NeySlim edited this page Mar 12, 2026
Welcome to the Ultimate Certificate Manager (UCM) documentation! This wiki provides comprehensive guides for all features.
v2.69 Released! Executive PDF reports, full report scheduler (6 types, email delivery), redesigned Reports page, security & accessibility fixes. View Release Notes




- Full CA Management - Create, import, manage Certificate Authorities with hierarchy support
- Certificate Lifecycle - Generate, sign, revoke, renew, export certificates
- CSR Management - Create, import, sign Certificate Signing Requests
- Certificate Templates - Predefined configurations for server, client, code signing
- CRL & CDP - Certificate Revocation Lists with HTTP/HTTPS distribution points
- OCSP Responder - Real-time certificate status validation (RFC 6960)
- Trust Store - Manage trusted root CA certificates
- Network Scanning - Find TLS certificates on hosts, IPs, and CIDR subnets
- Quick Scan - Instant scan without saving a profile
- Scan Profiles - Reusable scan configurations with scheduling
- SNI Probing - Multi-hostname TLS handshake for maximum coverage
- Certificate Inventory - Track managed/unmanaged/expired/expiring certificates
- Export - CSV and JSON export of discovered certificates
- SSRF Protection - Blocks scanning of internal addresses
- SSL Checker - Verify SSL certificates on any hostname (TLS version, cipher suite, expiry)
- CSR Decoder - Parse and display CSR contents
- Certificate Decoder - Analyze certificate details (extensions, SANs, key usage)
- Key Matcher - Verify certificate and private key match
- SSL Converter - Convert between PEM, DER, PKCS#12, PKCS#7 formats
- Executive PDF Report - Multi-section PDF with cover page, risk assessment, compliance, charts (fpdf2/matplotlib)
- Report Scheduler - 6 report types with daily/weekly/monthly scheduling and email delivery
- On-Demand Reports - Generate and download CSV/JSON reports for certificates, CAs, compliance, audit
- Stat Cards - At-a-glance report overview with schedule status
- SCEP Server - RFC 8894 compliant auto-enrollment for network devices
- ACME Support - Let's Encrypt compatible (certbot, acme.sh) with account management
- EST Protocol - RFC 7030 Enrollment over Secure Transport
- OCSP - Online Certificate Status Protocol responder
- CRL/CDP - Certificate Revocation List distribution points
- SSO - LDAP, OAuth2 (Azure/Google/GitHub), SAML single sign-on with role mapping
- WebAuthn/FIDO2 - Hardware security key support (YubiKey, Passkeys)
- mTLS Authentication - Mutual TLS certificate-based authentication
- TOTP Two-Factor - Time-based one-time passwords
- Password Strength - Visual strength indicator with policy enforcement
- Session Management - Timeout warning, force password change
- Audit Logs - Full action logging with hash chain integrity verification
- Rate Limiting - Brute force protection on login
- RBAC - 4 system roles (Admin, Operator, Auditor, Viewer) plus custom roles with granular permissions
- User Groups - Organize users with role-based access
- API Keys - Generate keys for automation and integrations
- Session History - Track all login sessions
- 6 Theme Variants - 3 color themes × Light/Dark modes
- Auto Dark Mode - Follow system preference
- Command Palette - Ctrl+K global search with quick actions
- Floating Detail Windows - Draggable, resizable entity detail panels
- Dashboard Charts - Certificate activity, status distribution, day selector
- Real-time Updates - WebSocket-based live refresh
- Responsive Design - Mobile-first with adaptive layouts
- Contextual Help - Help modals on every page
- 9 Languages - EN, FR, DE, ES, IT, PT, UK, ZH, JA
- Certificate Authority Management
- Certificate Operations
- Certificate Templates
- Certificate Toolbox
- CRL & CDP Distribution
- SCEP Server
- OCSP Responder
- ACME Protocol Support
- EST Protocol
- Certificate Discovery
- Reports & Analytics
- Import & Export
- Import from OPNsense
- SSO Configuration
- mTLS Authentication
- WebAuthn/FIDO2
- Trust Store
- Troubleshooting
- Security Best Practices
- Docker Hub: `docker pull neyslim/ultimate-ca-manager:2.69`
- GHCR: `docker pull ghcr.io/neyslim/ultimate-ca-manager:2.69`
- DEB: `wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.69/ucm_2.69_all.deb`
- RPM: `wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.69/ucm-2.69-1.fc43.noarch.rpm`
- Web UI: `https://your-server:8443`
- Default Credentials: `admin/changeme123` ⚠️ You must change these on first login!
