Skip to content

Home

Jump to bottom
NeySlim edited this page Apr 27, 2026 · 59 revisions

Ultimate Certificate Manager - Wiki

Version License Docker CI/CD

Welcome to the Ultimate Certificate Manager (UCM) documentation! This wiki provides comprehensive guides for all features.

v2.140 Released! ACME EAB credentials, custom DNS resolvers, ACME on internal IPs, Kubernetes/cert-manager integration, on-disk certificate files, SAN database columns derived from final SAN list. See Release Notes v2.128 → v2.140 and CHANGELOG.

📸 Screenshots

Dashboard

Dashboard

Certificate Management with Detail Panel

Certificates

Certificate Toolbox

Toolbox

Certificate Discovery

Discovery

Mobile & Tablet Support

Mobile Tablet
Mobile Tablet

✨ Key Features

🔐 Complete PKI Infrastructure

  • Full CA Management - Create, import, manage Certificate Authorities with hierarchy support
  • Certificate Lifecycle - Generate, sign, revoke, renew, export certificates
  • CSR Management - Create, import, sign Certificate Signing Requests
  • Certificate Templates - Predefined configurations for server, client, code signing
  • X.509 Extension Viewer - Full certificate extension display with RFC 5280 compliance (v2.76)
  • JKS Export - Java KeyStore export format for Java applications (v2.99)
  • RFC 5280 SAN Compliance - All 4 SAN types: DNS, IP, Email, URI (v2.91)
  • CRL & CDP - Certificate Revocation Lists with HTTP/HTTPS distribution points
  • Delta CRL - Incremental CRL updates per RFC 5280 §5.2.4 (v2.75)
  • OCSP Responder - Real-time certificate status validation (RFC 6960)
  • OCSP Delegated Responder - Per-CA delegated OCSP responders with EKU validation (v2.109)
  • AIA CA Issuers - CA certificate download for chain building (RFC 5280 §4.2.2.1) (v2.101)
  • Certificate Transparency - CT log submission, SCT parsing, auto-submit on issuance (RFC 6962) (v2.109)
  • Certificate Practice Statement - Per-CA CPS URI and Policy OID in CertificatePolicies extension (v2.109)
  • Multiple CDP/OCSP/AIA URLs - Multiple distribution points and access descriptions per CA (v2.109)
  • HTTP Protocol Server - Dedicated HTTP server for CDP/OCSP/AIA on port 8080 (v2.80)
  • Trust Store - Manage trusted root CA certificates
  • Approval Workflows - Policy-based certificate issuance with approval enforcement (v2.77)

🔑 SSH Certificate Authority (v2.127)

  • SSH CA Management - Create and manage SSH Certificate Authorities (Ed25519, RSA, ECDSA)
  • Certificate Signing - Sign user and host SSH certificates with principals, validity, extensions
  • Import Support - Import existing SSH CAs and certificates
  • Setup Scripts - curl-friendly one-command server trust setup
  • Dashboard Widget - SSH certificate stats on dashboard

🔍 Certificate Discovery

  • Network Scanning - Find TLS certificates on hosts, IPs, and CIDR subnets
  • Quick Scan - Instant scan without saving a profile
  • Scan Profiles - Reusable scan configurations with scheduling
  • SNI Probing - Multi-hostname TLS handshake for maximum coverage
  • Certificate Inventory - Track managed/unmanaged/expired/expiring certificates
  • Export - CSV and JSON export of discovered certificates
  • SSRF Protection - Blocks scanning of internal addresses

🧰 Certificate Toolbox

  • SSL Checker - Verify SSL certificates on any hostname (TLS version, cipher suite, expiry)
  • CSR Decoder - Parse and display CSR contents
  • Certificate Decoder - Analyze certificate details including PKCS7 bundles and PKCS12 files (v2.111)
  • Key Matcher - Verify certificate and private key match
  • SSL Converter - Convert between PEM, DER, PKCS#12, PKCS#7 formats

📊 Reports & Analytics

  • Executive PDF Report - Multi-section PDF with cover page, risk assessment, compliance, charts (fpdf2/matplotlib)
  • Report Scheduler - 6 report types with daily/weekly/monthly scheduling and email delivery
  • On-Demand Reports - Generate and download CSV/JSON reports for certificates, CAs, compliance, audit
  • Stat Cards - At-a-glance report overview with schedule status

