Overview
The challenge with running mTLS in production
Mutual TLS is the right answer when you need to authenticate B2B partners, internal microservices, proprietary clients, or devices without relying on shared secrets. But the path to running mTLS in production involves significant operational complexity: standing up and maintaining a certificate authority, implementing revocation infrastructure (CRL publication, OCSP responders), managing key rotation, ensuring high availability, and writing the API surface that your applications will use to request and rotate certificates. For most teams, this is months of platform engineering work plus ongoing maintenance.
What CA Manager does
CA Manager is an API-first certificate authority service. A single authenticated REST call issues an X.509v3 certificate signed by your private CA. Industry-standard cryptography is supported, with configurable key algorithms, signing parameters, and validity periods. Certificate bundles are returned through either an inline API response or a presigned download URL, so CI/CD pipelines, mobile build systems, and runtime workloads can fetch them programmatically without operating any PKI infrastructure of their own.
Predictable pricing built for steady production workloads
Pricing is contract-based, starting at $199/month for up to 100 certificates and scaling to $1,999/month for up to 5,000 certificates. Overage certificates are billed per unit at rates that decrease at higher tiers. There is no separate fee for CRL or OCSP. Both are included in every plan.
Managed revocation, included in every plan
Revocation is fully managed. CA Manager exposes public CRL and OCSP endpoints so relying parties can validate certificate status in real time without you running responders, scheduling CRL publication, or maintaining revocation infrastructure. Both CRL and OCSP are included in every contract tier.
Multi-tenant by design, AWS-native operations
Each customer operates inside an isolated trust boundary, with its own dedicated CA, certificate inventory, and revocation list. There is no shared CA across tenants. Operational activity is logged through AWS CloudTrail, so customers using AWS-native observability stacks can ingest CA Manager events alongside the rest of their AWS audit data.
Where CA Manager fits best
CA Manager is designed for scenarios where you control both sides of the mTLS handshake and a private CA is the appropriate trust model. It is not for use cases that require certificates anchored to publicly trusted root programs. Common production workloads include: authenticating B2B partner integrations, internal microservice-to-microservice mTLS, proprietary SDK or client authentication, device and terminal authentication, CI/CD and supply chain agent authentication, and zero trust service mesh deployments.
Who this is for
You are a fintech, SaaS platform, payments company, or engineering team that:
- Issues mTLS certificates today through manual or semi-manual processes
- Authenticates B2B partners, internal services, or proprietary clients with mutual TLS
- Needs API-driven certificate issuance without standing up and operating PKI infrastructure
- Wants predictable contract pricing with transparent overage rates
- Controls both endpoints of the mTLS handshake (no public root program requirement)
Highlights
- Issue X.509v3 certificates via a single authenticated REST API call. Industry-standard cryptography is supported, with configurable key algorithms, signing parameters, and validity periods. No PKI infrastructure to install or operate. Certificate bundles are returned through an inline API response or a presigned download URL, ready for direct consumption by CI/CD pipelines, mobile build systems, and runtime workloads.
- Fully managed revocation. CA Manager exposes public CRL and OCSP endpoints so relying parties can validate certificate status in real time without you operating responders, scheduling CRL publication, or maintaining revocation infrastructure. Multi-tenant by design: each customer operates inside an isolated trust boundary with its own dedicated CA, certificate inventory, and revocation list. No shared CA across tenants.
Pricing
| Dimension | Description | Cost/month | Overage cost |
|---|---|---|---|
| Starter | Monthly contract for up to 100 certificates with REST API access and CRL endpoint | $199.00 | |
| Growth | Monthly contract for up to 500 certificates with REST API access, CRL endpoint, and WebHook notifications | $449.00 | |
| Scale | Monthly contract for up to 1,000 certificates with REST API access, CRL endpoint, WebHook notifications, and AWS ALB Trust Store integration | $799.00 | |
| Volume | Monthly contract for up to 5,000 certificates with REST API access, CRL endpoint, WebHook notifications, AWS ALB Trust Store integration, and OCSP responder | $1,999.00 | |
Vendor refund policy
Full refund within 48 hours of contract activation if no certificates have been issued. After 48 hours, contracts are non-refundable for the remaining period; cancellation prevents auto-renewal. Exceptions: documented billing errors, service unavailability over 24 consecutive hours, or AWS Marketplace duplicate charges. Send AWS Account ID, Subscription ID, activation date, and reason to support@swepay.com.br. Processing: 5-7 business days via AWS. Full policy: https://marketplace.swepay.co/refund-policy/
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
SUPPORT CONTACT
- Email: support@swepay.com.br
- API Reference: https://ca.swepay.com.br/docs/scalar
RESPONSE TIMES
- Critical (production outage, security incident): 1 business hour
- High (degraded functionality, integration blockers): 4 business hours
- Standard (general questions, configuration help): 1 business day
SUPPORT CHANNELS
- Email support at support@swepay.com.br
- Interactive API reference powered by Scalar with full endpoint documentation, request/response schemas, and code examples
INCLUDED FOR ALL SUBSCRIBERS
- Comprehensive REST API documentation with code examples
- AWS integration guides for Application Load Balancer, API Gateway, and CloudFront
- Sample CloudFormation and Terraform deployment templates
- Regular platform updates and security patches
SUPPORT HOURS
Email is monitored 24/7 for critical production incidents. General inquiries are answered Monday through Friday, 9 AM to 6 PM BRT.
SUPPORT LANGUAGES
English (primary), Portuguese (Brazil)
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.