NeySlim edited this page May 11, 2026 · 52 revisions

Ultimate Certificate Manager - Wiki


Welcome to the Ultimate Certificate Manager (UCM) documentation! This wiki provides comprehensive guides for all features.

v2.155 Released! Auto-renewal UI, PostgreSQL migration recovery (closes #115), LAN-friendly rate limiting, and master-key backup safeguards. See Release Notes v2.155 and CHANGELOG.


📸 Screenshots

  • Dashboard
  • Certificate Management with Detail Panel
  • Certificate Toolbox
  • Certificate Discovery
  • Mobile & Tablet Support

✨ Key Features

🔐 Complete PKI Infrastructure

  • Full CA Management - Create, import, manage Certificate Authorities with hierarchy support
  • Certificate Lifecycle - Generate, sign, revoke, renew, export certificates
  • CSR Management - Create, import, sign Certificate Signing Requests
  • Certificate Templates - Predefined configurations for server, client, code signing
  • X.509 Extension Viewer - Full certificate extension display with RFC 5280 compliance (v2.76)
  • JKS Export - Java KeyStore export format for Java applications (v2.99)
  • RFC 5280 SAN Compliance - All 4 SAN types: DNS, IP, Email, URI (v2.91)
  • CRL & CDP - Certificate Revocation Lists with HTTP/HTTPS distribution points
  • Delta CRL - Incremental CRL updates per RFC 5280 §5.2.4 (v2.75)
  • OCSP Responder - Real-time certificate status validation (RFC 6960)
  • OCSP Delegated Responder - Per-CA delegated OCSP responders with EKU validation (v2.109)
  • AIA CA Issuers - CA certificate download for chain building (RFC 5280 §4.2.2.1) (v2.101)
  • Certificate Transparency - CT log submission, SCT parsing, auto-submit on issuance (RFC 6962) (v2.109)
  • Certificate Practice Statement - Per-CA CPS URI and Policy OID in CertificatePolicies extension (v2.109)
  • Multiple CDP/OCSP/AIA URLs - Multiple distribution points and access descriptions per CA (v2.109)
  • HTTP Protocol Server - Dedicated HTTP server for CDP/OCSP/AIA on port 8080 (v2.80)
  • Trust Store - Manage trusted root CA certificates
  • Approval Workflows - Policy-based certificate issuance with approval enforcement (v2.77)

🔑 SSH Certificate Authority (v2.127)

  • SSH CA Management - Create and manage SSH Certificate Authorities (Ed25519, RSA, ECDSA)
  • Certificate Signing - Sign user and host SSH certificates with principals, validity, extensions
  • Import Support - Import existing SSH CAs and certificates
  • Setup Scripts - curl-friendly one-command server trust setup
  • Dashboard Widget - SSH certificate stats on dashboard

🔍 Certificate Discovery

  • Network Scanning - Find TLS certificates on hosts, IPs, and CIDR subnets
  • Quick Scan - Instant scan without saving a profile
  • Scan Profiles - Reusable scan configurations with scheduling
  • SNI Probing - Multi-hostname TLS handshake for maximum coverage
  • Certificate Inventory - Track managed/unmanaged/expired/expiring certificates
  • Export - CSV and JSON export of discovered certificates
  • SSRF Protection - Blocks scanning of internal addresses

🧰 Certificate Toolbox

  • SSL Checker - Verify SSL certificates on any hostname (TLS version, cipher suite, expiry)
  • CSR Decoder - Parse and display CSR contents
  • Certificate Decoder - Analyze certificate details including PKCS7 bundles and PKCS12 files (v2.111)
  • Key Matcher - Verify certificate and private key match
  • SSL Converter - Convert between PEM, DER, PKCS#12, PKCS#7 formats

📊 Reports & Analytics

  • Executive PDF Report - Multi-section PDF with cover page, risk assessment, compliance, charts (fpdf2/matplotlib)
  • Report Scheduler - 6 report types with daily/weekly/monthly scheduling and email delivery
  • On-Demand Reports - Generate and download CSV/JSON reports for certificates, CAs, compliance, audit
  • Stat Cards - At-a-glance report overview with schedule status

