Home
Welcome to the Ultimate Certificate Manager (UCM) documentation! This wiki provides comprehensive guides for all features.
v2.107 Released! SoftHSM auto-register in Docker, CDP auto-enable on CA creation, ACME Proxy RFC 8555 compliance, AIA CA Issuers. View Changelog
| Mobile | Tablet |
|---|---|
 |
 |
- Full CA Management - Create, import, manage Certificate Authorities with hierarchy support
- Certificate Lifecycle - Generate, sign, revoke, renew, export certificates
- CSR Management - Create, import, sign Certificate Signing Requests
- Certificate Templates - Predefined configurations for server, client, code signing
- X.509 Extension Viewer - Full certificate extension display with RFC 5280 compliance (v2.76)
- JKS Export - Java KeyStore export format for Java applications (v2.99)
- RFC 5280 SAN Compliance - All 4 SAN types: DNS, IP, Email, URI (v2.91)
- CRL & CDP - Certificate Revocation Lists with HTTP/HTTPS distribution points
- Delta CRL - Incremental CRL updates per RFC 5280 §5.2.4 (v2.75)
- OCSP Responder - Real-time certificate status validation (RFC 6960)
- AIA CA Issuers - CA certificate download for chain building (RFC 5280 §4.2.2.1) (v2.101)
- HTTP Protocol Server - Dedicated HTTP server for CDP/OCSP/AIA on port 8080 (v2.80)
- Trust Store - Manage trusted root CA certificates
- Approval Workflows - Policy-based certificate issuance with approval enforcement (v2.77)
- Network Scanning - Find TLS certificates on hosts, IPs, and CIDR subnets
- Quick Scan - Instant scan without saving a profile
- Scan Profiles - Reusable scan configurations with scheduling
- SNI Probing - Multi-hostname TLS handshake for maximum coverage
- Certificate Inventory - Track managed/unmanaged/expired/expiring certificates
- Export - CSV and JSON export of discovered certificates
- SSRF Protection - Blocks scanning of internal addresses
- SSL Checker - Verify SSL certificates on any hostname (TLS version, cipher suite, expiry)
- CSR Decoder - Parse and display CSR contents
- Certificate Decoder - Analyze certificate details (extensions, SANs, key usage)
- Key Matcher - Verify certificate and private key match
- SSL Converter - Convert between PEM, DER, PKCS#12, PKCS#7 formats
- Executive PDF Report - Multi-section PDF with cover page, risk assessment, compliance, charts (fpdf2/matplotlib)
- Report Scheduler - 6 report types with daily/weekly/monthly scheduling and email delivery
- On-Demand Reports - Generate and download CSV/JSON reports for certificates, CAs, compliance, audit
- Stat Cards - At-a-glance report overview with schedule status
- SCEP Server - RFC 8894 compliant auto-enrollment for network devices
- ACME Support - Let's Encrypt compatible (certbot, acme.sh) with account management, ECDSA keys, EAB, custom CA servers (v2.92)
- EST Protocol - RFC 7030 Enrollment over Secure Transport with full chain responses (v2.95)
- Microsoft AD CS Integration - CSR submission, status polling, Enroll on Behalf Of (v2.70, EOBO v2.93)
- OCSP - Online Certificate Status Protocol responder
- CRL/CDP - Certificate Revocation List distribution points
- SSO - LDAP, OAuth2 (Azure/Google/GitHub), SAML single sign-on with role mapping
- WebAuthn/FIDO2 - Hardware security key support (YubiKey, Passkeys)
- mTLS Authentication - Mutual TLS certificate-based authentication
- TOTP Two-Factor - Time-based one-time passwords
- Password Strength - Visual strength indicator with policy enforcement
- Session Management - Timeout warning, force password change
- Audit Logs - Full action logging with hash chain integrity verification
- Rate Limiting - Brute force protection on login
- RBAC - 4 system roles (Admin, Operator, Auditor, Viewer) plus custom roles with granular permissions
- User Groups - Organize users with role-based access
- API Keys - Generate keys for automation and integrations
- Session History - Track all login sessions
- 6 Theme Variants - 3 color themes × Light/Dark modes
- Auto Dark Mode - Follow system preference
- Command Palette - Ctrl+K global search with quick actions
- Floating Detail Windows - Draggable, resizable entity detail panels
- Dashboard Charts - Certificate activity, status distribution, day selector
