{"id":35684215,"url":"https://github.com/neyslim/ultimate-ca-manager","last_synced_at":"2026-06-12T23:01:02.420Z","repository":{"id":332067896,"uuid":"1127195856","full_name":"NeySlim/ultimate-ca-manager","owner":"NeySlim","description":"A comprehensive PKI/Certificate Authority management platform","archived":false,"fork":false,"pushed_at":"2026-06-06T21:00:56.000Z","size":191234,"stargazers_count":86,"open_issues_count":1,"forks_count":8,"subscribers_count":6,"default_branch":"main","last_synced_at":"2026-06-06T22:19:17.780Z","etag":null,"topics":["acme","certificate-authority","certificate-management","certificate-manager","crl","crl-list","fido2","hsm","letsencrypt","mtls","ocsp","ocsp-responder","pki","scep","scep-server","security","ssl-certificates","webauthn","x509"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NeySlim.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-03T11:37:53.000Z","updated_at":"2026-06-06T20:46:31.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/NeySlim/ultimate-ca-manager","commit_stats":null,"previous_names":["neyslim/ultimate-ca-manager"],"tags_count":185,"template":false,"template_full_name":null,"purl":"pkg:github/NeySlim/ultimate-ca-manager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NeySlim%2Fultimate-ca-manager","tags_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NeySlim%2Fultimate-ca-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NeySlim%2Fultimate-ca-manager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NeySlim%2Fultimate-ca-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NeySlim","download_url":"https://codeload.github.com/NeySlim/ultimate-ca-manager/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NeySlim%2Fultimate-ca-manager/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34265491,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acme","certificate-authority","certificate-management","certificate-manager","crl","crl-list","fido2","hsm","letsencrypt","mtls","ocsp","ocsp-responder","pki","scep","scep-server","security","ssl-certificates","webauthn","x509"],"created_at":"2026-01-05T21:21:50.346Z","updated_at":"2026-06-12T23:01:02.313Z","avatar_url":"https://github.com/NeySlim.png","language":"JavaScript","funding_links":["https://ko-fi.com/neyslim"],"categories":[],"sub_categories":[],"readme":"# Ultimate Certificate 
Manager\n\n![Version](https://img.shields.io/github/v/release/NeySlim/ultimate-ca-manager?label=version\u0026color=brightgreen)\n![License](https://img.shields.io/badge/license-BSD--3--Clause%20%2B%20Commons%20Clause-green.svg)\n![Docker Hub](https://img.shields.io/docker/v/neyslim/ultimate-ca-manager?label=docker%20hub\u0026color=blue)\n![GHCR](https://img.shields.io/badge/ghcr.io-available-blue)\n![Tests](https://img.shields.io/badge/tests-2137%20passing-brightgreen)\n[![Ko-fi](https://img.shields.io/badge/Ko--fi-Support%20UCM-FF5E5B?logo=ko-fi\u0026logoColor=white)](https://ko-fi.com/neyslim)\n\n**Ultimate Certificate Manager (UCM)** is a web-based Certificate Authority management platform with PKI protocol support (ACME, SCEP, EST, OCSP, CRL/CDP), Microsoft ADCS integration, multi-factor authentication, and certificate lifecycle management.\n\n\u003e **UCM is a young and actively developed project.** Feedback, bug reports, and feature requests are very welcome! Feel free to [open an issue](https://github.com/NeySlim/ultimate-ca-manager/issues) — every report helps make UCM better.\n\n\u003e **Latest release — v2.156** (2026-05-12): per-webhook custom authentication ([#116](https://github.com/NeySlim/ultimate-ca-manager/issues/116)) with five auth types (`none`, `bearer`, `basic`, `api_key`, `custom`), encrypted tokens at rest, and a live request-preview pane in the webhook form. 