📡 Industry Standard Protocols

  • SCEP Server - RFC 8894 compliant auto-enrollment for network devices
  • ACME Support - Let's Encrypt compatible (certbot, acme.sh) with account management, ECDSA keys, EAB, auto-supersede on renewal (v2.92, v2.110)
  • EST Protocol - RFC 7030 Enrollment over Secure Transport with full chain responses (v2.95)
  • TSA - RFC 3161 Time Stamp Authority for trusted timestamps (v2.109)
  • Microsoft AD CS Integration - CSR submission, status polling, Enroll on Behalf Of (v2.70, EOBO v2.93)
  • OCSP - Online Certificate Status Protocol responder
  • CRL/CDP - Certificate Revocation List distribution points

🔒 Advanced Security

  • SSO - LDAP, OAuth2 (Azure/Google/GitHub), SAML single sign-on with role mapping
  • WebAuthn/FIDO2 - Hardware security key support (YubiKey, Passkeys)
  • mTLS Authentication - Mutual TLS certificate-based authentication
  • TOTP Two-Factor - Time-based one-time passwords
  • Password Strength - Visual strength indicator with policy enforcement
  • Session Management - Timeout warning, force password change
  • Audit Logs - Full action logging with hash chain integrity verification
  • Rate Limiting - Brute force protection on all auth endpoints (v2.109)
  • CSP Headers - Content Security Policy, X-Frame-Options (v2.109)
  • Account Lockout - Configurable lockout on failed login attempts (v2.109)

👥 User & Group Management

  • RBAC - 4 system roles (Admin, Operator, Auditor, Viewer) plus custom roles with granular permissions
  • User Groups - Organize users with role-based access
  • API Keys - Generate keys for automation and integrations
  • Session History - Track all login sessions

🎨 Modern Interface

  • 6 Theme Variants - 3 color themes × Light/Dark modes
  • Auto Dark Mode - Follow system preference
  • Command Palette - Ctrl+K global search with quick actions
  • Floating Detail Windows - Draggable, resizable entity detail panels
  • Dashboard Charts - Certificate activity, status distribution, day selector
  • Real-time Updates - WebSocket-based live refresh
  • Responsive Design - Mobile-first with adaptive layouts
  • Contextual Help - Help modals on every page
  • 9 Languages - EN, FR, DE, ES, IT, PT, UK, ZH, JA

📚 Table of Contents

Getting Started

Core Features

User Interface

Advanced Topics

Administration

Development

🚀 Quick Links

Installation

Access

📖 What's New

v2.140 (Latest) ✨

  • SAN database columns derived from final SAN list (#94) — when a CN is auto-promoted to an rfc822Name SAN at issuance, the san_email / san_dns / san_ip / san_uri columns are now written from the canonical SAN list (matching the X.509 extension). Migration 027 re-parses existing certificate PEMs and backfills out-of-sync rows.
  • Certificate and CA files written to disk on creation (#95).crt / .key files are auto-materialized under data/certs/ and data/cas/ for every creation path (UI, CSR signing, ACME, SCEP, import). Startup file-regeneration scan kept as a safety net.

v2.139

  • ACME External Account Binding (RFC 8555 §7.3.4) — full server-side EAB credentials manager (issue, list, rotate, revoke kid / hmac pairs). Brings UCM in line with public ACME CAs (Let's Encrypt EAB, ZeroSSL, Google Trust Services). See ACME Support.
  • ACME custom DNS resolvers for DNS-01 — per-account override of system resolvers when validating _acme-challenge TXT records (split-horizon DNS, internal authoritatives).
  • ACME on internal / private IPs — gated by acme.allow_private_ips SystemConfig (default true). HTTP-01 and TLS-ALPN-01 work out of the box for RFC1918, loopback, .lan / .local / .corp targets.
  • Kubernetes & cert-manager integration — reference manifests under examples/kubernetes/cert-manager/ (HTTP-01 ClusterIssuer, DNS-01 ClusterIssuer with EAB, sample Certificate). See Kubernetes / cert-manager.

v2.138

  • CAs page returns the full set when no pagination requested (#89) — fresh imports beyond 20 CAs no longer disappear silently.
  • API key creation UX overhaul (#90) — full-key reveal modal, key_prefix column for list-view copy affordance, support for never-expiring keys.

v2.134

  • SMTP OAuth2 (XOAUTH2) — modern OAuth2 authentication for outbound mail (Gmail, Microsoft 365, Outlook.com), replacing legacy app passwords.