📡 Industry Standard Protocols

  • SCEP Server - RFC 8894 compliant auto-enrollment for network devices
  • ACME Support - Let's Encrypt compatible (certbot, acme.sh) with account management, ECDSA keys, EAB, auto-supersede on renewal (v2.92, v2.110)
  • EST Protocol - RFC 7030 Enrollment over Secure Transport with full chain responses (v2.95)
  • TSA - RFC 3161 Time Stamp Authority for trusted timestamps (v2.109)
  • Microsoft AD CS Integration - CSR submission, status polling, Enroll on Behalf Of (v2.70, EOBO v2.93)
  • OCSP - Online Certificate Status Protocol responder
  • CRL/CDP - Certificate Revocation List distribution points

🔒 Advanced Security

  • SSO - LDAP, OAuth2 (Azure/Google/GitHub), SAML single sign-on with role mapping
  • WebAuthn/FIDO2 - Hardware security key support (YubiKey, Passkeys)
  • mTLS Authentication - Mutual TLS certificate-based authentication
  • TOTP Two-Factor - Time-based one-time passwords
  • Password Strength - Visual strength indicator with policy enforcement
  • Session Management - Timeout warning, force password change
  • Audit Logs - Full action logging with hash chain integrity verification
  • Rate Limiting - Brute force protection on all auth endpoints (v2.109)
  • CSP Headers - Content Security Policy, X-Frame-Options (v2.109)
  • Account Lockout - Configurable lockout on failed login attempts (v2.109)

👥 User & Group Management

  • RBAC - 4 system roles (Admin, Operator, Auditor, Viewer) plus custom roles with granular permissions
  • User Groups - Organize users with role-based access
  • API Keys - Generate keys for automation and integrations
  • Session History - Track all login sessions

🎨 Modern Interface

  • 6 Theme Variants - 3 color themes × Light/Dark modes
  • Auto Dark Mode - Follow system preference
  • Command Palette - Ctrl+K global search with quick actions
  • Floating Detail Windows - Draggable, resizable entity detail panels
  • Dashboard Charts - Certificate activity, status distribution, day selector
  • Real-time Updates - WebSocket-based live refresh
  • Responsive Design - Mobile-first with adaptive layouts
  • Contextual Help - Help modals on every page
  • 9 Languages - EN, FR, DE, ES, IT, PT, UK, ZH, JA

📚 Table of Contents

Getting Started

Core Features

User Interface

Advanced Topics

Administration

Development


🚀 Quick Links

Installation

  • Docker Hub: docker pull neyslim/ultimate-ca-manager:2.152
  • GHCR: docker pull ghcr.io/neyslim/ultimate-ca-manager:2.152
  • DEB: wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.152/ucm_2.152_all.deb
  • RPM: wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.152/ucm-2.152-1.fc43.noarch.rpm