- Real-time Updates - WebSocket-based live refresh
- Responsive Design - Mobile-first with adaptive layouts
- Contextual Help - Help modals on every page
- 9 Languages - EN, FR, DE, ES, IT, PT, UK, ZH, JA
- Certificate Authority Management
- Certificate Operations
- Certificate Templates
- Certificate Toolbox
- CRL & CDP Distribution
- AIA CA Issuers
- SCEP Server
- OCSP Responder
- ACME Protocol Support
- EST Protocol
- Microsoft CA Integration
- Certificate Discovery
- Reports & Analytics
- Import & Export
- Import from OPNsense
- SSO Configuration
- mTLS Authentication
- WebAuthn/FIDO2
- Trust Store
- Troubleshooting
- Security Best Practices
-
Docker Hub:
docker pull neyslim/ultimate-ca-manager:2.107 -
GHCR:
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.107 -
DEB:
wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.107/ucm_2.107_all.deb -
RPM:
wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.107/ucm-2.107-1.fc43.noarch.rpm
-
Web UI:
https://your-server:8443 -
Default Credentials:
admin/changeme123⚠️ You must change on first login! - GitHub: NeySlim/ultimate-ca-manager
- Docker Hub: neyslim/ultimate-ca-manager
- SoftHSM Auto-Register — Docker automatically creates HSM provider when SoftHSM token is initialized
- CDP Auto-Enable — CRL Distribution Point auto-enabled on new CAs when Protocol Base URL is configured
- SoftHSM Status Fix — HSM providers no longer show "Disabled" incorrectly
-
Docker Key Encryption — Fixed
/etc/ucm/permissions for master key in Docker containers
- ACME Proxy — Full RFC 8555 compliance, dns-01 challenge fix, EAB support for upstream CAs (v2.105-v2.106)
- AIA CA Issuers — CA certificate download endpoints for chain building (RFC 5280 §4.2.2.1) (v2.101)
- Protocol URL Fixes — Auto-repair incorrect https:// URLs, localhost protection (v2.103)
- API Key Permissions — Fixed creation from UI with permission scope selector (v2.102)
- Migration System — Upgrades from pre-v2.52 no longer fail; added docker-compose.simple.yml (v2.100)
- Security — Updated requests, cbor2, cryptography for CVE fixes (v2.106)
- JKS Export — Java KeyStore export format for Java applications
- EST Full Chain — EST responses now include the full certificate chain (RFC 7030)
- HTTP Protocol Server — Dedicated HTTP server on port 8080 for CDP/OCSP endpoints
- Approval Workflows — Policy-based certificate issuance with approval enforcement
- ACME Enhancements — ECDSA keys, External Account Binding (EAB), custom CA servers
- ADCS Enroll on Behalf Of — Submit CSRs on behalf of other users via Microsoft AD CS
- RFC 5280 SAN Compliance — All 4 SAN types: DNS, IP, Email, URI
- X.509 Extension Viewer — Full certificate extension display with RFC compliance
- Delta CRL Support (RFC 5280 §5.2.4) — Incremental CRL updates with DeltaCRLIndicator, FreshestCRL, CDP endpoint, scheduler
- Security Audit — 76 findings across 6 phases, 38 fixed (CRITICAL: RSA-512 removal, ACME JWS bypass, XXE)
- PKI Protocol Hardening — ACME, EST, SCEP, CRL hardened per RFC specifications
- PDF Report Templates — Professional PDF reports with custom builder and scheduling
- Roadmap — 9-item roadmap from market comparison gap analysis
- Executive PDF Report — Multi-section PDF with cover page, risk assessment, compliance, charts
- Report Scheduler — 6 report types with daily/weekly/monthly frequency and email delivery
- Reports Page Redesign — List layout with stat cards, inline schedule status, mobile-responsive
- ACME Wildcard CSR Fix — Corrected wildcard certificate handling in ACME CSR generation
- Certificate Import Metadata — Imported certificates now preserve original metadata
- Discord UI Fixes — 4 visual fixes for the Discord theme variant
- Certificate Discovery — Scan networks for TLS certificates with profiles, quick scan, SNI probing
- Security Hardening — 15 findings fixed: SSRF protection, brute-force limits, audit logging, LDAP encryption
- Error Visibility — Scan errors shown with troubleshooting hints
- In-App Help — Expanded help for discovery page (profiles, filters, errors, export, security)
- EST management page with config, stats, endpoint info
- Certificate unhold, enriched system-status badges
- WebSocket real-time updates, accordion sidebar
