CA Manager

Available now

mTLS certificate API for B2B partner authentication.

Issue, renew, and revoke mTLS certificates via REST API. CRL and OCSP responder hosted on a dedicated CDN. Audit log included. Built for Brazilian fintechs that authenticate dozens to hundreds of B2B partners in private integrations, without operating PKI internally.

Subscribe on AWS Marketplace Read the API reference

The use case

B2B partner authentication, in production.

Brazilian fintechs that integrate with partner ecosystems, payment processors, sub-acquirers, BaaS clients, financial service consumers, face the same operational problem: dozens to hundreds of certificate-authenticated mTLS connections to manage.

Every partner needs a certificate. Every certificate has a lifecycle. And every event of that lifecycle is operational work that doesn't differentiate your product: issuance, renewal, revocation, OCSP query.

The traditional path is to set up your own private CA: pick a PKI stack, write scripts, configure CRL distribution, custody the root key in dedicated hardware, build a presigned download mechanism, write audit logs, and maintain all of it as your partner base grows.

CA Manager replaces that entire stack with a REST API. Your fintech keeps full control over which partners get certificates and which ones get revoked. Swepay handles everything that doesn't add value to your product.

Where CA Manager fits in your stack

What's in the box

Full certificate lifecycle, managed.

REST API for the entire lifecycle

Issue, renew, revoke, and query certificates via a single API surface. JWT bearer authentication. No portal forms, no manual approval steps.

Private CA per tenant

Each Swepay tenant gets a dedicated private CA, isolated from other tenants. Your root key is generated in managed cryptographic custody and not extractable. Your intermediate hierarchy is yours.

CRL and OCSP on a dedicated CDN

Certificate Revocation List is published automatically as certificates are revoked, served from ca-cdn.swepay.com.br with edge caching. OCSP responder supports both POST (RFC 6960) and GET (RFC 6960 §A.1) variants. CRL Distribution Points and Authority Information Access extensions embedded in every certificate. Your partners' mTLS clients validate revocation status without coupling to the administrative API.

Four delivery formats per issuance

Each issued certificate is returned in four formats on the same API response: PEM inline, presigned PEM download URL, base64-encoded PFX with generated password, or presigned PFX download URL. Pick the format that fits your partner's runtime, no conversion scripts needed.

Audit log with configurable retention

Every API call leaves an immutable audit record. Retention is configurable per plan (30 days to 1 year). Queryable when an auditor asks for evidence, internal, regulatory, or partner-driven.

AWS Marketplace billing

Pay on your AWS bill. Subscribe in five minutes. Upgrade between tiers without procurement cycles. Cancel anytime.

Multi-tenant by design

Built from day one for fintechs that need tenant isolation. Customers, environments, and key pairs are scoped by tenant from API to storage layer.

From zero to production

Six steps, six API calls.

A complete certificate lifecycle, demonstrated. Authenticate with a JWT bearer token delivered after subscribing on AWS Marketplace. Administrative API at https://ca.swepay.com.br; PKI infrastructure (CRL, OCSP) at https://ca-cdn.swepay.com.br.

0. Initialize your CA (one-time)

Before issuing certificates, initialize your tenant's private Certificate Authority. The root key is generated and stored in managed cryptographic custody within Swepay's infrastructure, not accessible externally, not extractable.

Requestbash

curl -X POST https://ca.swepay.com.br/v1/ca/initialize \
  -H "Authorization: Bearer ${SWEPAY_JWT}" \
  -H "Content-Type: application/json" \
  -d '{
    "commonName": "Your Fintech Root CA",
    "organization": "Your Fintech S.A.",
    "country": "BR",
    "validityYears": 10
  }'

Responsejson

{
  "caId": "8f3c9b2e-1a4d-4e5f-9c8a-2b3d4e5f6a7b",
  "certificatePem": "-----BEGIN CERTIFICATE-----\nMIIDXTCCAk...",
  "expiresAt": "2036-05-22T14:30:00Z"
}

1. Issue a client certificate

Provide identity attributes. CA Manager generates the key pair and returns the certificate in four delivery formats, choose what fits your runtime.