v2.133

  • SSO sync_role_on_login (#81) — opt-in, per-provider toggle that stops UCM-managed roles being silently reverted by the provider's default_role on every login. auto_update_users now governs userinfo (email / full name) only.
  • User authentication source trackingusers.auth_source + users.sso_provider_id. Users & Groups page shows a colour-coded Source column (e.g. LDAP · Corporate AD).

v2.132

  • HSM provider dropdown fix in Create CA wizard (#80) — uses the actual enabled field returned by /api/v2/hsm/providers.

v2.131

  • PostgreSQL backend on DEB/RPM (#78)psycopg2-binary declared in requirements.txt; Test connection no longer fails with No module named 'psycopg2' on a fresh package install.
  • SSO callback no longer crashes on role auto-update (#79)AuditService.log_action call signature corrected.
  • HSM warning is now provider-aware — "SoftHSM not detected" only shows when SoftHSM is actually configured.

v2.130

  • HSM-backed Certificate Authorities (#77.3) — CA private signing keys can now be generated or stored inside an HSM and never leave it. Certificate issuance, CRL generation and OCSP responses are signed by the HSM. PKCS#12 / JKS / raw-key export return HTTP 409 for HSM-backed CAs. See HSM Support.

v2.129

  • ACME client / proxy SSL verification togglesverify_ssl / proxy_verify_ssl persisted per-instance; default on; UI warning when disabled.
  • Outbound HTTP TLS verification on by default in utils.safe_requests.create_session().
  • CSRF exemptions narrowed for SSO and mTLS — admin-write endpoints under those prefixes are now CSRF-protected.
  • WebSocket admin endpoints require admin:system, forgot-password is rate-limited, API keys for deactivated users are rejected.
  • Migration runner is fail-closed and uses DATABASE_URL as single source of truth.
  • Background-task audit logs are no longer attributed to anonymous (now system / scheduler / acme).

v2.128

  • Custom Extra EKUs (RFC 5280 §4.2.1.12, #76)Issue Certificate form and Sign CSR modal expose an "Extra EKUs" multi-select (18-EKU catalog + free-text dotted OIDs, capped at 16). For CSR signing, the existing EKU is rebuilt with the merged set.
  • Filter state persisted across reloads (#57) — Certificates, CAs, Audit, Templates, Policies, TrustStore, HSM, RBAC, SSH Certificates, SSH CAs, Users/Groups, User Certificates.
  • Windows quick-install script for SSH CA trust (#75) — PowerShell .ps1 for Windows OpenSSH Server, alongside the existing Linux/macOS .sh.
  • User UI preferences persisted server-side (#73) — language, theme family, theme mode in users.preferences. Restored across browsers / devices.
  • ACME proxy orders linked to local accounts (#71) — proxy orders display the originating account; account detail "Orders" tab merges local + proxy with a "Proxy" badge.
  • ACME renewal storm with Let's Encrypt fixed (#74)expires_at now stores the leaf certificate's notAfter, not the order's 7-day expires.
  • No more compilation toolchain at install timegcc / python3-dev / python3-devel removed from package deps; pyjks installed via pip --no-deps.

v2.127

  • Native PostgreSQL backend — UCM now supports PostgreSQL 13+ alongside SQLite via DATABASE_URL. New Settings → Database UI with bidirectional migration and safety checks (PG version validation, non-empty target refusal, source backup on failure). See Database Backend.

v2.126

  • SSRF guard relaxed for on-prem — Local ACME (HTTP-01 / TLS-ALPN-01), webhooks, OPNsense import and discovery scans now allow RFC1918 / .lan / loopback targets again. Cloud metadata IPs remain blocked.

v2.125

  • Backup format v2 — Encrypted container with Argon2id KDF (memory-hard), AES-256-GCM, magic header bound as AAD. Backward-compatible restore.