Access


📖 What's New

v2.152 (Latest) ✨

  • 6 RFC-compliance fixes
    • OCSP (RFC 6960): mixed-format serial lookup, cache invalidation on revoke, correct keyHash, nonce bypasses cache, delegated responder must carry id-pkix-ocsp-nocheck.
    • CRL/profile (RFC 5280): mixed-format serials, no truncation >159 bits, auto-regen on CDP fetch, 5 cert-profile fixes (SKI/AKI, BasicConstraints, EKU, KU bits, validity).
    • ACME (RFC 8555/8737): EAB JWK thumbprint match, JWS algorithm allowlist, wildcard restricted to DNS-01, ALPN extension marked critical, case-insensitive domains, pre-authorisation §7.4.1 (migration 033).
    • TSA (RFC 3161/5035): signing-certificate-v2 mandatory, body cap 64 KiB, correct PKIStatus separation.
    • EST (RFC 7030): serverkeygen encrypts under client mTLS pubkey.
    • SCEP (RFC 8894): renewal rejected on expired/not-yet-valid signer.
  • 6 ACME server bypasses closed — account binding, order ownership, authz state machine, finalize URL, key change, deactivation. ACME proxy: SSRF via forged proxy IDs blocked; finalize ownership enforced.
  • 20+ resource APIs hardened
    • Resource APIs: whitelisted key params, validity capped at 3650 days, URL validation (CRL DP / AIA / OCSP / IDP), HSM key lock on bind, EC curve whitelist, CSR proof-of-possession (is_signature_valid).
    • RBAC: reserved-name check (admin/operator/viewer) + permission whitelist with wildcard.
    • SSO OIDC: PKCE (S256) + nonce.
    • HSM: provider secrets encrypted at rest, sign payload cap 1 MiB, runtime pip install opt-in (UCM_ALLOW_RUNTIME_PIP=1).
    • Webhooks: secret encrypted at rest, event allowlist, ≤64 events.
    • Discovery, audit, reports, SSH, trust store: input caps and validation throughout.
  • Silent regression fixed — CA / certificate import paths now encrypt private keys via encrypt_private_key instead of storing base64-plain.
  • One schema migration — 033_acme_authz_order_id_nullable.py for the ACME pre-authorisation flow. Drop-in replacement for v2.151. Suite: 1676 backend / 461 frontend. RC validated 6/6 on DEB+RPM+Docker × SQLite+PostgreSQL. See Release Notes v2.152.

v2.144 ✨

  • utils/key_codec.py — 26-site refactor. New load_pem_bytes(prv, *, context) / store_pem_bytes(pem) consolidate the duplicated base64.b64decode(decrypt_private_key(model.prv)) pattern. Errors now surface a caller-supplied context ("CA 42", "certificate 17") instead of an opaque binascii.Error. See Developer Patterns.
  • commit_or_rollback() fixes 10 bare commits in critical auth/mTLS/WebAuthn paths that previously could leak partial transactions on IntegrityError. See Developer Patterns.
  • encrypt_text() / decrypt_text() close the input-contract footgun that caused #105. Text-oriented helpers (PEM, JSON blobs, plain strings) sharing the same wire format as encrypt_string() but with an unambiguous contract. 4 additional latent #105-class sites migrated.
  • Silent except Exception: pass blocks in critical auth/security paths now log with exc_info=True — auth/unified.py, api/v2/auth.py, security/csrf.py, security/encryption.py, services/audit/core.py, services/email_service.py, services/syslog_service.py and more. Post-mortem debugging of auth failures is no longer impossible.
  • Generic release tooling + PostgreSQL CI matrix — scripts/smoke_release.py parameterised via --target LABEL=URL, tests.yml runs the backend suite against both SQLite and PostgreSQL on every push (closes the gap that let #103 ship), release-smoke.yml validates published artefacts after every v* tag.
  • No breaking changes, no schema migration. Drop-in replacement for v2.143. Suite: 1645 backend / 461 frontend. RC validated 30/30 on DEB+RPM+Docker. See Release Notes v2.144.

v2.143 ✨

  • PostgreSQL migration runner crashed on startup (#103, #104) — _run_pending_pg() now opens a transactional Connection via engine.begin() and passes it to mod.upgrade(conn), matching the SQLite path. Without this fix, fresh PostgreSQL deployments couldn't boot past first start and existing PG instances couldn't apply any future migration. SQLite deployments were not affected. See Release Notes v2.143, Database Backend.
  • ACME proxy account private key now encrypted at rest (#105) — previously stored in plaintext in system_config, now encrypted with the application key via encrypt_private_key() / decrypt_private_key(). Existing plaintext keys are migrated transparently on first read. See ACME Support.
  • KeyEncryption.decrypt() tolerant of plaintext PEM input — base64 detection isolated from Fernet decryption so legacy plaintext keys round-trip cleanly through the new ACME proxy decrypt path.
  • Cross-target release validation extended to PostgreSQL in addition to SQLite for every supported package (DEB, RPM, Docker) — the #103 regression only manifested on PostgreSQL and would have shipped silently against a SQLite-only matrix.

