Keytos Documentation

Welcome to the Keytos documentation, your comprehensive resource for all things related to PKI, smart card authentication, FIDO2, Cloud RADIUS, and SSL management. Our tools make it easy to achieve full passwordless authentication, and in this documentation you’ll find everything you need to know to get started as well as industry best practices.

EZCA - Cloud PKI


EZCA - Cloud PKI

EZCA allows you to run and scale your own highly available private CA service without the upfront investment and ongoing maintenance costs of operating a private Certificate Authority. With EZCA, you can quickly deploy a highly available HSM-backed PKI deployment in a few clicks, leaving the management to our world-class PKI experts and freeing up your team to work on other pressing security tasks. EZCA also integrates with key management systems like Azure Key Vault allowing you to automatically manage and rotate all certificates across multi-cloud and hybrid deployments.

  • WebTrust Level Security: Offload time consuming tasks such as HSM provisioning, PKI patching, CRL distribution, disaster recovery, and more to the cloud. EZCA allows your team to quickly deploy a highly available HSM backed PKI deployment in a few clicks. Leaving the PKI management to our world class PKI experts and freeing up your team to work on other pressing security tasks.

  • Secure By Default: While other legacy PKI solutions are hard to set up increasing the probability of a misconfiguration that can cause an outage or even worse; expose your company. EZCA was designed and tested by PKI experts across the world. Making it easy for anyone to set up a world class HSM backed PKI in minutes.

Learn more about EZCA →
EZRADIUS - Cloud RADIUS


EZRADIUS - Cloud RADIUS

EZRADIUS is a cloud-based RADIUS service that allows you to move your network authentication to the cloud. EZRadius is designed to be easy to use and easy to integrate with your existing infrastructure. It’s also highly available and scalable, so you can be sure that your users will always be able to access the resources they need.

  • No Infrastructure to Manage: EZRADIUS is a fully managed cloud service, so you don’t have to worry about setting up or maintaining any infrastructure. This allows your team to focus on other pressing security tasks.
  • Go Passwordless with Certificates: EZRADIUS supports EAP-TLS, allowing you to leverage your existing PKI infrastructure to provide secure, passwordless authentication for your users.
  • Integrated with Entra ID: With support for Entra ID, EZRADIUS makes it easy for your users to authenticate using their existing Entra ID credentials.
  • Protocol Support: EZRADIUS supports a wide range of RADIUS protocols, including EAP-TLS, EAP-TTLS, PAP, PEAP, EAP-MD5, and MS-CHAPv2, making it easy to integrate with your existing infrastructure, both new and old.

Learn more about EZRADIUS →
EZSSH - Zero Trust SSH


EZSSH - Zero Trust SSH

EZSSH uses SSH Certificates to create short-term access keys signed by our HSM-backed Certificate Authority (CA) that grant just-in-time access to your resources while creating an audit log that can be traced back to the user and their actions. The best part? The user doesn’t have to do anything extra - they just type the command, and we handle everything in the background. And since EZSSH uses native SSH Certificates, most Linux distros can trust a specified CA and accept certificates from it without any additional changes.

  • Just-in-Time Access: EZSSH issues short-lived SSH certificates that automatically expire after a set period, reducing the risk of long-term key compromise.
  • Isolated Certificate Authorities: Each policy inside each customer’s account gets its own HSM-backed Certificate Authority, creating an identity perimeter limited to your own access policy. We also offer a “bring your own CA” option where you can bring your own Azure Key Vault and give EZSSH create and sign permissions, allowing you to remain in control of your private keys and how they’re used.
  • Support for GitHub: EZSSH integrates with GitHub to provide seamless access to your GitHub-hosted resources using SSH certificates.

Learn more about EZSSH →
EZCMS - Truly Passwordless Onboarding


EZCMS - Truly Passwordless Onboarding

EZCMS is the first truly passwordless onboarding tool for SmartCards. EZCMS’s industry leading technology enables users to quickly create their secure identity without the help of the IT Help Desk.

  • Meet Your Infrastructure Needs: After years of working with highly regulated organizations, we understand that when it comes to security there is no one size fits all. Our tools are designed to be able to: run fully on premises managed by your team, in the cloud managed by your team while still connecting to your on premises Certificate Authority, or fully managed by Keytos (Including cloud based HSM backed CAs) leaving the infrastructure management to our team of experts allowing your team to focus on other pressing security issues.

  • Meet and Exceed Regulatory Requirements: With the rise of cyber-attacks have also come a wave of new regulatory requirements that require organizations to adopt the zero-trust identity features such as Microsoft’s unphishable credentials. EZCMS’s Zero trust design is the easiest way to enable Azure Certificate based Authentication.

Learn more about EZCMS →
EZMONITOR - Turnkey SSL Monitoring


EZMonitor - Turnkey SSL Monitoring

EZMonitor scans and monitors your SSL certificates across the internet and uses our cloud intelligence to alert you if any business critical anomalies are detected.

  • Turnkey Monitoring: EZMonitor’s hosted architecture gives you full visibility into your all your SSL certificates in one convenient dashboard. Enabling your team to start monitoring your SSL health and security in minutes. In addition to our dashboard, EZMonitor adapts to your team needs by enabling you to receive the generated alerts by: Email, SIEM integration, or by calling our APIs.
  • Prevent Costly Outages: According to Gartner, the average outage costs companies $300,000 per hour. EZMonitor was designed to help the more than 80% of companies reporting a certificate related outage in the past 2 years.
  • Meet and Exceed DHS Requirements: The Department of Homeland Security requires all federal agencies to use a Certificate Transparency monitor such as EZMonitor to detect rogue SSL certificates.

Learn more about EZMONITOR →

Keytos Product Changelog

Monthly changelog of customer-facing features across Keytos products including EZCA, EZRADIUS, EZSSH, EZMonitor, and EZCMS.