Sectigo CaaS revolutionizes how partners manage and monetize digital certificates
The SSL/TLS certificate market is booming, projected to hit $4.2 billion by 2028. With shorter certificate lifespans like 47-day TLS becoming soon the new norm, managing certificates manually isn't just time-consuming—it's unscalable. But with Sectigo CaaS for Partners, you can turn these challenges into opportunities.
Designed specifically for partners, Sectigo CaaS empowers you to automate certificate management, streamline operations, and deliver seamless, secure experiences for your customers.
Why choose Sectigo CaaS for your business?
With Sectigo CaaS, you can manage up to 12x more certificates without increasing your staff. Whether you’re issuing certificates to customers or managing your own internal operations, our automated platform helps eliminate human error, reduces downtime, and frees your team to focus on what matters most—growing your business.
Key benefits of Sectigo CaaS for Partners
Get control how your customers issue certificates under your subscription with seamless ACME account oversight and reporting, ensuring control without complexity.
Easily handle the growing demand for SSL/TLS certificates as your customer base expands. Sectigo CaaS is designed to support high volumes without compromising on speed or security.
Move away from the uncertainty of one-off purchases. Our subscription-based model offers predictable costs, helping you plan and grow your revenue.
Mitigate risks associated with expired certificates. Sectigo ensures that all certificates are compliant with the latest industry requirements, including 47-day TLS and postquantum cryptography readiness.
Plug subscription and account management into your existing systems with our flexible ACME Admin API, designed to scale with your business needs.
Get started, see how easy it works
ACME automation guarantees high value and low effort:
- You manage your subscriptions & ACME accounts with a single admin API endpoint
- Your customers just need to setup the ACME client
- No more copying or pasting of CSRs, manual validations, email delays, or yearly renewal reminders
- Minimal IT resources required
Built to scale your business
At Sectigo, we understand that no two partners are alike. That’s why CaaS is designed to be flexible and scalable, fitting seamlessly into your business model. Our platform helps you:
Expand your service offering
Add value by offering automated certificate management as part of your portfolio.
Reduce operational overheads
Let automation do the heavy lifting while your team focuses on customer success.
Enhance customer experience
Deliver faster, more reliable services that keep your customers’ businesses running smoothly.
FAQ
Ready to start
Right away. You just need to have a Sectigo Partner account set up with CaaS enabled. Please contact our Partner Sales team via partners@sectigo.com to assist in set up.
Please contact our Partner Sales team via partners@sectigo.com to assist in your Partner account setup.
The CaaS API specifications can be found here: https://docs.sectigo.com/caas/caas-api-guide/introduction-to-caas.html
General
DV support is available now, and OV support is on the way. Sectigo CaaS is currently available with DV certificates only. We are in the process of implementing support for OV certificates with planned delivery in Q2.
At the present time, support for EV is not planned.
Support for OV will be added to CaaS soon. The organization will need to be pre-validated and tied to the right domain(s) prior to certificate enrolment. Once validated, an OV certificate request will result in issuing the certificate containing the pre-validated organization details tied to the domain(s) the certificate is requested for, once domain validation is completed.
This will allow access to an unlimited amount of OV certificates containing the pre-validated organization’s details obtained during the subscription period.
Yes, the TLS certificates issued through CaaS can include wildcard domains.
The answer depends on what "client" implies:
If the client is an ACME client, one subscription can be utilized by multiple ACME clients using ACME accounts that share the External Account Binding (EAB) details. An ACME client can operate multiple ACME accounts; however, not with a typical command-line ACME client.
If the client is a customer, selling one subscription for each customer makes perfect sense. However, you can also opt for selling multiple subscriptions to your customer by "releasing" multiple EAB details to them (if needed). Each EAB details have their own subscription that will need to be managed separately.
One subscription should not be shared by different customers.
Installation and use of an ACME client requires sufficient permissions to install and run the client, as well as access to the webserver or DNS, and the ability to restart some services (if installation is also required and supported by the client). In a situation where none of these prerequisites can be met, then CaaS (and any ACME CA) would not be supported.
Pricing
CaaS is priced as a yearly or multi-year subscription. The benefit of using CaaS does not significantly increase the current equivalent yearly cost of a certificate.
We work with our partners on a tiered basis, with respect to number of clients and certificates managed.
All listed options are available in CaaS.
A domain subscription needs to be purchased and is Priced per Fully Qualified Domain Name (FQDN) or wildcard domain name. An unlimited number of single-domain and multi-domain certificates, including wildcard certificates, can be requested for the subscribed domains during the subscription period.
If *.sectigo.com is added to the subscription and then sectigo.com, only a wildcard domain cost will be charged. www.sectigo.com is covered by the wildcard domain.
If sectigo.com is added to the subscription and then www.sectigo.com, the cost of only one FQDN will be charged.
Even with a few certificates, the manual task of copying and pasting CSRs and manual domain validation is no one’s favourite task on their to-do list. It also presents the risk of human error when doing this routinely, especially as certificate lifespans continue to shrink. Our prices are competitive – please reach out to our Partner Sales team at partners@sectigo.com for a price offer.
Technical
ACME offers a few different methods of domain validation. Sectigo supports DNS-based validation method with dns-01 in ACME and HTTP-based method with http-01.
ACME protocol does not support email-based validation, as it is not automatable.
The communication between ACME client and ACME sever is performed in accordance with ACME protocol documented in https://datatracker.ietf.org/doc/html/rfc8555.
No, they don’t expire. ACME EAB credentials are just used during ACME account creation as indication of your approval to bind this ACME account to your Sectigo Partner account, as well as your approval of the ACME account key.
The EAB credentials that we offer can be reused. If your customer has multiple servers or multiple clients, they can reuse those credentials to create multiple ACME accounts. They will share the same subscription and domains that they can issue certificates for.
Compliance
We don't have a date yet. According to the current ballot proposed by Apple, we will see a reduction to 200 days next year in 2026, 100 days in 2027, and 47 days in early 2029. Though not guaranteed, we do expect to see either this ballot passing, or Google and/or Apple enforcing new standards as part of their programs. As soon as the landscape of certificate lifespans becomes firmer and we have final dates, Sectigo will publicize this information to all their customers.
Private CAs and certificates are generally out of scope for these changes, but some trust-store operators (Apple) have historically limited private TLS certificates to 825 days. The current CA/Browser Forum ballot does not cover private certificates at all. As a reminder, CaaS covers publicly-trusted certificates.
The existing APIs and certificate provisioning processes will remain unchanged. Once shorter certificate lifetimes are required, this will be enforced in Sectigo systems, in the same way we made this change when moving from 3 to 2 and 1-year certificates.
Get started today
Ready to revolutionize your certificate management? Book a personalized demo of Sectigo CaaS and discover how our platform can transform your operations and drive new revenue streams.
Enter your details and we will be in touch
