A production-focused Certificate Authority written in Python, with support for post-quantum cryptography, common enrollment protocols (ACME, EST, SCEP, CMP/CMC), and both single-server and multi-server deployments.
Full documentation is in the docs/ directory (GitHub Markdown):
| Guide | Description |
|---|---|
| Installation | Installer script, make, RPM/DEB; prerequisites; troubleshooting. |
| Configuration | Complete ca.conf reference, all sections, examples, env vars. |
| Architecture | Components, single-node vs HA, deployment options, diagrams. |
| Security | Hardening, authentication, module integrity, audit, HSM, best practices, references. |
| Operations | CRL/OCSP, lifecycle, backup, monitoring, upgrades. |
| API Reference | REST and protocol endpoints, auth, examples, OpenAPI. |
| Development | Contributing, tests, code style, serial harness. |

| Feature | Dogtag | Boulder | EJBCA | Smallstep | CaskCA |
|---|---|---|---|---|---|
| ACME v2 (RFC 8555) | ✓ | ✓ | ✓ | ✓ | ✓ |
| ACME ARI (draft-ietf-acme-ari) | - | ✓ | - | - | ✓ |
| OCSP (RFC 6960) | ✓ | ✓ | ✓ | ✓ | ✓ |
| CRL (RFC 5280) | ✓ | - | ✓ | ✓ | ✓ |
| Delta CRL | ✓ | - | ✓ | - | ✓ |
| SCEP (RFC 8894) | ✓ | - | ✓ | ✓ | ✓ |
| EST (RFC 7030) | ✓ | - | ✓ | ✓ | ✓ |
| CMP / CMC | ✓ | - | ✓ | - | ✓ |
| Timestamp Authority (RFC 3161) | - | - | ✓ | - | ✓ |
| SSH Certificates (OpenSSH) | - | - | - | ✓ | ✓ |
| LDAP / LDAPS publication | ✓ | - | ✓ | - | ✓ |
| Post-Quantum (ML-DSA, Falcon, SLH-DSA) | - | - | - | - | ✓ |
| HSM / PKCS#11 | ✓ | ✓ | ✓ | ✓ | ✓ |
| mTLS authentication | ✓ | - | ✓ | ✓ | ✓ |
| JWT / API key auth | - | - | - | ✓ | ✓ |
| Prometheus metrics | - | ✓ | - | ✓ | ✓ |
| Certificate lifecycle manager | ✓ | - | ✓ | ✓ | ✓ |
| MPIC challenge validation | - | ✓ | - | - | ✓ |
| Tamper-evident audit log | ✓ | ✓ | ✓ | ✓ | ✓ |
| Module integrity (signed manifest) | - | - | - | - | ✓ |
| Native encrypted/signed datastore | - | - | - | - | ✓ |
| Multi-server / HA deployment | ✓ | ✓ | ✓ | ✓ | ✓ |

| Client | Protocol(s) | Status |
|---|---|---|
| Certbot | ACME v2 | Pass |
| acme.sh | ACME v2 | Pass / Skip (HTTP-01) |
| curl / OpenSSL / Python | EST | Pass |
| scepclient | SCEP | Pass |
| sscep | SCEP | Pass / Skip (if not installed) |
| OpenSSL | OCSP, CRL | Pass |
| OpenSSL / curl | TSP | Pass |
| curl / Python (CMS) | CMC | Pass |
| OpenSSH ssh-keygen / curl | SSH certs | Pass |
| OpenLDAP ldapsearch | LDAP/s | Skip (when CASKCA_LDAP_URL not set) |

Regenerate: `python -m tests.harness.pipeline --topology single`. See Development → Serial test harness.
Operating systems: Ubuntu 20.04/22.04/24.04, Debian 11/12, RHEL/Alma/Rocky 8/9, Fedora 37+. See Installation → Supported platforms.
Key types: RSA (2048-8192), EC (P-256/384/521), Ed25519/Ed448; optional PQC (ML-DSA, Falcon, SLH-DSA, ML-KEM) with pip install caskca[pqc]. See Configuration → key_policy.
```bash
# 1. Install (pick one)
curl -fsSL https://raw.githubusercontent.com/caskca/caskca/main/installer/install.sh | sudo bash
# or: sudo ./configure && make build   (from a git clone)
# or: install from RPM/DEB - see docs/installation.md

# 2. Configure
sudo cp /opt/caskca/etc/ca.conf.example /etc/caskca/ca.conf
sudo $EDITOR /etc/caskca/ca.conf   # set [ca].subject_dn, [api].jwt_secret, [api].base_url

# 3. Initialise CA and start services
sudo caskca-ctl ca init
sudo systemctl enable --now caskca-api caskca-ocsp caskca-crl.timer caskca-lifecycle.timer
```

Full steps and options: Installation and Configuration.
For high availability, run multiple nodes behind a load balancer with a shared datastore and shared key storage (HSM or secure NFS). See Architecture → Multi-server deployment.
Module integrity: installed code is HMAC-signed at install time; the API verifies the signature at startup. After an upgrade, run `sudo caskca-ctl integrity sign`. See Security → Module integrity.
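To make the signed-manifest idea concrete, here is an added, self-contained illustration of how such a check can work. It is example code written for this README, not CaskCA's own integrity module; the file names `manifest.json` and `manifest.sig`, the choice to cover only `.py` files, and the key handling are assumptions for the demo. At install time the tree is hashed into a manifest and the manifest is HMAC-SHA256 tagged under an install key; at startup the tag is verified first (so the manifest itself cannot be silently rewritten), then every listed file is re-hashed and added, removed or modified files are reported.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Assumed file names for the demo (not CaskCA's real layout).
MANIFEST = "manifest.json"
SIGNATURE = "manifest.sig"


def hash_tree(root: Path) -> Dict[str, str]:
    """Return {relative_posix_path: sha256_hex} for every .py file under root."""
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*.py")):
        rel = path.relative_to(root).as_posix()
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def canonical(manifest: Dict[str, str]) -> bytes:
    """Deterministic JSON encoding so the HMAC covers a stable byte string."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(root: Path, key: bytes) -> None:
    """Install-time step: hash the tree, write the manifest and its HMAC tag."""
    data = canonical(hash_tree(root))
    (root / MANIFEST).write_bytes(data)
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    (root / SIGNATURE).write_text(tag)


def verify_integrity(root: Path, key: bytes) -> List[str]:
    """Startup check: return a list of problems; an empty list means intact."""
    try:
        stored = (root / MANIFEST).read_bytes()
        tag = (root / SIGNATURE).read_text().strip()
    except FileNotFoundError as exc:
        return [f"missing {exc.filename}"]
    # Check the manifest's authenticity before trusting any of its contents.
    expected = hmac.new(key, stored, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ["manifest signature mismatch"]
    manifest: Dict[str, str] = json.loads(stored)
    current = hash_tree(root)
    problems: List[str] = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"removed: {rel}")
        elif not hmac.compare_digest(current[rel], digest):
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"added: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Exercise the scheme on a constructed two-file tree inside a temp dir."""
    key = os.urandom(32)  # constructed install key; a real one lives in a protected file
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pkg").mkdir()
        (root / "pkg" / "__init__.py").write_text("")
        (root / "pkg" / "api.py").write_text("def handler():\n    return 'ok'\n")
        sign_manifest(root, key)
        clean = verify_integrity(root, key)
        # Edit a module in place: the per-file hash no longer matches.
        (root / "pkg" / "api.py").write_text("def handler():\n    return 'changed'\n")
        tampered = verify_integrity(root, key)
        # Re-sign with a different key: the manifest HMAC fails before any file is trusted.
        sign_manifest(root, b"not-the-install-key")
        wrong_key = verify_integrity(root, key)
    return clean, tampered, wrong_key


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "wrong key"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The ordering matters: verifying the HMAC over the manifest bytes before reading them means someone who can edit files but does not hold the install key cannot simply update the manifest to match their changes, which is why the signing key needs stricter permissions than the code tree itself.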
Hardening, auth, audit, HSM: Security.
```bash
./packaging/build-rpm.sh   # → dist/rpmbuild/RPMS/noarch/
./packaging/build-deb.sh   # → ../caskca_*.deb
```

Details: packaging/README.md and Installation → RPM and DEB.
MIT-0 - see LICENSE.