v2.142 ✨

  • Major security hardening sweep (16 fixes) — EST /cacerts / /simpleenroll / /simplereenroll / /serverkeygen / /csrattrs enforce est_enabled per-request (503 EST disabled instead of SPA fallthrough); EST + SCEP mTLS client certs only honoured behind a trusted proxy (security.trusted_proxies); same gate on the mTLS login route. See EST Protocol, SCEP Server, mTLS Authentication.
  • 2FA backup codes hashed at rest (Argon2id) and consumed atomically; plaintext returned only at generation time. See WebAuthn Support.
  • Approval quorum is race-safe and idempotent — concurrent approvals can no longer over-approve, double-submits dedup. See Approval Workflows.
  • On-demand CRL generation serialised per-CA with 503 Retry-After: 5 under contention — closes a CPU/IO DoS vector on /cdp/<ca>.crl. See CRL CDP.
  • Outbound webhooks revalidate the resolved IP at delivery time (DNS-rebinding window closed) and reject cloud-metadata IPs everywhere (SSO/IdP, ACME proxy, OPNsense import share the same SSRF helper). RFC1918 / .lan / .local remain allowed by design. See Notifications.
  • CSV bulk user-import capped at 5 MB / 10 000 rows with 413 on overflow. See User Management.
  • Runtime HSM pip install disabled by default — returns 403 with a hint to set UCM_ALLOW_RUNTIME_PIP=1 or install via the system package manager. See HSM Support.
  • SCEP CSR KU/EKU whitelist + RFC 8894 P0/P1/P2 hardening (PKCS#7 parsing, transaction-ID, signed/encrypted envelopes); iOS/macOS enrollment fixes (#102). See SCEP Server.
  • ACME account private keys encrypted at rest with the application key. See ACME Support.
  • ProxyFix is opt-in via security.trusted_proxies (prevents X-Forwarded-For spoofing); session directory enforced at 0o700 with boot-time refusal if loose; CSRF token entropy raised; password hash algorithm tightened; DB migration identifiers allow-listed; password-change endpoint ignores client-supplied force_change. See Security, Installation Guide.
  • PKCS12/PFX export honours the include_chain flag (#100) — previously the chain was always included.
  • Dashboard chart cards no longer overflow the grid (#99) and System Health gained an internal scrollbar.
  • Massive backend modularisation — system.py, certificates.py, cas.py, ssh_cas.py, acme_service, trust_store, scep_service, discovery_service, pdf_generator and ~15 more split into focused submodules; identical behaviour, smaller review surface. Frontend CAsPage, CertificatesPage, DiscoveryPage, ACMEPage, SettingsPage, SsoProviderForm split per-section. New useCRUDPage hook covers 4 list/create/edit pages.

v2.141

  • Admin lockout prevented on database backend switch (#96) — boolean/JSON columns coerced correctly during SQLite ↔ PostgreSQL migration, per-table transactions so a single bad row no longer aborts the whole switch, active admin session survives the cutover. See Database Backend.
  • PostgreSQL backups via pg_dump — Docker image now ships postgresql-client so PostgreSQL-backed instances produce native pg_dump backups during backend migrations and scheduled backups. See Backup & Restore.
  • In-app help covers v2.128 → v2.140 features in English plus all 8 translated languages (fr, de, es, it, ja, pt, uk, zh).

v2.140

  • SAN database columns derived from final SAN list (#94) — when a CN is auto-promoted to an rfc822Name SAN at issuance, the san_email / san_dns / san_ip / san_uri columns are now written from the canonical SAN list (matching the X.509 extension). Migration 027 re-parses existing certificate PEMs and backfills out-of-sync rows.
  • Certificate and CA files written to disk on creation (#95) — .crt / .key files are auto-materialized under data/certs/ and data/cas/ for every creation path (UI, CSR signing, ACME, SCEP, import). Startup file-regeneration scan kept as a safety net.