Requestbash

curl -X POST https://ca.swepay.com.br/v1/certificates \
  -H "Authorization: Bearer ${SWEPAY_JWT}" \
  -H "Content-Type: application/json" \
  -d '{
    "clientId": "partner_001",
    "commonName": "partner.example.com",
    "organization": "Partner Inc",
    "organizationalUnit": "B2B Integrations",
    "country": "BR",
    "validityDays": 365,
    "responseFormat": "Text",
    "passwordProtected": true
  }'

Responsejson

{
  "certificateId": "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
  "serialNumber": "01:23:45:67:89:AB:CD:EF",
  "certificatePem": "-----BEGIN CERTIFICATE-----\nMIIDXT...",
  "privateKeyPem": "-----BEGIN PRIVATE KEY-----\nMIIE...",
  "expiresAt": "2027-05-22T14:30:00Z",
  "pfxBase64": "MIIK1QIBAzCC...",
  "password": "p@ssw0rd-Gen3rated"
}

2. Query certificate status

Get full certificate details by ID, status, validity, expiration countdown.

Requestbash

curl https://ca.swepay.com.br/v1/certificates/a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d \
  -H "Authorization: Bearer ${SWEPAY_JWT}"

Responsejson

{
  "certificateId": "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
  "status": "Active",
  "issuedAt": "2026-05-22T14:30:00Z",
  "expiresAt": "2027-05-22T14:30:00Z",
  "daysUntilExpiration": 365
}

3. Revoke a certificate

Revoke with RFC 5280 reason code. Certificate is added to the CRL within minutes.

Requestbash

curl -X POST https://ca.swepay.com.br/v1/certificates/a1b2c3d4-.../revoke \
  -H "Authorization: Bearer ${SWEPAY_JWT}" \
  -H "Content-Type: application/json" \
  -d '{
    "reason": "Private key suspected compromised on partner side",
    "reasonCode": "KeyCompromise"
  }'

Responsejson

{
  "certificateId": "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
  "revokedAt": "2026-05-23T10:15:00Z"
}

4. Monitor expiring certificates

Query certificates expiring within a window. Useful for proactive renewal automation.

Requestbash

curl "https://ca.swepay.com.br/v1/certificates/expiring?days=30" \
  -H "Authorization: Bearer ${SWEPAY_JWT}"

Responsejson

{
  "days": 30,
  "certificates": [
    {
      "certificateId": "...",
      "commonName": "partner.example.com",
      "expiresAt": "2026-06-15T14:30:00Z",
      "daysUntilExpiry": 24
    }
  ]
}

5. Partner-side: validate via OCSP

Your partner's mTLS client queries the OCSP responder on the CDN during handshake. RFC 6960 standard.

Requestbash

openssl ocsp \
  -issuer ca.pem \
  -cert partner-cert.pem \
  -url https://ca-cdn.swepay.com.br/v1/tenants/${TENANT_ID}/ocsp \
  -resp_text

Responsejson

Response verify OK
partner-cert.pem: revoked
  This Update: May 23 10:15:00 2026 GMT
  Revocation Time: May 23 10:15:00 2026 GMT
  Revocation Reason: keyCompromise (0x1)

Full API reference, OpenAPI spec, and architecture details on the developers page. For technical questions, email [email protected].

Pricing

Pay for what you use. No floor, no overage surprises.

Plans differ by certificate volume included. All plans get the same API, same audit log, same OCSP responder, same support response time. Subscribe and upgrade via AWS Marketplace.

