Why we run our own certificate authority

Every service inside Authr speaks mutual TLS to every other service, every workload identity is a certificate, and every one of those certificates chains to a root we own, protect, and could destroy with a ceremony involving three people and two safes. This post is about why we run our own certificate authority instead of leaning on public PKI, and what that choice actually costs.
Public CAs answer a different question
Public PKI exists to let strangers trust each other. Its constraints follow from that mission: multi-day issuance conservatism, revocation infrastructure designed for the open internet, maximum lifetimes measured in months. Our problem is the opposite of strangers. We know exactly which workloads should exist, we created them, and we want certificates that live for 20 minutes, not 90 days. When your median certificate outlives the pod it identifies by a factor of a thousand, revocation stops being a safety net and becomes your primary attack surface.
Short lifetimes invert that. A credential that expires in 20 minutes barely needs revocation at all; the clock does the work. But no public CA will issue at that rate. We mint roughly 40 million certificates a day. That is not a use case, that is a denial-of-service complaint.
The shape of the hierarchy
The root lives offline in HSMs, touched only in recorded, multi-party ceremonies, most recently this March. Below it, per-environment intermediates, and below those, per-cell issuing CAs with narrow name constraints, so an issuing CA in one cell is cryptographically incapable of minting an identity for another. A workload proves what it is to the local issuer via its platform attestation, and gets back a certificate that says precisely one thing.
$ authr-pki inspect --cert /run/identity/current.pem
subject: spiffe://authr.internal/cell/eu-w-3/svc/token-mint
issuer: Authr Issuing CA eu-w-3 G4
chain: root G2 -> intermediate prod-eu G3 -> issuing eu-w-3 G4
not-before: 2024-06-25T09:41:02Z
not-after: 2024-06-25T10:01:02Z (lifetime: 20m)
name-constraint check: PASS (cell/eu-w-3 only)What it costs, honestly
Running a CA is not a weekend project, and I want to be precise about the bill. It is HSM fleets in every region, key ceremonies with dual control and tamper-evident everything, a dedicated team that treats the issuance path as a tier-zero service with its own error budget, and an annual exercise where we rehearse compromising our own intermediate and rebuilding trust from the root. That last one takes three days and it is the best security investment we make all year, because PKI failures are never the math. They are always operations.
The payoff is that identity inside Authr is not a configuration, it is a physical property of the infrastructure. Nothing talks to anything without proving what it is, freshly, every 20 minutes, across 22 regions. When customers ask what zero trust means here, this is the answer under the buzzword: certificates all the way down, and the mint is ours.
Writing from inside the identity layer since 2024. For the conversation this post starts, bring it to your next architecture review — or to ours.