v2.139

  • ACME External Account Binding (RFC 8555 §7.3.4) — full server-side EAB credentials manager (issue, list, rotate, revoke kid / hmac pairs). Brings UCM in line with public ACME CAs (Let's Encrypt EAB, ZeroSSL, Google Trust Services). See ACME Support.
  • ACME custom DNS resolvers for DNS-01 — per-account override of system resolvers when validating _acme-challenge TXT records (split-horizon DNS, internal authoritatives).
  • ACME on internal / private IPs — gated by acme.allow_private_ips SystemConfig (default true). HTTP-01 and TLS-ALPN-01 work out of the box for RFC1918, loopback, .lan / .local / .corp targets.
  • Kubernetes & cert-manager integration — reference manifests under examples/kubernetes/cert-manager/ (HTTP-01 ClusterIssuer, DNS-01 ClusterIssuer with EAB, sample Certificate). See Kubernetes / cert-manager.

v2.138

  • CAs page returns the full set when no pagination requested (#89) — fresh imports beyond 20 CAs no longer disappear silently.
  • API key creation UX overhaul (#90) — full-key reveal modal, key_prefix column for list-view copy affordance, support for never-expiring keys.

v2.134

  • SMTP OAuth2 (XOAUTH2) — modern OAuth2 authentication for outbound mail (Gmail, Microsoft 365, Outlook.com), replacing legacy app passwords.

v2.133

  • SSO sync_role_on_login (#81) — opt-in, per-provider toggle that stops UCM-managed roles being silently reverted by the provider's default_role on every login. auto_update_users now governs userinfo (email / full name) only.
  • User authentication source tracking — users.auth_source + users.sso_provider_id. Users & Groups page shows a colour-coded Source column (e.g. LDAP · Corporate AD).

v2.132

  • HSM provider dropdown fix in Create CA wizard (#80) — uses the actual enabled field returned by /api/v2/hsm/providers.

v2.131

  • PostgreSQL backend on DEB/RPM (#78) — psycopg2-binary declared in requirements.txt; Test connection no longer fails with No module named 'psycopg2' on a fresh package install.
  • SSO callback no longer crashes on role auto-update (#79) — AuditService.log_action call signature corrected.
  • HSM warning is now provider-aware — "SoftHSM not detected" only shows when SoftHSM is actually configured.

v2.130

  • HSM-backed Certificate Authorities (#77.3) — CA private signing keys can now be generated or stored inside an HSM and never leave it. Certificate issuance, CRL generation and OCSP responses are signed by the HSM. PKCS#12 / JKS / raw-key export return HTTP 409 for HSM-backed CAs. See HSM Support.

v2.129

  • ACME client / proxy SSL verification toggles — verify_ssl / proxy_verify_ssl persisted per-instance; default on; UI warning when disabled.
  • Outbound HTTP TLS verification on by default in utils.safe_requests.create_session().
  • CSRF exemptions narrowed for SSO and mTLS — admin-write endpoints under those prefixes are now CSRF-protected.
  • WebSocket admin endpoints require admin:system, forgot-password is rate-limited, API keys for deactivated users are rejected.
  • Migration runner is fail-closed and uses DATABASE_URL as single source of truth.
  • Background-task audit logs are no longer attributed to anonymous (now system / scheduler / acme).

v2.128

  • Custom Extra EKUs (RFC 5280 §4.2.1.12, #76) — Issue Certificate form and Sign CSR modal expose an "Extra EKUs" multi-select (18-EKU catalog + free-text dotted OIDs, capped at 16). For CSR signing, the existing EKU is rebuilt with the merged set.
  • Filter state persisted across reloads (#57) — Certificates, CAs, Audit, Templates, Policies, TrustStore, HSM, RBAC, SSH Certificates, SSH CAs, Users/Groups, User Certificates.
  • Windows quick-install script for SSH CA trust (#75) — PowerShell .ps1 for Windows OpenSSH Server, alongside the existing Linux/macOS .sh.
  • User UI preferences persisted server-side (#73) — language, theme family, theme mode in users.preferences. Restored across browsers / devices.
  • ACME proxy orders linked to local accounts (#71) — proxy orders display the originating account; account detail "Orders" tab merges local + proxy with a "Proxy" badge.
  • ACME renewal storm with Let's Encrypt fixed (#74) — expires_at now stores the leaf certificate's notAfter, not the order's 7-day expires.
  • No more compilation toolchain at install time — gcc / python3-dev / python3-devel removed from package deps; pyjks installed via pip --no-deps.

