Your own Public Key Infrastructure — without the operational overhead

We build, operate, and maintain your dedicated PKI hierarchy. You retain full control over your certificate chain — including the right to take over all key material at any time.

Your certificate chain

CN=Nexilon PRIMARCH Root CA G1, O=Nexilon GmbH
└─ CN=Nexilon PRIMARCH Issuing CA – Your Company G1, O=Nexilon GmbH
└─ CN=vpn.yourcompany.com

What you get

Dedicated Root CA

No shared infrastructure. Your PKI hierarchy belongs to you — we simply operate it on your behalf.

Certificates on demand

SSL/TLS for reverse proxies, DPI certificates for firewalls, client certificates for VPN authentication, and more.

Secure key custody

Root CA key material is stored encrypted and offline. Access only for authorised certificate operations.

Trust distribution

We assist with distributing your Root CA certificate via GPO, MDM, or manual configuration.

No vendor lock-in. Guaranteed.

Unlike traditional managed PKI providers, PRIMARCH gives you full key material handover at any time — including the Root CA, Intermediate CAs, and the complete certificate database.

If you decide to run your PKI in-house, we hand over everything — encrypted, documented, and without re-issuance. Your existing certificates and the entire chain of trust remain valid.

Typical use cases

SSL termination and Deep Packet Inspection on FortiGate and other NGFWs
Client certificates for VPN authentication (IPSec, SSL-VPN, WireGuard)
RADIUS/802.1X authentication on enterprise networks
Internal web services and reverse proxy security
S/MIME certificates for email encryption and signing
Code signing for internal scripts and software distribution