v2.110

  • ACME Auto-Supersede — Automatically revoke old certificates on ACME renewal (controlled by revoke_on_renewal setting)
  • DER File Upload Detection — All file uploads detect PEM vs DER by content instead of extension
  • CA Template Fix — Remove CA template from Certificates page dropdown

v2.108 – v2.109

  • Certificate Transparency (RFC 6962) — CT log submission, SCT parsing, auto-submit on issuance
  • OCSP Delegated Responder (RFC 5019) — Per-CA delegated responder assignment with EKU validation
  • Certificate Practice Statement (CPS) — Per-CA CPS URI and Policy OID in certificates
  • Multiple CDP/OCSP/AIA URLs — Multiple distribution points and access descriptions per CA
  • RFC 3161 Timestamp Authority (TSA) — Time stamping server with configurable policy and accuracy
  • RFC 5280 Extensions — PathLength, NameConstraints, PolicyConstraints, InhibitAnyPolicy, SIA, OCSP Must-Staple
  • ACME Enhancements — Order management, newAuthz, External Account Binding (EAB)
  • In-App Help Translations — 208 help files across 8 languages for all 26 sections
  • Security Audit — 38 fixes across CRITICAL/HIGH/MEDIUM: CSP headers, rate limiting, account lockout, CSRF rotation

v2.107

  • SoftHSM Auto-Register — Docker automatically creates HSM provider when SoftHSM token is initialized
  • CDP Auto-Enable — CRL Distribution Point auto-enabled on new CAs when Protocol Base URL is configured
  • SoftHSM Status Fix — HSM providers no longer show "Disabled" incorrectly
  • Docker Key Encryption — Fixed /etc/ucm/ permissions for master key in Docker containers

v2.100 – v2.106

  • ACME Proxy — Full RFC 8555 compliance, dns-01 challenge fix, EAB support for upstream CAs (v2.105-v2.106)
  • AIA CA Issuers — CA certificate download endpoints for chain building (RFC 5280 §4.2.2.1) (v2.101)
  • Protocol URL Fixes — Auto-repair incorrect https:// URLs, localhost protection (v2.103)
  • API Key Permissions — Fixed creation from UI with permission scope selector (v2.102)
  • Migration System — Upgrades from pre-v2.52 no longer fail; added docker-compose.simple.yml (v2.100)
  • Security — Updated requests, cbor2, cryptography for CVE fixes (v2.106)

v2.99

  • JKS Export — Java KeyStore export format for Java applications
  • EST Full Chain — EST responses now include the full certificate chain (RFC 7030)
  • HTTP Protocol Server — Dedicated HTTP server on port 8080 for CDP/OCSP endpoints
  • Approval Workflows — Policy-based certificate issuance with approval enforcement
  • ACME Enhancements — ECDSA keys, External Account Binding (EAB), custom CA servers
  • ADCS Enroll on Behalf Of — Submit CSRs on behalf of other users via Microsoft AD CS
  • RFC 5280 SAN Compliance — All 4 SAN types: DNS, IP, Email, URI
  • X.509 Extension Viewer — Full certificate extension display with RFC compliance

v2.75

  • Delta CRL Support (RFC 5280 §5.2.4) — Incremental CRL updates with DeltaCRLIndicator, FreshestCRL, CDP endpoint, scheduler
  • Security Audit — 76 findings across 6 phases, 38 fixed (CRITICAL: RSA-512 removal, ACME JWS bypass, XXE)
  • PKI Protocol Hardening — ACME, EST, SCEP, CRL hardened per RFC specifications
  • PDF Report Templates — Professional PDF reports with custom builder and scheduling
  • Roadmap — 9-item roadmap from market comparison gap analysis

Read Full Release Notes

v2.69

  • Executive PDF Report — Multi-section PDF with cover page, risk assessment, compliance, charts
  • Report Scheduler — 6 report types with daily/weekly/monthly frequency and email delivery
  • Reports Page Redesign — List layout with stat cards, inline schedule status, mobile-responsive

Read Full Release Notes

v2.68

  • ACME Wildcard CSR Fix — Corrected wildcard certificate handling in ACME CSR generation
  • Certificate Import Metadata — Imported certificates now preserve original metadata
  • Discord UI Fixes — 4 visual fixes for the Discord theme variant

Read Full Release Notes

v2.52 ✨

  • Certificate Discovery — Scan networks for TLS certificates with profiles, quick scan, SNI probing
  • Security Hardening — 15 findings fixed: SSRF protection, brute-force limits, audit logging, LDAP encryption
  • Error Visibility — Scan errors shown with troubleshooting hints
  • In-App Help — Expanded help for discovery page (profiles, filters, errors, export, security)