v2.127

  • Native PostgreSQL backend — UCM now supports PostgreSQL 13+ alongside SQLite via DATABASE_URL. New Settings → Database UI with bidirectional migration and safety checks (PG version validation, non-empty target refusal, source backup on failure). See Database Backend.

v2.126

  • SSRF guard relaxed for on-prem — Local ACME (HTTP-01 / TLS-ALPN-01), webhooks, OPNsense import and discovery scans now allow RFC1918 / .lan / loopback targets again. Cloud metadata IPs remain blocked.

v2.125

  • Backup format v2 — Encrypted container with Argon2id KDF (memory-hard), AES-256-GCM, magic header bound as AAD. Backward-compatible restore.

v2.110

  • ACME Auto-Supersede — Automatically revoke old certificates on ACME renewal (controlled by revoke_on_renewal setting)
  • DER File Upload Detection — All file uploads detect PEM vs DER by content instead of extension
  • CA Template Fix — Remove CA template from Certificates page dropdown

v2.108 – v2.109

  • Certificate Transparency (RFC 6962) — CT log submission, SCT parsing, auto-submit on issuance
  • OCSP Delegated Responder (RFC 5019) — Per-CA delegated responder assignment with EKU validation
  • Certificate Practice Statement (CPS) — Per-CA CPS URI and Policy OID in certificates
  • Multiple CDP/OCSP/AIA URLs — Multiple distribution points and access descriptions per CA
  • RFC 3161 Timestamp Authority (TSA) — Time stamping server with configurable policy and accuracy
  • RFC 5280 Extensions — PathLength, NameConstraints, PolicyConstraints, InhibitAnyPolicy, SIA, OCSP Must-Staple
  • ACME Enhancements — Order management, newAuthz, External Account Binding (EAB)
  • In-App Help Translations — 208 help files across 8 languages for all 26 sections
  • Security Audit — 38 fixes across CRITICAL/HIGH/MEDIUM: CSP headers, rate limiting, account lockout, CSRF rotation

v2.107

  • SoftHSM Auto-Register — Docker automatically creates HSM provider when SoftHSM token is initialized
  • CDP Auto-Enable — CRL Distribution Point auto-enabled on new CAs when Protocol Base URL is configured
  • SoftHSM Status Fix — HSM providers no longer show "Disabled" incorrectly
  • Docker Key Encryption — Fixed /etc/ucm/ permissions for master key in Docker containers

v2.100 – v2.106

  • ACME Proxy — Full RFC 8555 compliance, dns-01 challenge fix, EAB support for upstream CAs (v2.105-v2.106)
  • AIA CA Issuers — CA certificate download endpoints for chain building (RFC 5280 §4.2.2.1) (v2.101)
  • Protocol URL Fixes — Auto-repair incorrect https:// URLs, localhost protection (v2.103)
  • API Key Permissions — Fixed creation from UI with permission scope selector (v2.102)
  • Migration System — Upgrades from pre-v2.52 no longer fail; added docker-compose.simple.yml (v2.100)
  • Security — Updated requests, cbor2, cryptography for CVE fixes (v2.106)

v2.99

  • JKS Export — Java KeyStore export format for Java applications
  • EST Full Chain — EST responses now include the full certificate chain (RFC 7030)
  • HTTP Protocol Server — Dedicated HTTP server on port 8080 for CDP/OCSP endpoints
  • Approval Workflows — Policy-based certificate issuance with approval enforcement
  • ACME Enhancements — ECDSA keys, External Account Binding (EAB), custom CA servers
  • ADCS Enroll on Behalf Of — Submit CSRs on behalf of other users via Microsoft AD CS
  • RFC 5280 SAN Compliance — All 4 SAN types: DNS, IP, Email, URI
  • X.509 Extension Viewer — Full certificate extension display with RFC compliance

v2.75

  • Delta CRL Support (RFC 5280 §5.2.4) — Incremental CRL updates with DeltaCRLIndicator, FreshestCRL, CDP endpoint, scheduler
  • Security Audit — 76 findings across 6 phases, 38 fixed (CRITICAL: RSA-512 removal, ACME JWS bypass, XXE)
  • PKI Protocol Hardening — ACME, EST, SCEP, CRL hardened per RFC specifications
  • PDF Report Templates — Professional PDF reports with custom builder and scheduling
  • Roadmap — 9-item roadmap from market comparison gap analysis

