domains (one-time alteration fee per time). If the domains are listed in your name according to the whois database, you can simply inform our Sales & Partner Management of the domain names by sending an e-mail to: or calling +41 848 77 66 55. If not, we will require a domain authorisation or a domain access authorisation (see FAQ).


Subsequent change to the publication status of your certificates

SwissSign maintains a general public directory of all issued certificates (LDAP) on If you would no longer like your certificates to be listed in the directory in future, you can subsequently amend this setting subject to a fee. However, the setting will not be applied retroactively to previously issued certificate.


Subsequent entry of an access manager/operator

You can subsequently enter additional access managers / operators subject (one-time alteration fee per time). They will also receive an access certificate. Please complete the authorisation for the operator to be added. Please also inform us of any access managers who no longer have authorisation and revoke their access certificates.


Change to the company name

If you need to change your current company name, this company must be authorised and checked once again subject to an alteration fee. To this end, the Managed PKI Set-up Agreement must also be completed by this company and the already known or new access managers must be granted authorisation. We will need an additional proof of organization.

We will again require a copy of the identification documents / passports for all new signatories. This prevents the accidental issuing of certificates to third-party companies. When selecting the e-mail addresses, last names, first names and sub-domains, you are free to enter these in the certificate provided this is allowed by the respective certificate type.


Order for other companies

If you would in future like to request certificates for additional organizations in your Managed PKI we need the authorization and acceptance of this organization. The change will be done based on a change fee. The new organization has to sign the "Declaration of Consent and Term of Certificate Use" in order to be admitted in your Managed PKI. By this the new organization accepts all terms of the Managed PKI and authorizes the access managers of the current Managed PKI also for the request of certificates for this new organization.

For all new signatures we need again a copy of the ID/passport. This prevents the misuse of certificate issuance. We need also a current proof of organization (trade registry excerpt or similar) for the new organization. The declaration must be signed by the authorized signatory of this organization as stated in the proof of organization.




Using a Managed PKI (public key infrastructure), you can apply for and acquire certificates for your organisation. The identity and the authorisations of your organisation are checked once prior to the setting up of the Managed PKI. Subsequently, you can immediately acquire certificates around the clock without the need for an individual check by SwissSign.

SwissSign delights hundreds of customers with its flexible Managed PKI services. As a reference depicting the kind of service we provide to our other customers, a description of the SwissSign solution provided to Mobiliar can be found here:


Managed PKI is part of Mobiliar's state-of-the-art infrastructure

  • When Mobiliar introduced the Secure Socket Layer security, TLS version 1.1 had just been standardised.
  • A cooperative structure, local presence, four national languages and numerous domain names mean that many different SSL certificates are required by the general insurer.
  • While others are still contemplating whether to "make or buy", Mobiliar has long since solved this conundrum: with the Managed PKI service (MPKI) of SwissSign, the expert partner for complex products.


The impetus behind the move to implement the SwissSign solution came from the high level of complexity, the large number of certificates and the associated costs: Mobiliar has around 20,000 different certificates internally for clients and servers, for the safeguarding of websites and for allowing encrypted access to data, e-mails and services being used.

Customer case – Mobiliar: SSL certificates as a Managed Service (PDF, 1,46 MB)


After you have sent the "Order and Contract for Managed PKI Services" document to us electronically, the following documents must be submitted by post or via e-mail with a qualified electronic signature:

  • Managed PKI Set-up Agreement: This document governs the obligations, approvals and authorities which you accept as a registration authority (RA). The document must be counter-signed by the access managers and your organisation's management figures pursuant to the proof provided of the organisation's existence (e.g. commercial register excerpt). Please note that the vetting process can be very fast if those responsible persons signed the Managed PKI Setup Agreement who are mentioned in the registry for this organization. Otherwise we need a phone call to your human resource department for the confirmation of authority of the signee for digital identities in your organisation. Managed PKI Setup Agreement (PDF)
  • Declaration of Consent and Terms of Certificate Use: In case the Managed PKI should issue certificates for an additional organisation than the organisation mentioned in the Managed PKI Set-up Agreement we need the signatures from the authorized signatories of this organisation. They authorize the registration authority of the organisation set forth in the Managed PKI Setup Agreement and their access managers and they accept the terms of use for the certificates issued by this Managed PKI. They authorize SwissSign to issue also certificates with the organisation designator mentioned in the declaration. Organisation Authority and Terms of Certificate Use (PDF)
  • Copies of identification documents/passports: To accelerate the identification process, we advise to enclose copies of the identification documents – Switzerland, Liechtenstein and EU – or passports of all signatories. The signature and photograph must be clearly visible. Alternatively, we will call all persons who signed the document to verify the identity. We will accept digital documents with qualified signatures without further verification.
  • Domain authorisation: If the domains mentioned in the order do not belong to you according to or similar whois databases, you require a domain authorisation: Domain authorisation (PDF). Should it not be possible to provide a domain authorisation, you can also set up a website in this domain as arranged with us or you reply to an e-mail sent to the domain administrator. Details can be found in the FAQ.
  • Proof of organisation's existence: Shoud we not find your organisation in a public register, we will call you for further proof of organisation's existence.

Postal and e-mail address

SwissSign AG
Sales & Partner Management
Sägereistrasse 25
8152 Glattbrugg



Order confirmation

After receiving and carefully checking your documents, we will send you an order confirmation. You will then receive the access certificates. Details in this regard can be found under "Set-up".


Write Your Own Review

Only registered users can write reviews. Please, log in or register