Starter

$199/month

Certificates included: 100
Overage rate: $2.25
Audit retention: 30 days
Support: Email, business hours
Best for: Fintechs starting with B2B partner integrations

Growth

$449/month

Certificates included: 500
Overage rate: $1.02
Audit retention: 90 days
Support: Email, business hours
Best for: Fintechs scaling partner ecosystems

Scale

$799/month

Certificates included: 1,000
Overage rate: $0.90
Audit retention: 180 days
Support: Email + Slack channel
Best for: PSPs and acquirers with mature partner programs

Volume

$1,999/month

Certificates included: 5,000
Overage rate: $0.49
Audit retention: 365 days
Support: Email + Slack + priority response
Best for: BaaS providers and large fintechs

Want to see it in action first?

Request a guided demonstration before subscribing. Email [email protected] with your name, company, and a brief description of your B2B integration scenario. We schedule a 30-minute technical walkthrough.

Above 5,000 certificates per month?

Talk to engineering for an AWS Marketplace Private Offer with custom volume, dedicated support, contractual SLA, and negotiated overage rates.

Evaluate it in a sandbox first

Request a 15-day sandbox with 5 certificates to run issuance, OCSP, and revocation against your own integration before subscribing. No AWS Marketplace contract required.

Be honest about scope

What CA Manager is not.

Brazilian financial infrastructure is full of overlapping standards. We want you to know exactly when CA Manager is not the right tool.

Can I use CA Manager for Open Finance Brasil?

No. CA Manager is a private CA. The certificates it issues are not trusted by the Open Finance Brasil directory. For Open Finance Brasil, obtain certificates from established Brazilian providers like Soluti, Serpro, Certisign, or Valid Certificadora.

Can I use CA Manager for Pix or SPB connections?

No. Pix DICT and SPB integrations require certificates that CA Manager does not issue. For those scenarios, follow the same path as Open Finance: obtain certificates from Soluti, Serpro, Certisign, or Valid Certificadora.

Can I use CA Manager certificates on the public internet?

No. CA Manager certificates are signed by your private CA, which is not in browser or OS trust stores. They are designed for mTLS between your fintech and partners you explicitly trust. For public-internet TLS certificates, use Let's Encrypt, AWS Certificate Manager, or DigiCert.

Who generates the private key for the certificates I issue?

CA Manager generates the key pair server-side at issuance and delivers it to you in one of four formats on the same API response: inline PEM, presigned PEM download URL, base64-encoded PFX with a generated password, or presigned PFX download URL. The presigned URLs expire shortly. Swepay does not retain the issued certificate's private key after delivery. The only key that stays in Swepay's infrastructure is your tenant's root CA key, held in managed cryptographic custody and not externally accessible, including not accessible to Swepay operators in normal operations.

What kind of integrations is CA Manager designed for?

CA Manager is designed for mTLS authentication of B2B partners in private integrations, where your fintech defines the trust relationship contractually, manages partner onboarding, and operates the truststore on both sides. Typical scenarios: payment processors authenticating sub-acquirers, BaaS providers authenticating tenants, fintechs authenticating financial service consumers. CA Manager is not designed for public-internet TLS or for scenarios requiring certificates valid in browser/OS trust stores.

Is CA Manager FAPI or OAuth2 compliant?

CA Manager is mTLS only. It does not issue OAuth2 tokens, validate JWTs, or implement OIDC. For that layer, see Native Guard, currently in technical validation.

CA Manager is used in production by Brazilian payment processors authenticating B2B partner integrations.

Four ways to start.

Self-serve via AWS Marketplace

Subscribe in five minutes. JWT credentials in your inbox. Issue your first certificate today.

Subscribe to CA Manager

See it before subscribing

Request a 30-minute guided demonstration. We walk through your B2B integration scenario, show the API in action, answer questions.

Request a demo

Volume contracts and custom integration

For PSPs, BaaS providers, and large fintechs with custom volume needs, integration assistance, or contractual SLAs.

Talk to engineering

Test in a sandbox

A 15-day sandbox with 5 certificates. Run issuance, OCSP, and revocation against your integration before you subscribe.

Request sandbox access