Getting Started

Know your Deployments for PKI+

We support multiple deployment options to cater to various customer needs and infrastructure preferences. Our solutions can be deployed in On-Premises environments and as a Software as a Service (SaaS).

SaaS Deployment (Highly Secure and Hassle-Free)
Our Software as a Service (SaaS) offering is designed for organizations that prioritize security, simplicity, and efficiency. In this deployment mode, we manage all aspects of application hosting, maintenance, and scaling, providing a worry-free experience for our customers. Our SaaS platform is built with cutting-edge security measures, including robust encryption, multi-factor authentication, and continuous monitoring to ensure your data and operations are protected at all times.

Choosing SaaS not only reduces the burden on your IT teams but also ensures that you benefit from the latest updates, features, and security enhancements without any additional effort. This option is ideal for organizations of all sizes, particularly those looking to quickly access our services with the assurance of enterprise-grade security and compliance. For additional information about SaaS deployment, click here.

AVX ONE PKI+ – SaaS Deployment
  • Cloud-Based Installation: AVX PKI+ can be deployed in a SaaS model, with both root and intermediate CAs hosted in the cloud. CA private keys are securely stored in a Cloud HSM integrated with the solution.
  • Custodian Governance: Key operations follow the M-of-N custodian approach with custodian users managed either directly by AVX or via enterprise SSO.
  • Key Storage Options:
    • AVX-Managed Keys: Secured using a master key within the AVX vault system.
    • On-Prem HSM: Integrated using the AVX Cloud Connector, which enables secure connectivity between the SaaS platform and on-premise HSMs.
    • Cloud HSM: Supported, if needed, and packaged along with the solution.
  • Certificate Issuance: All end-entity certificates can be issued directly from this SaaS-hosted instance.

On-Premises Deployment
On-Premises deployment enables organizations to install and operate our applications on their own infrastructure. This approach offers the highest level of control and customization, making it particularly suitable for organizations with strict security, compliance, or performance needs. It is best suited for enterprises with dedicated IT resources and the expertise to manage complex infrastructure. For additional information about on-premises deployment, click here.

AVX ONE PKI+ – Air-Gapped Root CA Deployment
  • On-Premise Installation: AVX ONE PKI+ can be deployed within the customer’s on-premise infrastructure. AVX provides the required installation packages in OVA or other supported formats.
  • Root CA Generation: The deployed instance can be used to create the root CA, which is recommended to remain offline with restricted access to the application.
  • Custodian-Controlled Key Operations: Key operations are managed using an M-of-N custodian model. Custodians can be AVX-managed users or authenticated via SSO and are configured directly within the system.
  • Flexible Key Storage Options:
    • AVX-Managed Keys: Protected using a master key secured in the integrated vault system.
    • On-Prem HSM: Uses existing or newly procured HSMs within the customer environment.
    • Cloud HSM: Supported by AVX, though storing root CA keys in a cloud HSM is generally discouraged for security reasons.
  • Extensibility: The same instance can optionally be used to host intermediate CAs and issue end-entity certificates, if required.

AVX ONE PKI+ – Hybrid Model with Air-Gapped Root CA and SaaS-based Issuing CA
  • Issuing CA Deployment: AVX PKI+ is deployed in the SaaS environment with the intermediate CA (issuing CA) signed by an offline, air-gapped root CA.
  • Offline Signing Workflow: The issuing CA key is generated within an HSM. Its CSR is exported and signed by the air-gapped Root CA. The resulting certificate is then imported back into the AVX SaaS instance.
  • Custodian-Driven Security: All key operations are governed by the M-of-N custodian model using AVX-managed or SSO-authenticated users.
  • Comprehensive Key Storage Support:
    • AVX-Managed Keys
    • On-Prem HSM (via AVX Cloud Connector)
    • Cloud HSM
  • End-Entity Certificate Services: This configuration supports issuance of all end-entity certificates through the SaaS-based issuing CA.
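
The offline signing workflow above can be rehearsed with plain OpenSSL, including the checks worth running on the signed certificate before it is imported back. This is an added example, not AVX tooling or AVX's own procedure: software RSA keys stand in for the HSM-held issuing key and the air-gapped root key, and every file name, subject and function name is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: names, subjects and paths are constructed for this demo.
# Software keys stand in for the HSM-held issuing key and the air-gapped root key.
make_demo_pki() {  # $1 = working directory
  local d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_issuing]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Offline side: self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$d/ca.cnf" \
    -extensions v3_root -subj "/CN=Constructed Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # SaaS side: issuing CA key and CSR (in practice the key stays inside the HSM).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ca.cnf" \
    -subj "/CN=Constructed Issuing CA" \
    -keyout "$d/issuing.key" -out "$d/issuing.csr" 2>/dev/null
  # Offline side: the root signs the exported CSR as a CA that cannot create sub-CAs.
  openssl x509 -req -sha256 -days 1825 -in "$d/issuing.csr" \
    -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.cnf" -extensions v3_issuing -out "$d/issuing.crt" 2>/dev/null
}

# Returns 0 only if the signed certificate is acceptable to import for this CSR.
check_before_import() {  # $1 = CSR, $2 = signed certificate, $3 = root certificate
  local csr_pub crt_pub
  csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ] || return 2        # key mismatch
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 3        # not signed by this root
  openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' || return 4  # not a CA certificate
  return 0
}

WORK=$(mktemp -d)
make_demo_pki "$WORK"
if check_before_import "$WORK/issuing.csr" "$WORK/issuing.crt" "$WORK/root.crt"; then
  echo "issuing CA certificate matches the CSR and chains to the root: OK to import"
fi
```

Return code 2 flags a certificate issued for a different key than the one in the exported CSR, and 3 flags a certificate that does not verify against the expected root.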