A CA shaped to your supply chain.
With the trust topology you choose.

The PKI module of OnBoard Secure Infrastructure (OBSI) issues and manages certificates for IoT devices. Every certificate is bound to a product, version, and device. Fresh, your root, or an industry root — OBSI runs the issuance layer beneath. When partners need to issue, they do so under scoped authorization, never by holding your CA private keys.

Certificate lifecycle — organized around products and devices.

Every certificate is bound to a product, a version, and a device from the moment it is issued — and stays visible in that frame for its full lifecycle.

01 Issuance

Certificates are issued from validated CSRs, signed inside the HSM hardware boundary. Chip-level CSR verification confirms that the private key was genuinely generated inside a legitimate chip and has never left the device's security boundary — not merely that the signature is mathematically correct.

02 Renewal & rotation

Expiry alerts are triggered by product and device — OEMs can answer which products and which devices have certificates approaching end of validity. Renewal workflows initiate automatically without per-device manual intervention.

03 Revocation

Certificate invalidation takes effect immediately, with CRL management handled by the platform. When a CA key is compromised, a single query surfaces the blast radius, with no cross-system reconciliation: which products, which versions, and how many devices are affected.

Any IoT certificate format your supply chain requires.

Certificate Profiles let you declare any X.509 specification — extensions, key usage, EKUs, validity policy, signing constraints — once. The engine handles every subsequent issuance, whether you author the profile or pick from the pre-built set.

Including ready-to-use profiles for common ecosystems
Matter DAC
Google Cast
ISO 15118
IEEE 802.1AR
OPC UA
Wi-Fi EAP-TLS
OCPP
Aliro
Qi Authentication
C2PA
DLMS/COSEM
LwM2M
50+ more
50+ profiles in total. Custom profiles run on the same engine as the pre-built ones, with the same audit trail.

Your supply chain already has a shape. Your CA should match it.

Factory layouts, partner relationships, and regulatory boundaries define your supply chain's structure. OBSI PKI builds CA hierarchies that follow that structure — at whichever depth you hand the hierarchy over to us.

Self-contained

End-to-end, with product line isolation

OBSI manages root, intermediate, and issuing CAs end-to-end. Multiple issuing CAs separate product lines, each auditing independently. Fits programs starting fresh or moving fully to OBSI.

Anchored

Beneath the root you keep

Your existing internal root sits at the top — typically cold-stored, rarely used. Below it, OBSI runs everything end-to-end: intermediate CA, issuing CAs by product line, and full certificate lifecycle.

Grafted

Beneath an industry or external root

The upper CA can be an industry root — Matter PAA, an automotive V2G root, an IEEE 802.1AR authority — or another party's. OBSI provides the issuance layer beneath it, with multiple issuing CAs where product separation is required.

Whatever sits at the top — fresh, your root, or an industry root — OBSI runs the issuance layer beneath it.

Two modes. One principle: CA private keys don't move.

Multi-party device programs need partners, factories, and branches to issue certificates locally. OBSI PKI separates the right to issue from the keys that sign — so collaboration scales without your CA private keys ever leaving their hardware boundary. Authorization scope and audit are bounded by the PKI Workspace — the same boundary unit shared with KMS and SEMS.

Remote issuance authorization

Partners invoke certificate issuance through authenticated APIs. Each request is checked against scoped authorization — which products, which profiles, what quota, what validity window. Signing happens inside the owner's HSM; only the certificate returns. Every issuance is counted and auditable against the partner's authorized scope.
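The scope check described above can be sketched as a deny-by-default gate that runs before any request reaches the signer. This is an added example, not OBSI code or its API: the `Scope` model, the `authorize` function, the reading of "validity window" as the period in which the partner may issue, and all sample names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Scope:                      # hypothetical model of one partner's authorization
    partner: str
    products: frozenset
    profiles: frozenset
    quota: int                    # total certificates the partner may obtain
    not_before: datetime          # assumed meaning of "validity window":
    not_after: datetime           # the period in which the partner may issue
    issued: int = 0
    revoked: bool = False

def authorize(scope, partner, product, profile, now, audit):
    """Deny-by-default check run before anything is sent for signing."""
    if scope.revoked:
        reason = "authorization revoked"
    elif partner != scope.partner:
        reason = "partner mismatch"
    elif product not in scope.products:
        reason = "product out of scope"
    elif profile not in scope.profiles:
        reason = "profile out of scope"
    elif not scope.not_before <= now <= scope.not_after:
        reason = "outside validity window"
    elif scope.issued >= scope.quota:
        reason = "quota exhausted"
    else:
        reason = "ok"
        scope.issued += 1         # quota is consumed only by allowed requests
    # Every decision, allowed or denied, lands in the audit trail.
    audit.append((now.isoformat(), partner, product, profile, reason))
    return reason == "ok", reason

def demo():
    """Constructed requests against a constructed scope; returns reasons and audit log."""
    day = lambda d: datetime(2025, 1, d, tzinfo=timezone.utc)
    scope = Scope("factory-a", frozenset({"thermostat-v2"}),
                  frozenset({"matter-dac"}), 2, day(1), day(31))
    audit = []
    requests = [("factory-a", "thermostat-v2", "matter-dac"),
                ("factory-a", "doorlock-v1", "matter-dac"),
                ("factory-a", "thermostat-v2", "wifi-eap-tls"),
                ("factory-a", "thermostat-v2", "matter-dac"),
                ("factory-a", "thermostat-v2", "matter-dac")]
    reasons = [authorize(scope, *r, day(5), audit)[1] for r in requests]
    scope.revoked = True          # owner withdraws the right to issue
    reasons.append(authorize(scope, *requests[0], day(6), audit)[1])
    return reasons, audit
```

Denied requests are logged but do not consume quota, so the audit trail records out-of-scope attempts while the issued count stays equal to the number of certificates actually authorized.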

Edge-delegated issuance

Where factory or field operations require local execution, an authorized issuing CA is provisioned into the partner's EdgeHSM under quota, scope, and validity rules defined by the owner and enforced by the receiving hardware. Fits production lines and air-gapped sites where round-trip authorization isn't viable.
In both modes, the right to issue is authorized, scoped, and revocable. CA private keys are not.

See a CA shaped to your device program.

A 30-minute demo covers your CA topology, the Profile System, and how partners issue under scoped authorization without ever holding your CA private keys.