Read Full Release Notes

v2.51

  • EST management page with config, stats, endpoint info
  • Certificate unhold, enriched system-status badges
  • WebSocket real-time updates, accordion sidebar
  • CSR generation form, enhanced certificate issuance
  • Global UI density harmonization

v2.50

  • Login architecture redesign with sessionChecked state guard
  • mTLS auto-login with seamless certificate-based authentication
  • 6 mTLS authentication fixes (session handling, error flows, logout)
  • Enhanced /auth/methods endpoint with dynamic capability detection
  • Consistent auth response contract across all login paths

Read Full Release Notes

v2.1.0 ✨

  • Redesigned Operations page (Import/Export/Bulk Actions)
  • Unified ExportModal with RBAC permission guards
  • Dashboard charts with day selector (7d/15d/30d)
  • RBAC with 4 system roles (Admin, Operator, Auditor, Viewer) plus custom roles
  • SSO support: LDAP, OAuth2 (Azure/Google/GitHub), SAML with role mapping
  • ACME multi-CA support
  • In-app contextual help system
  • Force password change on first login
  • 9 languages, 2273+ keys each
  • Reports & governance (policies, approvals)

Read Full Release Notes

v2.0.3 🔧 STABLE

  • CA Creation Fix - Fixed crash with null validity/keySize values on Docker
  • DN Validation - Country code auto-uppercased, CSR validation added
  • Docker Path Unified - All data in /opt/ucm/data (same as DEB/RPM)
  • Migration Support - Auto-migrate from old Docker path on upgrade

Read Full Release Notes

v2.0.0 ✅ STABLE

  • Complete UI Redesign - New React 18 frontend with Radix UI
  • 12 Theme Variants - 6 color themes × Light/Dark modes
  • Enhanced Dashboard - Real-time stats, charts, activity feed
  • Certificate Toolbox - SSL checker, decoders, key matcher, converter
  • User Groups - Organize users with permissions
  • Certificate Templates - Predefined configurations
  • Trust Store - Manage trusted root CAs
  • Audit Trail - Complete action logging with hash chain verification
  • Password Security - Strength indicator, forgot password flow
  • Session Management - Timeout warning, force password change
  • API v2 - RESTful JSON API with OpenAPI docs
  • Docker Hub - Now available on Docker Hub
  • Auto-migration - Seamless upgrade from v1.8.x

Read Full Release Notes

v1.8.3 ✅ STABLE

  • Nginx Dependency Fixed
    • Nginx is now truly optional
    • UCM can run standalone with built-in HTTPS server
    • Fixed GitHub Actions workflow packaging bug
  • Deployment Flexibility
    • Standalone mode (no reverse proxy needed)
    • Reverse proxy mode (nginx/apache)
    • Docker deployment
  • Documentation Updates
    • All guides updated to v1.8.3
    • CHANGELOG with full history
    • Clear deployment options

Read Full Release Notes

v1.8.3

  • Export Authentication - All formats (PEM, DER, PKCS#12) with JWT
  • Visual Theme Previews - 2×4 grid with live previews
  • Docker/Native Compatibility - Dynamic path resolution
  • Global PKCS#12 Modal - Available across all pages

Read Release Notes

v1.7.5

  • Dependency Updates (Python 3.13 compatible)
  • Security: cryptography 46.0.3, pyOpenSSL 25.3.0
  • WebAuthn: Updated to 2.7.0 with FIDO2 improvements
  • Bug Fixes: Certificate selector, Dockerfile improvements

v1.7.0

  • Collapsible sidebar submenus with smooth animations
  • My Account section relocated to bottom of sidebar
  • Optimized sidebar width (220px uniform across all themes)
  • 14×14px submenu icons for better visual hierarchy
  • localStorage persistence for submenu states

v1.6.2

  • Fixed OPNsense import JavaScript errors
  • Fixed import statistics display
  • Improved toast notification system

v1.6.0

  • Complete Tailwind CSS removal (~827 classes)
  • Custom themed scrollbars
  • CRL Information pages (public & integrated)
  • Modal system improvements
  • Full responsive design
  • 8 beautiful themes

See Full Changelog

📊 System Information

Property Value
Latest Stable 2.140
Previous Stable 2.110
Python 3.10+ (3.13 compatible)
Platform Linux, Docker (multi-arch)
License BSD-3-Clause
Repository GitHub
Docker Registry GHCR

🎯 Additional Resources

💡 Need Help?

Last Updated: 2026-04-09
Maintained By: NeySlim

Clone this wiki locally