https://github.com/neyslim/ultimate-ca-manager

A comprehensive PKI/Certificate Authority management platform

acme certificate-authority certificate-management certificate-manager crl crl-list fido2 hsm letsencrypt mtls ocsp ocsp-responder pki scep scep-server security ssl-certificates webauthn x509

# Ultimate Certificate Manager

![Version](https://img.shields.io/github/v/release/NeySlim/ultimate-ca-manager?label=version&color=brightgreen)
![License](https://img.shields.io/badge/license-BSD--3--Clause%20%2B%20Commons%20Clause-green.svg)
![Docker Hub](https://img.shields.io/docker/v/neyslim/ultimate-ca-manager?label=docker%20hub&color=blue)
![GHCR](https://img.shields.io/badge/ghcr.io-available-blue)
![Tests](https://img.shields.io/badge/tests-2137%20passing-brightgreen)
[![Ko-fi](https://img.shields.io/badge/Ko--fi-Support%20UCM-FF5E5B?logo=ko-fi&logoColor=white)](https://ko-fi.com/neyslim)

**Ultimate Certificate Manager (UCM)** is a web-based Certificate Authority management platform with PKI protocol support (ACME, SCEP, EST, OCSP, CRL/CDP), Microsoft ADCS integration, multi-factor authentication, and certificate lifecycle management.

> **UCM is a young and actively developed project.** Feedback, bug reports, and feature requests are very welcome! Feel free to [open an issue](https://github.com/NeySlim/ultimate-ca-manager/issues) — every report helps make UCM better.

> **Latest release — v2.156** (2026-05-12): per-webhook custom authentication ([#116](https://github.com/NeySlim/ultimate-ca-manager/issues/116)) with five auth types (`none`, `bearer`, `basic`, `api_key`, `custom`), encrypted tokens at rest, and a live request-preview pane in the webhook form. See the [v2.156 release notes](https://github.com/NeySlim/ultimate-ca-manager/releases/latest) and the full [CHANGELOG](CHANGELOG.md).

![Dashboard](docs/screenshots/dashboard-dark.png)

---

## Features

### PKI Core
- **CA Management** -- Root and intermediate CAs, hierarchy view, import/export, **HSM-backed signing keys** (private key never leaves the HSM)
- **Certificate Lifecycle** -- Issue, sign, revoke, renew, export (PEM, DER, PKCS#12, JKS), bulk operations
- **CSR Management** -- Create, import, sign Certificate Signing Requests with **custom Extra EKU OIDs** (RFC 5280 §4.2.1.12)
- **Certificate Templates** -- Predefined profiles for server, client, code signing, email
- **Certificate Discovery** -- Network scanning, scan profiles, scheduled scans, certificate import
- **Trust Store** -- Manage trusted root CA certificates with expiry alerts
- **Chain Repair** -- AKI/SKI-based chain validation with automatic repair scheduler
- **SSH Certificates** -- SSH Certificate Authority management, sign host/user certificates, import CAs and certs, curl-friendly setup scripts
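
The chain-repair feature above rests on one mechanism: each certificate's Authority Key Identifier (AKI) must name the Subject Key Identifier (SKI) of its issuer, and the issuer's key must actually verify the signature. The following added example (not UCM's code) shows that walk over an unordered bundle, using pyca/cryptography, which is part of UCM's stack. It generates a throwaway root, intermediate and leaf in memory; the names, key type (P-256) and the deliberately incomplete second bundle are constructed for illustration. When the walk stops before reaching a self-signed certificate it returns the key identifier that is missing, which is exactly what a repair scheduler needs in order to fetch the issuer (for example via the AIA CA Issuers URL).

```python
"""Order an unordered certificate bundle by AKI -> SKI matching and verify each
link's signature, reporting the gap a repair job would have to fill.
Added example built on pyca/cryptography; certificates are generated in memory
and are not UCM's own code or data."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _make_cert(cn, issuer_cn, key, issuer_key, is_ca):
    # Minimal certificate carrying SKI (own key) and AKI (issuer key) extensions.
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()),
            critical=False,
        )
    )
    return builder.sign(issuer_key, hashes.SHA256())


def ski(cert):
    return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest


def aki(cert):
    return cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier


def _signed_by(cert, issuer):
    # A matching key id is only a hint; the issuer's key must verify the TBS bytes.
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


def build_chain(leaf, pool):
    """Walk from the leaf towards a self-signed root using AKI -> SKI lookups.
    Returns (ordered_chain, missing_key_id): missing_key_id is None when a root
    was reached, otherwise it is the AKI that no certificate in the pool satisfies."""
    by_ski = {ski(c): c for c in pool}
    chain, current = [leaf], leaf
    while aki(current) != ski(current):          # a self-signed cert ends the walk
        issuer = by_ski.get(aki(current))
        if issuer is None:
            return chain, aki(current)           # gap: the repair job must fetch this issuer
        if not _signed_by(current, issuer):
            raise ValueError("AKI/SKI match but signature does not verify")
        chain.append(issuer)
        current = issuer
    return chain, None


def demo():
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _make_cert("Demo Root", "Demo Root", root_key, root_key, True)
    inter = _make_cert("Demo Intermediate", "Demo Root", inter_key, root_key, True)
    leaf = _make_cert("host.example.internal", "Demo Intermediate", leaf_key, inter_key, False)
    full, gap = build_chain(leaf, [root, leaf, inter])   # deliberately unordered bundle
    partial, missing = build_chain(leaf, [leaf, root])   # intermediate missing from the bundle
    return [c.subject.rfc4514_string() for c in full], gap, len(partial), missing == ski(inter)


if __name__ == "__main__":
    print(demo())
```

The walk stops at the first self-signed certificate; whether that root is actually trusted is a separate decision made against the trust store, not something the AKI/SKI match can answer.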

### Protocols
- **ACME** -- RFC 8555, auto-enrollment, auto-renewal, DNS-01/HTTP-01/TLS-ALPN-01 challenges, wildcard support, **External Account Binding (EAB, RFC 8555 §7.3.4)**, **custom DNS resolvers** for split-horizon, ACME on internal/private IPs, proxy mode
- **SCEP** -- RFC 8894 device auto-enrollment with approval workflows
- **EST** -- RFC 7030 Enrollment over Secure Transport
- **OCSP** -- RFC 6960 real-time certificate status
- **CRL/CDP** -- Certificate Revocation List distribution with Delta CRL support (RFC 5280 §5.2.4)
- **AIA CA Issuers** -- Authority Information Access CA certificate download (RFC 5280 §4.2.2.1)
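
External Account Binding (RFC 8555 §7.3.4) is what lets a private CA such as UCM refuse ACME accounts from anyone who was not handed a `kid`/MAC-key pair. The binding is a small inner JWS: its protected header carries `alg` (HS256), the `kid` and the `newAccount` URL, its payload is the account's public JWK, and the signature is an HMAC with the MAC key. The added example below (stdlib Python, not UCM's code) shows both sides of that exchange: what an ACME client puts on the wire and the checks a CA must run before creating the account. The `kid` values, MAC keys, URL and JWK are constructed for illustration.

```python
"""ACME External Account Binding (RFC 8555 s7.3.4): client-side construction and
CA-side verification of the binding JWS. Added stdlib example; kids, MAC keys,
URL and JWK below are constructed and are not UCM's own code or data."""
import base64
import hashlib
import hmac
import json


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(kid: str, mac_key_b64u: str, new_account_url: str, account_jwk: dict) -> dict:
    # Client side: header has alg, kid and url (no nonce); the payload is the
    # account public key, the same JWK sent in the outer newAccount JWS.
    protected = b64u(json.dumps({"alg": "HS256", "kid": kid, "url": new_account_url}).encode())
    payload = b64u(json.dumps(account_jwk).encode())
    mac = hmac.new(b64u_decode(mac_key_b64u), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64u(mac.digest())}


# Constructed CA-side store of issued EAB credentials: kid -> MAC key and revocation flag.
EAB_STORE = {
    "kid-demo-0001": {"mac_key": b64u(b"\x01" * 32), "revoked": False},
    "kid-demo-0002": {"mac_key": b64u(b"\x02" * 32), "revoked": True},
}


def verify_eab(eab: dict, new_account_url: str, outer_jwk: dict, store=EAB_STORE) -> str:
    """CA side. Returns the kid on success and raises ValueError on any failed check."""
    protected = json.loads(b64u_decode(eab["protected"]))
    if protected.get("alg") != "HS256":              # only MAC-based binding is defined
        raise ValueError("eab: unsupported alg")
    if "nonce" in protected:                           # RFC 8555: the EAB header must not carry a nonce
        raise ValueError("eab: nonce field not permitted")
    if protected.get("url") != new_account_url:        # ties the binding to this newAccount request
        raise ValueError("eab: url mismatch")
    entry = store.get(protected.get("kid"))
    if entry is None or entry["revoked"]:              # unknown or rotated/revoked credential
        raise ValueError("eab: unknown or revoked kid")
    if json.loads(b64u_decode(eab["payload"])) != outer_jwk:   # inner key must equal outer account key
        raise ValueError("eab: payload does not match account key")
    expected = hmac.new(b64u_decode(entry["mac_key"]),
                        f"{eab['protected']}.{eab['payload']}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_decode(eab["signature"])):   # constant-time compare
        raise ValueError("eab: bad signature")
    return protected["kid"]


def demo() -> dict:
    url = "https://ucm.example.internal/acme/new-account"
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    good = build_eab("kid-demo-0001", EAB_STORE["kid-demo-0001"]["mac_key"], url, jwk)
    results = {"valid": verify_eab(good, url, jwk)}
    try:    # same binding replayed for a different account key
        verify_eab(good, url, {**jwk, "x": "other-x"})
    except ValueError as exc:
        results["swapped_key"] = str(exc)
    revoked = build_eab("kid-demo-0002", EAB_STORE["kid-demo-0002"]["mac_key"], url, jwk)
    try:    # credential that has since been revoked on the CA
        verify_eab(revoked, url, jwk)
    except ValueError as exc:
        results["revoked"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The payload check is the one most often skipped: without it a binding captured from one enrollment could be attached to a different account key, which defeats the purpose of tying accounts to issued credentials.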

### Integrations
- **Microsoft ADCS** -- Certificate signing via AD CS, template discovery, EOBO (Enroll On Behalf Of)
- **HSM** -- SoftHSM included, PKCS#11, Azure Key Vault, Google Cloud KMS, OpenBao/Vault Transit; **HSM-backed CAs** with non-exportable signing keys
- **Kubernetes / cert-manager** -- Reference manifests for ClusterIssuer (HTTP-01 + DNS-01 with EAB), sample Certificate, Secret template under `examples/kubernetes/cert-manager/`
- **DNS Providers** -- Cloudflare, Route53, Azure DNS and more for ACME DNS-01 challenges
- **Webhooks** -- Event-driven notifications for certificate lifecycle events (15+ event types)

### Security & Access
- **Authentication** -- Password, WebAuthn/FIDO2, TOTP 2FA, mTLS, API keys
- **SSO** -- LDAP, OAuth2 (Azure/Google/GitHub), SAML single sign-on with role mapping; **per-user `auth_source` tracking** and opt-in role sync on login
- **RBAC** -- 4 built-in roles (Admin, Operator, Auditor, Viewer) plus custom roles with granular permissions
- **Policies & Approvals** -- Certificate issuance policies with approval workflows
- **Audit Logs** -- Action logging with integrity verification and remote syslog forwarding
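
"Integrity verification" for an audit log generally means that a verifier can prove no past entry was edited, removed or reordered. One standard way to get that is a hash chain (each entry commits to the previous one) sealed with an HMAC under a key the application holds. The added example below (stdlib Python) shows that design; it is not UCM's implementation and does not claim to be, and the sealing key and sample events are constructed for illustration. Because the seal travels with each entry, a copy forwarded to remote syslog can be checked the same way.

```python
"""Append-only audit log with a hash chain and per-entry HMAC seal, so editing,
deleting or reordering a past entry is detectable. Added stdlib example; the
sealing key and events are constructed and this is not UCM's own design."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # chain link for the first entry


def _canonical(entry: dict) -> bytes:
    # Canonical JSON so the same event always serialises (and hashes) identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _link(entry: dict) -> str:
    # Hash of the complete previous entry, seal included, becomes the next entry's "prev".
    return hashlib.sha256(_canonical(entry)).hexdigest()


def append_event(log: list, key: bytes, actor: str, action: str, target: str, ts: str) -> dict:
    prev = _link(log[-1]) if log else GENESIS
    entry = {"seq": len(log), "ts": ts, "actor": actor, "action": action, "target": target, "prev": prev}
    entry["mac"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes):
    """Returns (True, None) for an intact log, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:        # gap or reordering
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):  # edited content
            return False, i
        prev = _link(entry)
    return True, None


def demo():
    key = b"constructed-audit-seal-key"
    log = []
    append_event(log, key, "admin", "ca.create", "Demo Root", "2026-01-01T10:00:00Z")
    append_event(log, key, "operator", "cert.issue", "host.example.internal", "2026-01-01T10:05:00Z")
    append_event(log, key, "operator", "cert.revoke", "host.example.internal", "2026-01-01T10:09:00Z")
    intact = verify_log(log, key)
    edited_log = [dict(e) for e in log]
    edited_log[1]["actor"] = "auditor"                 # attribute the issuance to someone else
    edited = verify_log(edited_log, key)
    truncated = verify_log(log[:1] + log[2:], key)     # drop the revocation entry
    return intact, edited, truncated


if __name__ == "__main__":
    print(demo())
```

The seal key must live outside the log's own storage (an HSM or a secret the database cannot read), otherwise whoever can rewrite the table can also re-seal it.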

### Operations & Monitoring
- **Dashboard** -- Customizable drag-and-drop widgets, real-time stats, certificate trends
- **Reports** -- Scheduled PDF reports, executive summaries, custom templates
- **Certificate Toolbox** -- SSL checker, CSR/cert decoder, key matcher, format converter
- **Email Notifications** -- SMTP with **OAuth2 (XOAUTH2)** for Gmail, Outlook.com & Microsoft 365, customizable HTML/text templates, certificate expiry alerts
- **Backup & Restore** -- Manual and scheduled backups with retention policies
- **Software Updates** -- In-app update checker with one-click install
- **Global Search** -- Cross-resource search and command palette (Ctrl+K)

### Platform
- **6 Themes** -- 3 color schemes (Gray, Purple Night, Orange Sunset) × Light/Dark; **per-user preferences persisted server-side** (language, theme, mode)
- **i18n** -- 9 languages (EN, FR, DE, ES, IT, PT, UK, ZH, JA)
- **Persisted UI state** -- Filter selections persist across reloads on every list page
- **Database** -- SQLite (default) or **native PostgreSQL backend** with bidirectional migration UI
- **Responsive UI** -- React 18 + Radix UI, mobile-friendly
- **Real-time** -- WebSocket live updates
- **Multi-platform** -- Docker, Debian/Ubuntu (.deb), RHEL/Rocky/Fedora (.rpm)

---

## Quick Start

### Docker

```bash
docker run -d --restart=unless-stopped \
--name ucm \
-p 8443:8443 \
-p 8080:8080 \
-v ucm-data:/opt/ucm/data \
neyslim/ultimate-ca-manager:latest
```

Also available from GitHub Container Registry: `ghcr.io/neyslim/ultimate-ca-manager`

### Debian/Ubuntu

Download the `.deb` package from the [latest release](https://github.com/NeySlim/ultimate-ca-manager/releases/latest):

```bash
sudo dpkg -i ucm_VERSION_all.deb
sudo systemctl enable --now ucm
```

### RHEL/Rocky/Fedora

Download the `.rpm` package from the [latest release](https://github.com/NeySlim/ultimate-ca-manager/releases/latest):

```bash
sudo dnf install ./ucm-VERSION-1.noarch.rpm
sudo systemctl enable --now ucm
```

**Access:** `https://localhost:8443` or `https://your-server-fqdn:8443`
**Default credentials:** `admin` / `changeme123` — you will be prompted to change them on first login.

See [Installation Guide](docs/installation/README.md) for all methods including Docker Compose and source install.

---

## Documentation

| Resource | Link |
|----------|------|
| Wiki (full docs) | [github.com/NeySlim/ultimate-ca-manager/wiki](https://github.com/NeySlim/ultimate-ca-manager/wiki) |
| Installation | [docs/installation/](docs/installation/README.md) |
| User Guide | [docs/USER_GUIDE.md](docs/USER_GUIDE.md) |
| Admin Guide | [docs/ADMIN_GUIDE.md](docs/ADMIN_GUIDE.md) |
| API Reference | [docs/API_REFERENCE.md](docs/API_REFERENCE.md) |
| OpenAPI Spec | [docs/openapi.yaml](docs/openapi.yaml) |
| Security | [docs/SECURITY.md](docs/SECURITY.md) |
| Upgrade Guide | [UPGRADE.md](UPGRADE.md) |
| Changelog | [CHANGELOG.md](CHANGELOG.md) |

---

## Technology Stack

| Component | Technology |
|-----------|------------|
| Frontend | React 18, Vite, Radix UI, Recharts |
| Backend | Python 3.11+, Flask, SQLAlchemy |
| Database | SQLite (default) or PostgreSQL |
| Server | Gunicorn + gevent WebSocket |
| Crypto | pyOpenSSL, cryptography |
| Auth | Session cookies, WebAuthn/FIDO2, TOTP, mTLS |

---

## File Locations

| Item | Path |
|------|------|
| Application | `/opt/ucm/` |
| Data & DB | `/opt/ucm/data/` |
| Config (DEB/RPM) | `/etc/ucm/ucm.env` |
| Logs (DEB/RPM) | `/var/log/ucm/` |
| Service | `systemctl status ucm` |

Docker: data at `/opt/ucm/data/` (mount as volume), config via environment variables, logs to stdout.

---

## Roadmap

- [ ] **Code Signing** — Issue and manage code signing certificates (Authenticode, JAR, macOS)
- [ ] **High Availability / Clustering** — Active-passive or active-active HA deployment
- [ ] **Helm chart** — Package UCM itself as a Helm chart for in-cluster deployment (k8s clusters can already *consume* UCM today via the cert-manager integration shipped in v2.139)
- [ ] **Post-Quantum Cryptography** — ML-DSA, ML-KEM, SLH-DSA key types (NIST FIPS 203/204/205)
- [ ] **CMP Protocol (RFC 4210)** — Certificate Management Protocol support
- [ ] **Key Archival & Recovery** — Secure key escrow with recovery workflows
- [x] **SAN database columns derived from final SAN list** — `san_email` / `san_dns` / `san_ip` / `san_uri` always match the X.509 extension, with backfill migration *(v2.140)*
- [x] **On-disk certificate & CA files** — `.crt` / `.key` materialized to disk on every creation path *(v2.140)*
- [x] **ACME External Account Binding (EAB, RFC 8555 §7.3.4)** — Issue/rotate/revoke `kid`+`hmac` pairs for cert-manager / certbot / acme.sh *(v2.139)*
- [x] **ACME custom DNS resolvers + private-IP validation** — Split-horizon DNS, RFC1918/`.lan`/`.local` HTTP-01 & TLS-ALPN-01 *(v2.139)*
- [x] **Kubernetes / cert-manager integration** — Reference manifests for ClusterIssuer (HTTP-01 + DNS-01 with EAB) *(v2.139)*
- [x] **SMTP OAuth2 (XOAUTH2)** — Gmail, Outlook.com, Microsoft 365 modern auth *(v2.134)*
- [x] **SSO `auth_source` tracking + role preservation** — Per-user origin, optional sync-on-login, UI never overwritten *(v2.133)*
- [x] **HSM-backed Certificate Authorities** — Signing key generated/stored in HSM, never exportable *(v2.130)*
- [x] **Native PostgreSQL backend** — Bidirectional migration UI with safety checks *(v2.127)*
- [x] **PostgreSQL feature parity** — Database stats, optimize, integrity check, certificate activity chart all work natively on PostgreSQL *(v2.135)*
- [x] **Custom Extra EKU OIDs** — Microsoft RDP, smartcard logon, document signing, IPsec, Kerberos PKINIT… (RFC 5280 §4.2.1.12) *(v2.128)*
- [x] **Persisted UI filters** — Filter selections survive reloads on every list page *(v2.128)*
- [x] **User preferences server-side** — Language/theme follow the user across browsers *(v2.128)*
- [x] **Windows SSH CA setup script (`.ps1`)** — One-command trust setup for Windows OpenSSH Server *(v2.128/v2.134)*
- [x] **SSH Certificates** — SSH CA management, host/user certificate signing, import, setup scripts *(v2.112)*
- [x] **Security Audit** — Comprehensive security hardening: session fixation, export passwords, LDAP injection, LIKE escaping *(v2.112)*
- [x] **Certificate Transparency (RFC 6962)** — CT log submission, SCT parsing, auto-submit on issuance *(v2.109)*
- [x] **OCSP Delegated Responder (RFC 5019)** — Per-CA delegated responder assignment with EKU validation *(v2.109)*
- [x] **Certificate Practice Statement (CPS)** — Per-CA CPS URI and Policy OID in CertificatePolicies extension *(v2.109)*
- [x] **Multiple CDP/OCSP/AIA URLs** — Multiple distribution points and access descriptions per CA *(v2.109)*
- [x] **RFC 3161 Timestamp Authority (TSA)** — Time stamping server with configurable policy, hash algorithms, and accuracy *(v2.109)*
- [x] **In-App Help Translations** — 208 help files across 8 languages for all 26 sections *(v2.109)*
- [x] **ACME Auto-Supersede** — Automatically revoke old certificates on ACME renewal *(v2.110)*
- [x] **Universal Format Detection** — DER/PEM detection by content across all file uploads *(v2.110)*
- [x] **PKCS7/PKCS12 Decode** — Certificate decoder supports P7B bundles and PKCS12 files *(v2.111)*
- [x] **Delta CRL** — Incremental CRL updates for large deployments *(v2.75)*

## Contributing

1. Fork the repository
2. Create feature branch (`git checkout -b feature/my-feature`)
3. Commit and push
4. Open Pull Request

---

## License

BSD 3-Clause License with Commons Clause -- see [LICENSE](LICENSE).

---

## Support

- [GitHub Issues](https://github.com/NeySlim/ultimate-ca-manager/issues)
- [GitHub Wiki](https://github.com/NeySlim/ultimate-ca-manager/wiki)

If you find UCM useful, consider supporting its development:

Support on Ko-fi