Trusted Roots & Hierarchies

Flexible models provide full control
over your chain of trust

Get a Quote

Custom PKI hierarchies using GlobalSign’s embedded trust architecture

PKI hierarchies allow you to control the chain of trust in your ecosystem, whether you’re implementing client authentication within an enterprise or deploying secure device identities within a supply chain. GlobalSign supports multiple hierarchy options for more flexible trust management and isolation of control, including dedicated or shared and public or private models.

GlobalSign Root Certificates are already distributed in all operating systems, browsers, and mobile devices, meaning that all certificates issued from hierarchies beneath these roots are transparently trusted. For closed ecosystems, where public trust isn’t wanted or allowed, private and dedicated customer roots and intermediates are issued.

GlobalSign helps you build trust models based on your specific needs using our customizable hierarchy configurations, embedded trust, scalable operations, and PKI expertise.

Below are some of the most common hierarchy options, but this list is not exhaustive. GlobalSign can support most any hierarchy configuration; please contact us with your specific requirements.

Dedicated Private Roots & Hierarchies (Private PKI)

GlobalSign can create and host private hierarchies, including root and intermediate/issuing CAs, for our customers. These are built on the same secure infrastructure we use for our own public roots and are maintained by us, providing the SLAs, certificate policy, high availability, and PKI expertise you need without the burden of doing it yourself.

Learn more about dedicated private hierarchies >>

Branded Public Intermediate CAs / Issuing CAs

Sometimes referred to as vanity CAs, these are dedicated intermediates (sometimes known as issuing CAs or subordinate CAs) specific to one customer that chain up to GlobalSign’s publicly trusted roots. These intermediate CAs are hosted and maintained by GlobalSign, relieving the burden of PKI management and expertise from internal teams.

Learn more about dedicated public intermediate CAs >>

Shared Public Roots (Managed PKI platform)

While there are certainly scenarios where dedicated roots or hierarchies are required, most organizations can meet certificate requirements through our Managed PKI services. Using our all-in-one certificate management portal, you can cover all certificate needs from one place, with advanced billing, user management, and reporting capabilities.

Learn more about Managed PKI >>

Shared Private Root (IntranetSSL)

Our IntranetSSL solution, available via our Managed PKI platform, provides a cost-effective way to issue and manage SSL/TLS Certificates for internal servers and applications. These certificates are issued from a shared, non-public GlobalSign CAs so they can include configurations that the CA/Browser Forum prohibits from public certificates (e.g., validity periods over three years, internal server names or reserved IP addresses).

Learn more about IntranetSSL >>

IoT Roots of Trust

IoT roots of trust enjoy the same flexibilities as traditional roots of trust but are configured for the exacting demands of IoT use. Dedicated private hierarchies, branded public intermediate CAs, shared public roots and shared private roots can all be employed to secure IoT devices, platforms, gateways and networks, depending on your required trust level.

Learn more about our IoT solutions >>

Customized Trust Architecture

GlobalSign can support most any hierarchy configuration. If you need a model other than those described above or aren’t sure what architecture would best suit your ecosystem, just contact us. One of our PKI solution engineers will work with you to build a trust architecture that fits your specific needs.