See the [v2.156 release notes](https://github.com/NeySlim/ultimate-ca-manager/releases/latest) and the full [CHANGELOG](CHANGELOG.md).\n\n![Dashboard](docs/screenshots/dashboard-dark.png)\n\n---\n\n## Features\n\n### PKI Core\n- **CA Management** -- Root and intermediate CAs, hierarchy view, import/export, **HSM-backed signing keys** (private key never leaves the HSM)\n- **Certificate Lifecycle** -- Issue, sign, revoke, renew, export (PEM, DER, PKCS#12, JKS), bulk operations\n- **CSR Management** -- Create, import, sign Certificate Signing Requests with **custom Extra EKU OIDs** (RFC 5280 §4.2.1.12)\n- **Certificate Templates** -- Predefined profiles for server, client, code signing, email\n- **Certificate Discovery** -- Network scanning, scan profiles, scheduled scans, certificate import\n- **Trust Store** -- Manage trusted root CA certificates with expiry alerts\n- **Chain Repair** -- AKI/SKI-based chain validation with automatic repair scheduler\n- **SSH Certificates** -- SSH Certificate Authority management, sign host/user certificates, import CAs and certs, curl-friendly setup scripts\n\n### Protocols\n- **ACME** -- RFC 8555, auto-enrollment, auto-renewal, DNS-01/HTTP-01/TLS-ALPN-01 challenges, wildcard support, **External Account Binding (EAB, RFC 8555 §7.3.4)**, **custom DNS resolvers** for split-horizon, ACME on internal/private IPs, proxy mode\n- **SCEP** -- RFC 8894 device auto-enrollment with approval workflows\n- **EST** -- RFC 7030 Enrollment over Secure Transport\n- **OCSP** -- RFC 6960 real-time certificate status\n- **CRL/CDP** -- Certificate Revocation List distribution with Delta CRL support (RFC 5280 §5.2.4)\n- **AIA CA Issuers** -- Authority Information Access CA certificate download (RFC 5280 §4.2.2.1)\n\n### Integrations\n- **Microsoft ADCS** -- Certificate signing via AD CS, template discovery, EOBO (Enroll On Behalf Of)\n- **HSM** -- SoftHSM included, PKCS#11, Azure Key Vault, Google Cloud KMS, OpenBao/Vault Transit; **HSM-backed CAs** with 
non-exportable signing keys\n- **Kubernetes / cert-manager** -- Reference manifests for ClusterIssuer (HTTP-01 + DNS-01 with EAB), sample Certificate, Secret template under `examples/kubernetes/cert-manager/`\n- **DNS Providers** -- Cloudflare, Route53, Azure DNS and more for ACME DNS-01 challenges\n- **Webhooks** -- Event-driven notifications for certificate lifecycle events (15+ event types)\n\n### Security \u0026 Access\n- **Authentication** -- Password, WebAuthn/FIDO2, TOTP 2FA, mTLS, API keys\n- **SSO** -- LDAP, OAuth2 (Azure/Google/GitHub), SAML single sign-on with role mapping; **per-user `auth_source` tracking** and opt-in role sync on login\n- **RBAC** -- 4 built-in roles (Admin, Operator, Auditor, Viewer) plus custom roles with granular permissions\n- **Policies \u0026 Approvals** -- Certificate issuance policies with approval workflows\n- **Audit Logs** -- Action logging with integrity verification and remote syslog forwarding\n\n### Operations \u0026 Monitoring\n- **Dashboard** -- Customizable drag-and-drop widgets, real-time stats, certificate trends\n- **Reports** -- Scheduled PDF reports, executive summaries, custom templates\n- **Certificate Toolbox** -- SSL checker, CSR/cert decoder, key matcher, format converter\n- **Email Notifications** -- SMTP with **OAuth2 (XOAUTH2)** for Gmail, Outlook.com \u0026 Microsoft 365, customizable HTML/text templates, certificate expiry alerts\n- **Backup \u0026 Restore** -- Manual and scheduled backups with retention policies\n- **Software Updates** -- In-app update checker with one-click install\n- **Global Search** -- Cross-resource search and command palette (Ctrl+K)\n\n### Platform\n- **6 Themes** -- 3 color schemes (Gray, Purple Night, Orange Sunset) × Light/Dark; **per-user preferences persisted server-side** (language, theme, mode)\n- **i18n** -- 9 languages (EN, FR, DE, ES, IT, PT, UK, ZH, JA)\n- **Persisted UI state** -- Filter selections persist across reloads on every list page\n- **Database** -- SQLite 
