Certificate Authority

Certificates that manage themselves.

Per-organization CA with automatic issuance, rotation, and revocation. No manual key management — ever.

  • Per-org User CA + Host CA
  • Short-lived certificates (12h user, 30d host)
  • Automatic rotation
  • One-click revocation

Certificate Details · Valid
  type: ssh-ed25519-cert-v01
  key_id: user-alice-1711276502
  serial: 28491
  principals: alice, deploy
  valid_after: 2025-03-24T09:15:02Z
  valid_until: 2025-03-24T21:15:02Z
  ca_fingerprint: SHA256:xK3m...q8Tz
Auto-rotated 12h TTL — expires tonight

Two CAs, one system

Users authenticate, hosts prove identity.

Each organization gets a dedicated User CA and Host CA — all automatic.

User Certificates

Short-lived (12h) certificates issued on login. Users never touch SSH keys — meshr handles issuance and rotation transparently.

  TTL: 12 hours
  Principals: username, roles
  Rotation: Automatic on login

Host Certificates

Longer-lived (30d) certificates for servers and devices. Each one proves the host's identity to connecting users, so there are no more trust-on-first-use (TOFU) warnings.

  TTL: 30 days
  Principals: hostname, IP
  Rotation: Automatic before expiry

Lifecycle

From issuance to revocation, automated.

Zero manual steps.

1. Issue

Certificate issued automatically when a user logs in or a host registers.

2. Use

Certificate authenticates SSH connections. No passwords, no keys to manage.

3. Rotate

Before expiry, a new certificate is issued seamlessly. Zero downtime.

4. Revoke

One click to revoke any certificate. Instant propagation across all hosts.

Dashboard management

Every certificate in one pane.

View, search, and manage all certificates. Revoke instantly, rotate on demand.

Active Certificates · 12 active
  [email protected] · User #28491 · 12h
  [email protected] · User #28492 · 8h
  api-server-01 · Host #15003 · 22d
  db-primary · Host #15001 · 3d

SSH Elevation

Just-in-time sudo, recorded.

Root access on demand — not by default. Engineers request elevation in the moment, a peer or policy approves it, the certificate is reissued with elevated claims, and every command runs under an audit trail.

  • Time-boxed elevation (10 min / 1 hr / 4 hr presets)
  • Approval rules — auto-approve in dev, require peer in prod
  • Reason-required field captured in the audit log
  • Elevated session keystrokes recorded automatically

Pairs with Session Recording and Audit Logs — every elevated minute is replayable.

Elevation requested: savas@ → root@prod-db
Status: Awaiting approval

Reason: Replay missing rows in orders_v2 from staging snapshot.

Ticket: INC-4821 · TTL: 30 min

Approval rule · prod-db requires 1 of
  ali@ (oncall): pending
  ops-lead@: pending

Recorded to audit log · Session will be recorded

Just-in-time

Kill the long-lived SSH key.

Every feature is unlocked while we're in beta. No credit card, no commitments.