
Root Signing Services

Leveraging Corporate Certification Authorities to issue globally trusted digital certificates



Benefit of a Unique Trust Model

Selected customers can adhere to the OISTE-WISeKey Trust Model and benefit from immediate recognition of the certificates issued by a dedicated corporate CA, inheriting our accreditations and our recognition by browsers and operating systems.


Enable your CA to issue Trusted Certificates

The OISTE Trust Model allows affiliates to adhere to it and operate Issuing CAs under the “Standard” and “Advanced” Policy Certification Authorities. A comprehensive description of the different certificate profiles is available in

Affiliates can be enabled to issue these certificates:

  • Standard Certificates: aimed at e-mail protection and non-legally binding digital signatures. These certificates reference an e-mail address, not the person’s identity.
  • Advanced Certificates: aimed at legally binding signatures and a higher level of security. Advanced Certificates can be issued to:
    • Physical persons or individuals
    • Legal persons or corporations
    • Applications (i.e. SSL Certificates)
  • Device Certificates: specially adapted for the needs of connected devices in the Internet of Things


The “Domain Constraint” Approach

To include third parties in our Trust Model effectively, we need to ensure that affiliates can assume independent control of their subordinate Certification Authorities while respecting two basic concepts:

  • WISeKey/OISTE Certification Practices and Policies are respected
  • There’s no interference with other possible affiliates in the Trust Model

The mechanism that ensures this is the “domain constraint”, which limits a subordinate CA to issuing certificates within a set of allowed Internet domains. For example, a customer could generate a CA that is constrained to the domain, in this case, the domain constrained CA would be allowed to issue certificates including names such as:

  • A certificate that includes the e-mail:
  • A certificate that includes the e-mail:
  • SSL certificate that includes the server name:
  • SSL certificate that includes the server name:
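
The matching rule behind a domain constraint, as an added example (not WISeKey's code): RFC 5280 name-constraint matching for DNS names and e-mail addresses against a permitted list. The domain `example.com` and all sample names are constructed placeholders; excluded subtrees and other name types are out of scope.

```python
# Added illustration of RFC 5280 section 4.2.1.10 permittedSubtrees matching.
# "example.com" and every sample name below are constructed placeholders.

def dns_within(name: str, constraint: str) -> bool:
    """dNSName: the constraint itself, or the constraint with zero or more
    labels added on the left, satisfies it."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    # The "." boundary is what keeps "evil-example.com" out of "example.com".
    return name == constraint or name.endswith("." + constraint)

def email_within(address: str, constraint: str) -> bool:
    """rfc822Name: the constraint is a full mailbox, a host ("example.com"),
    or a domain (".example.com" = hosts below it, not the host itself)."""
    local, _, host = address.rpartition("@")
    if not local or not host:
        return False
    if "@" in constraint:
        c_local, _, c_host = constraint.rpartition("@")
        return local == c_local and host.lower() == c_host.lower()
    if constraint.startswith("."):
        return host.lower().endswith(constraint.lower())
    return host.lower() == constraint.lower()

MATCHERS = {"DNS": dns_within, "email": email_within}

def permitted(name_type: str, value: str, subtrees: list) -> bool:
    """Apply a permittedSubtrees list of (type, constraint) pairs.
    A name type with no subtree of its own type is NOT restricted."""
    same_type = [c for t, c in subtrees if t == name_type]
    if not same_type:
        return True
    return any(MATCHERS[name_type](value, c) for c in same_type)

def audit(names: list, subtrees: list) -> list:
    """Return the (type, value) names that fall outside the constraint."""
    return [(t, v) for t, v in names if not permitted(t, v, subtrees)]

# Constructed constraint sets: one covers both name types, one only DNS.
CA_SUBTREES = [("DNS", "example.com"), ("email", "example.com")]
DNS_ONLY = [("DNS", "example.com")]

# Constructed names as they might appear in issued certificates.
SAMPLE_NAMES = [
    ("DNS", "www.example.com"), ("DNS", "example.com"),
    ("DNS", "evil-example.com"), ("DNS", "example.com.other.test"),
    ("email", "alice@example.com"), ("email", "alice@mail.example.com"),
    ("email", "bob@example.org"),
]
```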

As an alternative, WISeKey could build a Publicly Trusted CA with no technical or name constraints, but this would imply that the CA must be independently audited before operation and also be included in our annual WebTrust audits.

If you are interested in Root Signing Services, please contact us at and we will confirm whether your project qualifies for this service.