https://github.com/neyslim/ultimate-ca-manager

A comprehensive PKI/Certificate Authority management platform

acme certificate-authority certificate-management certificate-manager crl crl-list fido2 hsm letsencrypt mtls ocsp ocsp-responder pki scep scep-server security ssl-certificates webauthn x509

# Ultimate Certificate Manager

![Version](https://img.shields.io/github/v/release/NeySlim/ultimate-ca-manager?label=version&color=brightgreen)
![License](https://img.shields.io/badge/license-BSD--3--Clause%20%2B%20Commons%20Clause-green.svg)
![Docker Hub](https://img.shields.io/docker/v/neyslim/ultimate-ca-manager?label=docker%20hub&color=blue)
![GHCR](https://img.shields.io/badge/ghcr.io-available-blue)
![Tests](https://img.shields.io/badge/tests-2137%20passing-brightgreen)
[![Ko-fi](https://img.shields.io/badge/Ko--fi-Support%20UCM-FF5E5B?logo=ko-fi&logoColor=white)](https://ko-fi.com/neyslim)

**Ultimate Certificate Manager (UCM)** is a web-based Certificate Authority management platform with PKI protocol support (ACME, SCEP, EST, OCSP, CRL/CDP), Microsoft ADCS integration, multi-factor authentication, and certificate lifecycle management.

> 🚀 **UCM is a young and actively developed project.** Feedback, bug reports, and feature requests are very welcome! Feel free to [open an issue](https://github.com/NeySlim/ultimate-ca-manager/issues) -- every report helps make UCM better.

> ✨ **Latest release -- v2.152** (2026-05-08): security and RFC-compliance hardening pass across all PKI protocols (OCSP, CRL, ACME, EST, SCEP, TSA) and resource APIs (CAs, certs, CSRs, templates, RBAC, HSM, MSCA, SSO, webhooks, discovery, audit, reports, SSH, trust store). Smoke-tested on SQLite and PostgreSQL across Debian, RHEL/Fedora, and Docker. See the [v2.152 release notes](https://github.com/NeySlim/ultimate-ca-manager/releases/latest) and the full [CHANGELOG](CHANGELOG.md).

**Upcoming:** CA offline mode -- take CAs offline to prevent signing new certificates, with password-protected or file-exported modes.

![Dashboard](docs/screenshots/dashboard-dark.png)

---

## Features

### PKI Core
- **CA Management** -- Root and intermediate CAs, hierarchy view, import/export, **HSM-backed signing keys** (private key never leaves the HSM)
- **Certificate Lifecycle** -- Issue, sign, revoke, renew, export (PEM, DER, PKCS#12, JKS), bulk operations
- **CSR Management** -- Create, import, sign Certificate Signing Requests with **custom Extra EKU OIDs** (RFC 5280 §4.2.1.12)
- **Certificate Templates** -- Predefined profiles for server, client, code signing, email
- **Certificate Discovery** -- Network scanning, scan profiles, scheduled scans, certificate import
- **Trust Store** -- Manage trusted root CA certificates with expiry alerts
- **Chain Repair** -- AKI/SKI-based chain validation with automatic repair scheduler
- **SSH Certificates** -- SSH Certificate Authority management, sign host/user certificates, import CAs and certs, curl-friendly setup scripts
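The "custom Extra EKU OIDs" item above refers to KeyPurposeId values placed in the Extended Key Usage extension. The following is an added illustration, not code from UCM, of what that extension is on the wire: a DER encoder/decoder for `ExtKeyUsageSyntax` (a `SEQUENCE OF OBJECT IDENTIFIER`) plus an exact-match purpose check of the kind a delegated OCSP responder needs. All function names are this example's own, and the OID table is assumed from RFC 5280, RFC 4945, RFC 4556 and Microsoft documentation rather than taken from the page.

```python
from typing import List

# Purpose OIDs (assumed values from RFC 5280 §4.2.1.12, RFC 4945, RFC 4556 and
# Microsoft documentation; none of these come from the UCM page itself).
ID_CE_EXT_KEY_USAGE = "2.5.29.37"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
EKU = {
    "serverAuth":       "1.3.6.1.5.5.7.3.1",
    "clientAuth":       "1.3.6.1.5.5.7.3.2",
    "codeSigning":      "1.3.6.1.5.5.7.3.3",
    "OCSPSigning":      "1.3.6.1.5.5.7.3.9",
    "ipsecIKE":         "1.3.6.1.5.5.7.3.17",     # RFC 4945
    "pkinitKDC":        "1.3.6.1.5.2.3.5",        # RFC 4556 Kerberos PKINIT KDC
    "msSmartcardLogon": "1.3.6.1.4.1.311.20.2.2",
}


def _der_length(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|byte-count then big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(n: int) -> bytes:
    """One OID arc as base-128, continuation bit set on every byte but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted}")
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_length(len(body)) + body


def encode_eku(oids: List[str]) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    if not oids:
        raise ValueError("EKU must contain at least one KeyPurposeId")
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos, rejecting non-minimal or truncated lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("non-minimal DER length")
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end


def decode_oid(body: bytes) -> str:
    """DER OID content bytes -> dotted string; first byte packs the first two arcs."""
    arcs, val, pending = [], 0, False
    for b in body:
        val, pending = (val << 7) | (b & 0x7F), True
        if not b & 0x80:
            arcs.append(val)
            val, pending = 0, False
    if pending or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(der: bytes) -> List[str]:
    """Parse an EKU extension value back into dotted OIDs, rejecting anything else."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, value, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("EKU members must be OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    if not oids:
        raise ValueError("EKU SEQUENCE must not be empty")
    return oids


def has_purpose(eku_der: bytes, oid: str) -> bool:
    """Exact match only: anyExtendedKeyUsage is deliberately not a wildcard here, which is
    what delegated OCSP signing requires (id-kp-OCSPSigning must be explicit, RFC 6960 §4.2.2.2)."""
    return oid in decode_eku(eku_der)
```

`encode_eku([EKU["serverAuth"], EKU["clientAuth"]])` yields `30 14 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 05 07 03 02`, which is the byte string a CSR or certificate carries for a plain TLS server/client profile; adding a custom purpose is just one more OBJECT IDENTIFIER in the sequence. The decoder checks DER strictly (single SEQUENCE, minimal lengths, OID members only) because a CA that accepts operator-supplied extension bytes should not tolerate malformed input.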

### Protocols
- **ACME** -- RFC 8555, auto-enrollment, auto-renewal, DNS-01/HTTP-01/TLS-ALPN-01 challenges, wildcard support, **External Account Binding (EAB, RFC 8555 §7.3.4)**, **custom DNS resolvers** for split-horizon, ACME on internal/private IPs, proxy mode
- **SCEP** -- RFC 8894 device auto-enrollment with approval workflows
- **EST** -- RFC 7030 Enrollment over Secure Transport
- **OCSP** -- RFC 6960 real-time certificate status
- **CRL/CDP** -- Certificate Revocation List distribution with Delta CRL support (RFC 5280 §5.2.4)
- **AIA CA Issuers** -- Authority Information Access CA certificate download (RFC 5280 §4.2.2.1)
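The Delta CRL item above is only useful if relying parties combine the delta with the right complete CRL. As an added example (not UCM's code, and not a description of how UCM builds its CRLs), the block below models the RFC 5280 §5.2.4 rules on plain data: the delta's `BaseCRLNumber` must not be newer than the complete CRL it is applied to, the delta must itself be newer, and a `removeFromCRL` entry takes a certificate off the list (the hold-release case). The issuer name, serial numbers and reason codes in the sample CRLs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# CRLReason values from RFC 5280 §5.3.1 used by the sample data
KEY_COMPROMISE, CERTIFICATE_HOLD, REMOVE_FROM_CRL = 1, 6, 8


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    reason: Optional[int] = None  # None: reasonCode extension absent


@dataclass
class Crl:
    issuer: str
    crl_number: int                        # CRLNumber extension (RFC 5280 §5.2.3)
    entries: Dict[int, CrlEntry]           # serial -> revocation entry
    base_crl_number: Optional[int] = None  # DeltaCRLIndicator (§5.2.4); None on a complete CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def merge_delta(base: Crl, delta: Crl) -> Crl:
    """Apply a delta CRL to a complete CRL and return the resulting complete CRL."""
    if base.is_delta or not delta.is_delta:
        raise ValueError("merge_delta needs a complete CRL and a delta CRL, in that order")
    if base.issuer != delta.issuer:
        raise ValueError("base and delta CRL issuers differ")
    # §5.2.4: a delta may be combined with a complete CRL from the same issuer whose
    # CRLNumber is >= BaseCRLNumber; the delta itself must be newer than that CRL.
    if base.crl_number < delta.base_crl_number:
        raise ValueError(
            f"complete CRL #{base.crl_number} is older than BaseCRLNumber {delta.base_crl_number}")
    if delta.crl_number <= base.crl_number:
        raise ValueError("delta CRL is not newer than the complete CRL")
    merged = dict(base.entries)
    for serial, entry in delta.entries.items():
        if entry.reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)   # hold released (or expired): drop from the list
        else:
            merged[serial] = entry     # new revocation, or reason updated
    return Crl(base.issuer, delta.crl_number, merged)


def is_revoked(crl: Crl, serial: int) -> bool:
    return serial in crl.entries


# Constructed sample (not UCM data): complete CRL #10, then delta #12 issued against base #10.
BASE = Crl("CN=Example Issuing CA", 10, {
    0x1001: CrlEntry(0x1001, KEY_COMPROMISE),
    0x1002: CrlEntry(0x1002, CERTIFICATE_HOLD),
})
DELTA = Crl("CN=Example Issuing CA", 12, {
    0x1003: CrlEntry(0x1003),                    # newly revoked since #10
    0x1002: CrlEntry(0x1002, REMOVE_FROM_CRL),   # hold on 0x1002 released
}, base_crl_number=10)

if __name__ == "__main__":
    current = merge_delta(BASE, DELTA)
    for serial in (0x1001, 0x1002, 0x1003):
        print(hex(serial), "revoked" if is_revoked(current, serial) else "good")
```

The check that fails loudest in practice is the first one: a client that still holds complete CRL #10 cannot apply a delta whose `BaseCRLNumber` is 11, and silently treating the delta as authoritative would miss every revocation made between #10 and #11. Note also that the merged CRL carries the delta's number, so the next delta is validated against 12, not 10.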

### Integrations
- **Microsoft ADCS** -- Certificate signing via AD CS, template discovery, EOBO (Enroll On Behalf Of)
- **HSM** -- SoftHSM included, PKCS#11, Azure Key Vault, Google Cloud KMS, OpenBao/Vault Transit; **HSM-backed CAs** with non-exportable signing keys
- **Kubernetes / cert-manager** -- Reference manifests for ClusterIssuer (HTTP-01 + DNS-01 with EAB), sample Certificate, Secret template under `examples/kubernetes/cert-manager/`
- **DNS Providers** -- Cloudflare, Route53, Azure DNS and more for ACME DNS-01 challenges
- **Webhooks** -- Event-driven notifications for certificate lifecycle events (15+ event types)

### Security & Access
- **Authentication** -- Password, WebAuthn/FIDO2, TOTP 2FA, mTLS, API keys
- **SSO** -- LDAP, OAuth2 (Azure/Google/GitHub), SAML single sign-on with role mapping; **per-user `auth_source` tracking** and opt-in role sync on login
- **RBAC** -- 4 built-in roles (Admin, Operator, Auditor, Viewer) plus custom roles with granular permissions
- **Policies & Approvals** -- Certificate issuance policies with approval workflows
- **Audit Logs** -- Action logging with integrity verification and remote syslog forwarding

### Operations & Monitoring
- **Dashboard** -- Customizable drag-and-drop widgets, real-time stats, certificate trends
- **Reports** -- Scheduled PDF reports, executive summaries, custom templates
- **Certificate Toolbox** -- SSL checker, CSR/cert decoder, key matcher, format converter
- **Email Notifications** -- SMTP with **OAuth2 (XOAUTH2)** for Gmail, Outlook.com & Microsoft 365, customizable HTML/text templates, certificate expiry alerts
- **Backup & Restore** -- Manual and scheduled backups with retention policies
- **Software Updates** -- In-app update checker with one-click install
- **Global Search** -- Cross-resource search and command palette (Ctrl+K)

### Platform
- **6 Themes** -- 3 color schemes (Gray, Purple Night, Orange Sunset) × Light/Dark; **per-user preferences persisted server-side** (language, theme, mode)
- **i18n** -- 9 languages (EN, FR, DE, ES, IT, PT, UK, ZH, JA)
- **Persisted UI state** -- Filter selections persist across reloads on every list page
- **Database** -- SQLite (default) or **native PostgreSQL backend** with bidirectional migration UI
- **Responsive UI** -- React 18 + Radix UI, mobile-friendly
- **Real-time** -- WebSocket live updates
- **Multi-platform** -- Docker, Debian/Ubuntu (.deb), RHEL/Rocky/Fedora (.rpm)

---

## Quick Start

### Docker

```bash
docker run -d --restart=unless-stopped \
--name ucm \
-p 8443:8443 \
-p 8080:8080 \
-v ucm-data:/opt/ucm/data \
neyslim/ultimate-ca-manager:latest
```

Also available from GitHub Container Registry: `ghcr.io/neyslim/ultimate-ca-manager`

### Debian/Ubuntu

Download the `.deb` package from the [latest release](https://github.com/NeySlim/ultimate-ca-manager/releases/latest):

```bash
sudo dpkg -i ucm_VERSION_all.deb
sudo systemctl enable --now ucm
```

### RHEL/Rocky/Fedora

Download the `.rpm` package from the [latest release](https://github.com/NeySlim/ultimate-ca-manager/releases/latest):

```bash
sudo dnf install ./ucm-VERSION-1.noarch.rpm
sudo systemctl enable --now ucm
```

**Access:** `https://localhost:8443` or `https://your-server-fqdn:8443`
**Default credentials:** `admin` / `changeme123` -- you will be prompted to change on first login.

See [Installation Guide](docs/installation/README.md) for all methods including Docker Compose and source install.

---

## Documentation

| Resource | Link |
|----------|------|
| Wiki (full docs) | [github.com/NeySlim/ultimate-ca-manager/wiki](https://github.com/NeySlim/ultimate-ca-manager/wiki) |
| Installation | [docs/installation/](docs/installation/README.md) |
| User Guide | [docs/USER_GUIDE.md](docs/USER_GUIDE.md) |
| Admin Guide | [docs/ADMIN_GUIDE.md](docs/ADMIN_GUIDE.md) |
| API Reference | [docs/API_REFERENCE.md](docs/API_REFERENCE.md) |
| OpenAPI Spec | [docs/openapi.yaml](docs/openapi.yaml) |
| Security | [docs/SECURITY.md](docs/SECURITY.md) |
| Upgrade Guide | [UPGRADE.md](UPGRADE.md) |
| Changelog | [CHANGELOG.md](CHANGELOG.md) |

---

## Technology Stack

| Component | Technology |
|-----------|------------|
| Frontend | React 18, Vite, Radix UI, Recharts |
| Backend | Python 3.11+, Flask, SQLAlchemy |
| Database | SQLite (default) or PostgreSQL |
| Server | Gunicorn + gevent WebSocket |
| Crypto | pyOpenSSL, cryptography |
| Auth | Session cookies, WebAuthn/FIDO2, TOTP, mTLS |

---

## File Locations

| Item | Path |
|------|------|
| Application | `/opt/ucm/` |
| Data & DB | `/opt/ucm/data/` |
| Config (DEB/RPM) | `/etc/ucm/ucm.env` |
| Logs (DEB/RPM) | `/var/log/ucm/` |
| Service | `systemctl status ucm` |

Docker: data at `/opt/ucm/data/` (mount as volume), config via environment variables, logs to stdout.

---

## Roadmap

- [ ] **Code Signing** -- Issue and manage code signing certificates (Authenticode, JAR, macOS)
- [ ] **High Availability / Clustering** -- Active-passive or active-active HA deployment
- [ ] **Helm chart** -- Package UCM itself as a Helm chart for in-cluster deployment (k8s clusters can already *consume* UCM today via the cert-manager integration shipped in v2.139)
- [ ] **Post-Quantum Cryptography** -- ML-DSA, ML-KEM, SLH-DSA key types (NIST FIPS 203/204/205)
- [ ] **CMP Protocol (RFC 4210)** -- Certificate Management Protocol support
- [ ] **Key Archival & Recovery** -- Secure key escrow with recovery workflows
- [x] **SAN database columns derived from final SAN list** -- `san_email` / `san_dns` / `san_ip` / `san_uri` always match the X.509 extension, with backfill migration *(v2.140)*
- [x] **On-disk certificate & CA files** -- `.crt` / `.key` materialized to disk on every creation path *(v2.140)*
- [x] **ACME External Account Binding (EAB, RFC 8555 §7.3.4)** -- Issue/rotate/revoke `kid`+`hmac` pairs for cert-manager / certbot / acme.sh *(v2.139)*
- [x] **ACME custom DNS resolvers + private-IP validation** -- Split-horizon DNS, RFC1918/`.lan`/`.local` HTTP-01 & TLS-ALPN-01 *(v2.139)*
- [x] **Kubernetes / cert-manager integration** -- Reference manifests for ClusterIssuer (HTTP-01 + DNS-01 with EAB) *(v2.139)*
- [x] **SMTP OAuth2 (XOAUTH2)** -- Gmail, Outlook.com, Microsoft 365 modern auth *(v2.134)*
- [x] **SSO `auth_source` tracking + role preservation** -- Per-user origin, optional sync-on-login, UI never overwritten *(v2.133)*
- [x] **HSM-backed Certificate Authorities** -- Signing key generated/stored in HSM, never exportable *(v2.130)*
- [x] **Native PostgreSQL backend** -- Bidirectional migration UI with safety checks *(v2.127)*
- [x] **PostgreSQL feature parity** -- Database stats, optimize, integrity check, certificate activity chart all work natively on PostgreSQL *(v2.135)*
- [x] **Custom Extra EKU OIDs** -- Microsoft RDP, smartcard logon, document signing, IPsec, Kerberos PKINIT… (RFC 5280 §4.2.1.12) *(v2.128)*
- [x] **Persisted UI filters** -- Filter selections survive reloads on every list page *(v2.128)*
- [x] **User preferences server-side** -- Language/theme follow the user across browsers *(v2.128)*
- [x] **Windows SSH CA setup script (`.ps1`)** -- One-command trust setup for Windows OpenSSH Server *(v2.128/v2.134)*
- [x] **SSH Certificates** -- SSH CA management, host/user certificate signing, import, setup scripts *(v2.112)*
- [x] **Security Audit** -- Comprehensive security hardening: session fixation, export passwords, LDAP injection, LIKE escaping *(v2.112)*
- [x] **Certificate Transparency (RFC 6962)** -- CT log submission, SCT parsing, auto-submit on issuance *(v2.109)*
- [x] **OCSP Delegated Responder (RFC 5019)** -- Per-CA delegated responder assignment with EKU validation *(v2.109)*
- [x] **Certificate Practice Statement (CPS)** -- Per-CA CPS URI and Policy OID in CertificatePolicies extension *(v2.109)*
- [x] **Multiple CDP/OCSP/AIA URLs** -- Multiple distribution points and access descriptions per CA *(v2.109)*
- [x] **RFC 3161 Timestamp Authority (TSA)** -- Time stamping server with configurable policy, hash algorithms, and accuracy *(v2.109)*
- [x] **In-App Help Translations** -- 208 help files across 8 languages for all 26 sections *(v2.109)*
- [x] **ACME Auto-Supersede** -- Automatically revoke old certificates on ACME renewal *(v2.110)*
- [x] **Universal Format Detection** -- DER/PEM detection by content across all file uploads *(v2.110)*
- [x] **PKCS7/PKCS12 Decode** -- Certificate decoder supports P7B bundles and PKCS12 files *(v2.111)*
- [x] **Delta CRL** -- Incremental CRL updates for large deployments *(v2.75)*

## Contributing

1. Fork the repository
2. Create feature branch (`git checkout -b feature/my-feature`)
3. Commit and push
4. Open Pull Request

---

## License

BSD 3-Clause License with Commons Clause -- see [LICENSE](LICENSE).

---

## Support

- [GitHub Issues](https://github.com/NeySlim/ultimate-ca-manager/issues)
- [GitHub Wiki](https://github.com/NeySlim/ultimate-ca-manager/wiki)

If you find UCM useful, consider supporting its development:

[Support on Ko-fi](https://ko-fi.com/neyslim)