(default) or **native PostgreSQL backend** with bidirectional migration UI\n- **Responsive UI** -- React 18 + Radix UI, mobile-friendly\n- **Real-time** -- WebSocket live updates\n- **Multi-platform** -- Docker, Debian/Ubuntu (.deb), RHEL/Rocky/Fedora (.rpm)\n\n---\n\n## Quick Start\n\n### Docker\n\n```bash\ndocker run -d --restart=unless-stopped \\\n  --name ucm \\\n  -p 8443:8443 \\\n  -p 8080:8080 \\\n  -v ucm-data:/opt/ucm/data \\\n  neyslim/ultimate-ca-manager:latest\n```\n\nAlso available from GitHub Container Registry: `ghcr.io/neyslim/ultimate-ca-manager`\n\n### Debian/Ubuntu\n\nDownload the `.deb` package from the [latest release](https://github.com/NeySlim/ultimate-ca-manager/releases/latest):\n\n```bash\nsudo dpkg -i ucm_\u003cversion\u003e_all.deb\nsudo systemctl enable --now ucm\n```\n\n### RHEL/Rocky/Fedora\n\nDownload the `.rpm` package from the [latest release](https://github.com/NeySlim/ultimate-ca-manager/releases/latest):\n\n```bash\nsudo dnf install ./ucm-VERSION-1.noarch.rpm\nsudo systemctl enable --now ucm\n```\n\n**Access:** `https://localhost:8443` or `https://your-server-fqdn:8443`\n**Default credentials:** `admin` / `changeme123` — you will be prompted to change the password on first login.\n\nSee [Installation Guide](docs/installation/README.md) for all methods including Docker Compose and source install.\n\n---\n\n## Documentation\n\n| Resource | Link |\n|----------|------|\n| Wiki (full docs) | [github.com/NeySlim/ultimate-ca-manager/wiki](https://github.com/NeySlim/ultimate-ca-manager/wiki) |\n| Installation | [docs/installation/](docs/installation/README.md) |\n| User Guide | [docs/USER_GUIDE.md](docs/USER_GUIDE.md) |\n| Admin Guide | [docs/ADMIN_GUIDE.md](docs/ADMIN_GUIDE.md) |\n| API Reference | [docs/API_REFERENCE.md](docs/API_REFERENCE.md) |\n| OpenAPI Spec | [docs/openapi.yaml](docs/openapi.yaml) |\n| Security | [docs/SECURITY.md](docs/SECURITY.md) |\n| Upgrade Guide | [UPGRADE.md](UPGRADE.md) |\n| Changelog | [CHANGELOG.md](CHANGELOG.md) 
|\n\n---\n\n## Technology Stack\n\n| Component | Technology |\n|-----------|------------|\n| Frontend | React 18, Vite, Radix UI, Recharts |\n| Backend | Python 3.11+, Flask, SQLAlchemy |\n| Database | SQLite |\n| Server | Gunicorn + gevent WebSocket |\n| Crypto | pyOpenSSL, cryptography |\n| Auth | Session cookies, WebAuthn/FIDO2, TOTP, mTLS |\n\n---\n\n## File Locations\n\n| Item | Path |\n|------|------|\n| Application | `/opt/ucm/` |\n| Data \u0026 DB | `/opt/ucm/data/` |\n| Config (DEB/RPM) | `/etc/ucm/ucm.env` |\n| Logs (DEB/RPM) | `/var/log/ucm/` |\n| Service | `systemctl status ucm` |\n\nDocker: data at `/opt/ucm/data/` (mount as volume), config via environment variables, logs to stdout.\n\n---\n\n## Roadmap\n\n- [ ] **Code Signing** — Issue and manage code signing certificates (Authenticode, JAR, macOS)\n- [ ] **High Availability / Clustering** — Active-passive or active-active HA deployment\n- [ ] **Helm chart** — Package UCM itself as a Helm chart for in-cluster deployment (k8s clusters can already *consume* UCM today via the cert-manager integration shipped in v2.139)\n- [ ] **Post-Quantum Cryptography** — ML-DSA, ML-KEM, SLH-DSA key types (NIST FIPS 203/204/205)\n- [ ] **CMP Protocol (RFC 4210)** — Certificate Management Protocol support\n- [ ] **Key Archival \u0026 Recovery** — Secure key escrow with recovery workflows\n- [x] **SAN database columns derived from final SAN list** — `san_email` / `san_dns` / `san_ip` / `san_uri` always match the X.509 extension, with backfill migration *(v2.140)*\n- [x] **On-disk certificate \u0026 CA files** — `.crt` / `.key` materialized to disk on every creation path *(v2.140)*\n- [x] **ACME External Account Binding (EAB, RFC 8555 §7.3.4)** — Issue/rotate/revoke `kid`+`hmac` pairs for cert-manager / certbot / acme.sh *(v2.139)*\n- [x] **ACME custom DNS resolvers + private-IP validation** — Split-horizon DNS, RFC1918/`.lan`/`.local` HTTP-01 \u0026 TLS-ALPN-01 *(v2.139)*\n- [x] **Kubernetes / cert-manager integration** 
