Your CA. Our platform.

Integrate your existing certificate authority with Koios. Keep your chain of trust intact. Get managed lifecycle automation for every device in your fleet.

You already have a PKI. You shouldn't have to abandon it.

Most IoT platforms force you onto their certificate authority. That means ripping out your existing PKI, re-issuing certificates, re-certifying for compliance, and explaining to your security team why the chain of trust changed.

Koios BYOCA integrates with your existing CA hierarchy. Upload your root and intermediate certificates, and Koios issues device certificates under your chain of trust. Your compliance posture doesn't change. Your security team doesn't lose sleep.

CA Import

Your Chain of Trust, Intact

Upload your root and intermediate CAs. Your PKI hierarchy doesn't change.

Import your existing root and intermediate certificate authorities. Koios uses your chain of trust for all device certificate issuance. Your existing PKI hierarchy stays intact — Koios issues device certificates under your CA, not ours. Your compliance posture doesn't change.

  • Upload root & intermediate CAs
  • Chain of trust preserved
  • Private keys stay with you
  • Existing compliance posture maintained

Lifecycle Automation

Automated from Issuance to Revocation

Full lifecycle management, even with your own CA.

Even with your own CA, you get full lifecycle automation — issuance, renewal, rotation, revocation — all managed by Koios. Provision devices individually, in bulk, or via API integration with your manufacturing line.

  • Automated issuance & renewal
  • Certificate rotation
  • Instant revocation
  • API-driven provisioning

Multi-Tenant

One Platform, Multiple Hierarchies

Each product line or customer gets their own chain of trust.

Support multiple CA hierarchies within a single Koios organization. Each product line or customer gets their own chain of trust, fully isolated. Manage everything from a single pane of glass.

  • Multiple CA hierarchies
  • Tenant isolation
  • Single pane of glass
  • Per-tenant policy controls

Governance

Enforced Policy, Full Visibility

Define your rules. We enforce them. Every operation is auditable.

Define issuance policies, key algorithms, validity periods, and naming constraints. Enforce your security requirements at the platform level. Every certificate operation is logged — who issued it, when, to which device. Complete traceability for compliance audits.

  • Custom issuance policies
  • Key algorithm & validity controls
  • Complete audit trail
  • Compliance reporting

BYOCA Capabilities

All the benefits of managed PKI, with your existing certificate authority.

Private Keys Stay With You
Your CA private keys never leave your infrastructure. Upload only the public chain — Koios handles the rest.
API-Driven Provisioning
Issue certificates individually or in bulk. Integrate directly with your manufacturing line or CI/CD pipeline via REST API.
CRL & OCSP Distribution
Distribute certificate revocation lists and serve OCSP responses across your fleet under your CA hierarchy.
Custom Policy Controls
Define key algorithms, validity periods, naming constraints, and issuance policies. Enforced at the platform level.
Certificate Monitoring
Track expiry across your fleet. Get alerts before certificates expire. Monitor issuance patterns and anomalies.
HSM-Backed Device Keys
Device certificate keys are generated and stored in hardware security modules. Not in config files, not in environment variables.

Managed CA vs. BYOCA

Choose the approach that fits your infrastructure. You can use both within the same organization.

Feature | Managed CA | BYOCA
--- | --- | ---
Setup time | Minutes — Koios creates and manages the CA | Import existing CA certificates
Chain of trust | Koios-managed hierarchy | Your existing PKI hierarchy
Key management | Koios HSM-backed keys | Your keys + Koios HSM for device certs
Compliance | Koios security posture | Your existing compliance posture
Best for | Teams without existing PKI | Teams with established CA infrastructure

Security isn't a feature. It's the architecture.

Built on infrastructure you already trust. Every byte encrypted at rest and in transit. Keys stored in dedicated HSMs. We don't sell your data. Full stop.

AES-256 at Rest

All data encrypted in storage

mTLS in Transit

Mutual authentication on every connection

HSM Key Storage

Keys never exist in plaintext

SOC 2 In Progress

Type II audit underway

Keep your PKI. Get managed device certificates.

BYOCA is available on Enterprise plans. Start with a free account to evaluate the platform.