Ultimate Certificate Manager (UCM) is a web-based Certificate Authority management platform with PKI protocol support (ACME, SCEP, EST, OCSP, CRL/CDP), Microsoft ADCS integration, multi-factor authentication, and certificate lifecycle management.
UCM is a young and actively developed project. Feedback, bug reports, and feature requests are very welcome! Feel free to open an issue -- every report helps make UCM better.
- CA Management -- Root and intermediate CAs, hierarchy view, import/export
- Certificate Lifecycle -- Issue, sign, revoke, renew, export (PEM, DER, PKCS#12), bulk operations
- CSR Management -- Create, import, sign Certificate Signing Requests
- Certificate Templates -- Predefined profiles for server, client, code signing, email
- Certificate Discovery -- Network scanning, scan profiles, scheduled scans, certificate import
- Trust Store -- Manage trusted root CA certificates with expiry alerts
- Chain Repair -- AKI/SKI-based chain validation with automatic repair scheduler
- ACME -- RFC 8555, auto-enrollment, auto-renewal, DNS-01/HTTP-01 challenges, wildcard support
- SCEP -- RFC 8894 device auto-enrollment with approval workflows
- EST -- RFC 7030 Enrollment over Secure Transport
- OCSP -- RFC 6960 real-time certificate status
- CRL/CDP -- Certificate Revocation List distribution with Delta CRL support (RFC 5280 §5.2.4)
- AIA CA Issuers -- Authority Information Access CA certificate download (RFC 5280 §4.2.2.1)
- Microsoft ADCS -- Certificate signing via AD CS, template discovery, EOBO (Enroll On Behalf Of)
- HSM -- SoftHSM included, PKCS#11, Azure Key Vault, Google Cloud KMS
- DNS Providers -- Cloudflare, Route53, Azure DNS and more for ACME DNS-01 challenges
- Webhooks -- Event-driven notifications for certificate lifecycle events (15+ event types)
- Authentication -- Password, WebAuthn/FIDO2, TOTP 2FA, mTLS, API keys
- SSO -- LDAP, OAuth2 (Azure/Google/GitHub), SAML single sign-on with role mapping
- RBAC -- 4 built-in roles (Admin, Operator, Auditor, Viewer) plus custom roles with granular permissions
- Policies & Approvals -- Certificate issuance policies with approval workflows
- Audit Logs -- Action logging with integrity verification and remote syslog forwarding
- Dashboard -- Customizable drag-and-drop widgets, real-time stats, certificate trends
- Reports -- Scheduled PDF reports, executive summaries, custom templates
- Certificate Toolbox -- SSL checker, CSR/cert decoder, key matcher, format converter
- Email Notifications -- SMTP, customizable HTML/text templates, certificate expiry alerts
- Backup & Restore -- Manual and scheduled backups with retention policies
- Software Updates -- In-app update checker with one-click install
- Global Search -- Cross-resource search and command palette (Ctrl+K)
- 6 Themes -- 3 color schemes (Gray, Purple Night, Orange Sunset) × Light/Dark
- i18n -- 9 languages (EN, FR, DE, ES, IT, PT, UK, ZH, JA)
- Responsive UI -- React 18 + Radix UI, mobile-friendly
- Real-time -- WebSocket live updates
- Multi-platform -- Docker, Debian/Ubuntu (.deb), RHEL/Rocky/Fedora (.rpm)

```bash
docker run -d --restart=unless-stopped \
  --name ucm \
  -p 8443:8443 \
  -p 8080:8080 \
  -v ucm-data:/opt/ucm/data \
  neyslim/ultimate-ca-manager:latest
```

Also available from GitHub Container Registry: ghcr.io/neyslim/ultimate-ca-manager

Download the .deb package from the latest release:

```bash
sudo dpkg -i ucm_<version>_all.deb
sudo systemctl enable --now ucm
```

Download the .rpm package from the latest release:

```bash
sudo dnf install ./ucm-VERSION-1.noarch.rpm
sudo systemctl enable --now ucm
```

Access: https://localhost:8443 or https://your-server-fqdn:8443

Default credentials: admin / changeme123 -- you will be prompted to change them on first login.
See Installation Guide for all methods including Docker Compose and source install.
| Resource | Link |
|---|---|
| Wiki (full docs) | github.com/NeySlim/ultimate-ca-manager/wiki |
| Installation | docs/installation/ |
| User Guide | docs/USER_GUIDE.md |
| Admin Guide | docs/ADMIN_GUIDE.md |
| API Reference | docs/API_REFERENCE.md |
| OpenAPI Spec | docs/openapi.yaml |
| Security | docs/SECURITY.md |
| Upgrade Guide | UPGRADE.md |
| Changelog | CHANGELOG.md |
| Component | Technology |
|---|---|
| Frontend | React 18, Vite, Radix UI, Recharts |
| Backend | Python 3.11+, Flask, SQLAlchemy |
| Database | SQLite (PostgreSQL supported) |
| Server | Gunicorn + gevent WebSocket |
| Crypto | pyOpenSSL, cryptography |
| Auth | Session cookies, WebAuthn/FIDO2, TOTP, mTLS |
| Item | Path |
|---|---|
| Application | /opt/ucm/ |
| Data & DB | /opt/ucm/data/ |
| Config (DEB/RPM) | /etc/ucm/ucm.env |
| Logs (DEB/RPM) | /var/log/ucm/ |
| Service | systemctl status ucm |
Docker: data at /opt/ucm/data/ (mount as volume), config via environment variables, logs to stdout.
- Code Signing -- Issue and manage code signing certificates (Authenticode, JAR, macOS)
- RFC 3161 Timestamp Authority (TSA) -- Code signing timestamp server (#37)
- High Availability / Clustering -- Active-passive or active-active HA deployment
- Kubernetes / Helm -- Helm chart and cert-manager integration
- Post-Quantum Cryptography -- ML-DSA, ML-KEM, SLH-DSA key types (NIST FIPS 203/204/205)
- SSH Certificates -- Issue and manage SSH host and user certificates
- CMP Protocol (RFC 4210) -- Certificate Management Protocol support
- Key Archival & Recovery -- Secure key escrow with recovery workflows
- Delta CRL -- Incremental CRL updates for large deployments (v2.75)
- Fork the repository
- Create feature branch (git checkout -b feature/my-feature)
- Commit and push
- Open Pull Request
BSD 3-Clause License with Commons Clause -- see LICENSE.