- GitHub: NeySlim/ultimate-ca-manager
- Docker Hub: neyslim/ultimate-ca-manager
- Executive PDF Report — Multi-section PDF with cover page, risk assessment, compliance, charts
- Report Scheduler — 6 report types with daily/weekly/monthly frequency and email delivery
- Reports Page Redesign — List layout with stat cards, inline schedule status, mobile-responsive
- Security Hardening — Input validation, email signature fix, info disclosure removal
- Accessibility — `type="button"` on 18 buttons, `aria-label` on 9 icon-only buttons
- Performance — Memoization, N+1 query fix, DB-level GROUP BY
- ACME Wildcard CSR Fix — Corrected wildcard certificate handling in ACME CSR generation
- Certificate Import Metadata — Imported certificates now preserve original metadata
- Discord UI Fixes — 4 visual fixes for the Discord theme variant
- Certificate Discovery — Scan networks for TLS certificates with profiles, quick scan, SNI probing
- Security Hardening — 15 findings fixed: SSRF protection, brute-force limits, audit logging, LDAP encryption
- Error Visibility — Scan errors shown with troubleshooting hints
- In-App Help — Expanded help for discovery page (profiles, filters, errors, export, security)
- EST management page with config, stats, endpoint info
- Certificate unhold, enriched system-status badges
- WebSocket real-time updates, accordion sidebar
- CSR generation form, enhanced certificate issuance
- Global UI density harmonization
- Login architecture redesign with `sessionChecked` state guard
- mTLS auto-login with seamless certificate-based authentication
- 6 mTLS authentication fixes (session handling, error flows, logout)
- Enhanced `/auth/methods` endpoint with dynamic capability detection
- Consistent auth response contract across all login paths
- Redesigned Operations page (Import/Export/Bulk Actions)
- Unified ExportModal with RBAC permission guards
- Dashboard charts with day selector (7d/15d/30d)
- RBAC with 4 system roles (Admin, Operator, Auditor, Viewer) plus custom roles
- SSO support: LDAP, OAuth2 (Azure/Google/GitHub), SAML with role mapping
- ACME multi-CA support
- In-app contextual help system
- Force password change on first login
- 9 languages, 2273+ keys each
- Reports & governance (policies, approvals)
- CA Creation Fix - Fixed crash with null validity/keySize values on Docker
- DN Validation - Country code auto-uppercased, CSR validation added
- Docker Path Unified - All data in `/opt/ucm/data` (same as DEB/RPM)
- Migration Support - Auto-migrate from old Docker path on upgrade
- Complete UI Redesign - New React 18 frontend with Radix UI
- 12 Theme Variants - 6 color themes × Light/Dark modes
- Enhanced Dashboard - Real-time stats, charts, activity feed
- Certificate Toolbox - SSL checker, decoders, key matcher, converter
- User Groups - Organize users with permissions
- Certificate Templates - Predefined configurations
- Trust Store - Manage trusted root CAs
- Audit Trail - Complete action logging with hash chain verification
- Password Security - Strength indicator, forgot password flow
- Session Management - Timeout warning, force password change
- API v2 - RESTful JSON API with OpenAPI docs
- Docker Hub - Now available on Docker Hub
- Auto-migration - Seamless upgrade from v1.8.x
- Nginx Dependency Fixed
  - Nginx is now truly optional
  - UCM can run standalone with built-in HTTPS server
  - Fixed GitHub Actions workflow packaging bug
- Deployment Flexibility
  - Standalone mode (no reverse proxy needed)
  - Reverse proxy mode (nginx/apache)
  - Docker deployment
- Documentation Updates
  - All guides updated to v1.8.3
  - CHANGELOG with full history
  - Clear deployment options
- ✅ Export Authentication - All formats (PEM, DER, PKCS#12) with JWT
- Visual Theme Previews - 2×4 grid with live previews
- Docker/Native Compatibility - Dynamic path resolution
- Global PKCS#12 Modal - Available across all pages
- Dependency Updates (Python 3.13 compatible)
- Security: cryptography 46.0.3, pyOpenSSL 25.3.0
- WebAuthn: Updated to 2.7.0 with FIDO2 improvements
- Bug Fixes: Certificate selector, Dockerfile improvements
- Collapsible sidebar submenus with smooth animations
- My Account section relocated to bottom of sidebar
- Optimized sidebar width (220px uniform across all themes)
- 14×14px submenu icons for better visual hierarchy
- localStorage persistence for submenu states
- Fixed OPNsense import JavaScript errors
- Fixed import statistics display
- Improved toast notification system
- Complete Tailwind CSS removal (~827 classes)
- Custom themed scrollbars
- CRL Information pages (public & integrated)
- Modal system improvements
- Full responsive design
- 8 beautiful themes
| Property | Value |
|---|---|
| Latest Stable | 2.69 |
| Previous Stable | 2.68 |
| Python | 3.10+ (3.13 compatible) |
| Platform | Linux, Docker (multi-arch) |
| License | BSD-3-Clause |
| Repository | GitHub |
| Docker Registry | GHCR |
- Release Notes - All versions
- v2.69 Release - Latest stable with executive PDF reports, report scheduler, accessibility
- v2.68 Release - ACME wildcard CSR fix, cert import metadata, Discord UI fixes
- v2.52 Release - Certificate discovery and security hardening
- v2.50 Release - Login architecture redesign, mTLS auto-login
- Screenshots Gallery - See v2.0 in action
- CI/CD Workflows - Build status
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Documentation: This wiki
Last Updated: 2025-07-22
Maintained By: NeySlim