— Reference manifests for ClusterIssuer (HTTP-01 + DNS-01 with EAB) *(v2.139)*\n- [x] **SMTP OAuth2 (XOAUTH2)** — Gmail, Outlook.com, Microsoft 365 modern auth *(v2.134)*\n- [x] **SSO `auth_source` tracking + role preservation** — Per-user origin, optional sync-on-login, UI never overwritten *(v2.133)*\n- [x] **HSM-backed Certificate Authorities** — Signing key generated/stored in HSM, never exportable *(v2.130)*\n- [x] **Native PostgreSQL backend** — Bidirectional migration UI with safety checks *(v2.127)*\n- [x] **PostgreSQL feature parity** — Database stats, optimize, integrity check, certificate activity chart all work natively on PostgreSQL *(v2.135)*\n- [x] **Custom Extra EKU OIDs** — Microsoft RDP, smartcard logon, document signing, IPsec, Kerberos PKINIT… (RFC 5280 §4.2.1.12) *(v2.128)*\n- [x] **Persisted UI filters** — Filter selections survive reloads on every list page *(v2.128)*\n- [x] **User preferences server-side** — Language/theme follow the user across browsers *(v2.128)*\n- [x] **Windows SSH CA setup script (`.ps1`)** — One-command trust setup for Windows OpenSSH Server *(v2.128/v2.134)*\n- [x] **SSH Certificates** — SSH CA management, host/user certificate signing, import, setup scripts *(v2.112)*\n- [x] **Security Audit** — Comprehensive security hardening: session fixation, export passwords, LDAP injection, LIKE escaping *(v2.112)*\n- [x] **Certificate Transparency (RFC 6962)** — CT log submission, SCT parsing, auto-submit on issuance *(v2.109)*\n- [x] **OCSP Delegated Responder (RFC 5019)** — Per-CA delegated responder assignment with EKU validation *(v2.109)*\n- [x] **Certificate Practice Statement (CPS)** — Per-CA CPS URI and Policy OID in CertificatePolicies extension *(v2.109)*\n- [x] **Multiple CDP/OCSP/AIA URLs** — Multiple distribution points and access descriptions per CA *(v2.109)*\n- [x] **RFC 3161 Timestamp Authority (TSA)** — Time stamping server with configurable policy, hash algorithms, and accuracy *(v2.109)*\n- [x] **In-App 
Help Translations** — 208 help files across 8 languages for all 26 sections *(v2.109)*\n- [x] **ACME Auto-Supersede** — Automatically revoke old certificates on ACME renewal *(v2.110)*\n- [x] **Universal Format Detection** — DER/PEM detection by content across all file uploads *(v2.110)*\n- [x] **PKCS7/PKCS12 Decode** — Certificate decoder supports P7B bundles and PKCS12 files *(v2.111)*\n- [x] **Delta CRL** — Incremental CRL updates for large deployments *(v2.75)*\n\n## Contributing\n\n1. Fork the repository\n2. Create feature branch (`git checkout -b feature/my-feature`)\n3. Commit and push\n4. Open Pull Request\n\n---\n\n## License\n\nBSD 3-Clause License with Commons Clause -- see [LICENSE](LICENSE).\n\n---\n\n## Support\n\n- [GitHub Issues](https://github.com/NeySlim/ultimate-ca-manager/issues)\n- [GitHub Wiki](https://github.com/NeySlim/ultimate-ca-manager/wiki)\n\nIf you find UCM useful, consider supporting its development:\n\n\u003ca href=\"https://ko-fi.com/neyslim\"\u003e\u003cimg src=\"https://ko-fi.com/img/githubbutton_sm.svg\" alt=\"Support on Ko-fi\" /\u003e\u003c/a\u003e\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneyslim%2Fultimate-ca-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fneyslim%2Fultimate-ca-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneyslim%2Fultimate-ca-manager/lists"}