- CSR generation form, enhanced certificate issuance
- Global UI density harmonization
- Login architecture redesign with
sessionCheckedstate guard - mTLS auto-login with seamless certificate-based authentication
- 6 mTLS authentication fixes (session handling, error flows, logout)
- Enhanced
/auth/methodsendpoint with dynamic capability detection - Consistent auth response contract across all login paths
- Redesigned Operations page (Import/Export/Bulk Actions)
- Unified ExportModal with RBAC permission guards
- Dashboard charts with day selector (7d/15d/30d)
- RBAC with 4 system roles (Admin, Operator, Auditor, Viewer) plus custom roles
- SSO support: LDAP, OAuth2 (Azure/Google/GitHub), SAML with role mapping
- ACME multi-CA support
- In-app contextual help system
- Force password change on first login
- 9 languages, 2273+ keys each
- Reports & governance (policies, approvals)
- CA Creation Fix - Fixed crash with null validity/keySize values on Docker
- DN Validation - Country code auto-uppercased, CSR validation added
-
Docker Path Unified - All data in
/opt/ucm/data(same as DEB/RPM) - Migration Support - Auto-migrate from old Docker path on upgrade
- Complete UI Redesign - New React 18 frontend with Radix UI
- 12 Theme Variants - 6 color themes × Light/Dark modes
- Enhanced Dashboard - Real-time stats, charts, activity feed
- Certificate Toolbox - SSL checker, decoders, key matcher, converter
- User Groups - Organize users with permissions
- Certificate Templates - Predefined configurations
- Trust Store - Manage trusted root CAs
- Audit Trail - Complete action logging with hash chain verification
- Password Security - Strength indicator, forgot password flow
- Session Management - Timeout warning, force password change
- API v2 - RESTful JSON API with OpenAPI docs
- Docker Hub - Now available on Docker Hub
- Auto-migration - Seamless upgrade from v1.8.x
-
Nginx Dependency Fixed
- Nginx is now truly optional
- UCM can run standalone with built-in HTTPS server
- Fixed GitHub Actions workflow packaging bug
-
Deployment Flexibility
- Standalone mode (no reverse proxy needed)
- Reverse proxy mode (nginx/apache)
- Docker deployment
-
Documentation Updates
- All guides updated to v1.8.3
- CHANGELOG with full history
- Clear deployment options
- ✅ Export Authentication - All formats (PEM, DER, PKCS#12) with JWT
- Visual Theme Previews - 2×4 grid with live previews
- Docker/Native Compatibility - Dynamic path resolution
- Global PKCS#12 Modal - Available across all pages
- Dependency Updates (Python 3.13 compatible)
- Security: cryptography 46.0.3, pyOpenSSL 25.3.0
- WebAuthn: Updated to 2.7.0 with FIDO2 improvements
- Bug Fixes: Certificate selector, Dockerfile improvements
- Collapsible sidebar submenus with smooth animations
- My Account section relocated to bottom of sidebar
- Optimized sidebar width (220px uniform across all themes)
- 14×14px submenu icons for better visual hierarchy
- localStorage persistence for submenu states
- Fixed OPNsense import JavaScript errors
- Fixed import statistics display
- Improved toast notification system
- Complete Tailwind CSS removal (~827 classes)
- Custom themed scrollbars
- CRL Information pages (public & integrated)
- Modal system improvements
- Full responsive design
- 8 beautiful themes
| Property | Value |
|---|---|
| Latest Stable | 2.107 |
| Previous Stable | 2.106 |
| Python | 3.10+ (3.13 compatible) |
| Platform | Linux, Docker (multi-arch) |
| License | BSD-3-Clause |
| Repository | GitHub |
| Docker Registry | GHCR |
- Release Notes - All versions
- v2.107 Release - Latest stable with SoftHSM auto-register, CDP auto-enable, ACME Proxy improvements
- v2.75 Release - Delta CRL, security audit, PDF templates
- v2.69 Release - Executive PDF reports, report scheduler, accessibility
- v2.68 Release - ACME wildcard CSR fix, cert import metadata, Discord UI fixes
- v2.52 Release - Certificate discovery and security hardening
- v2.50 Release - Login architecture redesign, mTLS auto-login
- Screenshots Gallery - See v2.0 in action
- CI/CD Workflows - Build status
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Documentation: This wiki
Last Updated: 2026-04-02
Maintained By: NeySlim