Read Full Release Notes

v2.69

  • Executive PDF Report — Multi-section PDF with cover page, risk assessment, compliance, charts
  • Report Scheduler — 6 report types with daily/weekly/monthly frequency and email delivery
  • Reports Page Redesign — List layout with stat cards, inline schedule status, mobile-responsive

Read Full Release Notes

v2.68

  • ACME Wildcard CSR Fix — Corrected wildcard certificate handling in ACME CSR generation
  • Certificate Import Metadata — Imported certificates now preserve original metadata
  • Discord UI Fixes — 4 visual fixes for the Discord theme variant

Read Full Release Notes

v2.52 ✨

  • Certificate Discovery — Scan networks for TLS certificates with profiles, quick scan, SNI probing
  • Security Hardening — 15 findings fixed: SSRF protection, brute-force limits, audit logging, LDAP encryption
  • Error Visibility — Scan errors shown with troubleshooting hints
  • In-App Help — Expanded help for discovery page (profiles, filters, errors, export, security)

Read Full Release Notes

v2.51

  • EST management page with config, stats, endpoint info
  • Certificate unhold, enriched system-status badges
  • WebSocket real-time updates, accordion sidebar
  • CSR generation form, enhanced certificate issuance
  • Global UI density harmonization

v2.50

  • Login architecture redesign with sessionChecked state guard
  • mTLS auto-login with seamless certificate-based authentication
  • 6 mTLS authentication fixes (session handling, error flows, logout)
  • Enhanced /auth/methods endpoint with dynamic capability detection
  • Consistent auth response contract across all login paths

Read Full Release Notes

v2.1.0 ✨

  • Redesigned Operations page (Import/Export/Bulk Actions)
  • Unified ExportModal with RBAC permission guards
  • Dashboard charts with day selector (7d/15d/30d)
  • RBAC with 4 system roles (Admin, Operator, Auditor, Viewer) plus custom roles
  • SSO support: LDAP, OAuth2 (Azure/Google/GitHub), SAML with role mapping
  • ACME multi-CA support
  • In-app contextual help system
  • Force password change on first login
  • 9 languages, 2273+ keys each
  • Reports & governance (policies, approvals)

Read Full Release Notes

v2.0.3 🔧 STABLE

  • CA Creation Fix - Fixed crash with null validity/keySize values on Docker
  • DN Validation - Country code auto-uppercased, CSR validation added
  • Docker Path Unified - All data in /opt/ucm/data (same as DEB/RPM)
  • Migration Support - Auto-migrate from old Docker path on upgrade

Read Full Release Notes

v2.0.0 ✅ STABLE

  • Complete UI Redesign - New React 18 frontend with Radix UI
  • 12 Theme Variants - 6 color themes × Light/Dark modes
  • Enhanced Dashboard - Real-time stats, charts, activity feed
  • Certificate Toolbox - SSL checker, decoders, key matcher, converter
  • User Groups - Organize users with permissions
  • Certificate Templates - Predefined configurations
  • Trust Store - Manage trusted root CAs
  • Audit Trail - Complete action logging with hash chain verification
  • Password Security - Strength indicator, forgot password flow
  • Session Management - Timeout warning, force password change
  • API v2 - RESTful JSON API with OpenAPI docs
  • Docker Hub - Now available on Docker Hub
  • Auto-migration - Seamless upgrade from v1.8.x

Read Full Release Notes

v1.8.3 ✅ STABLE

  • Nginx Dependency Fixed
    • Nginx is now truly optional
    • UCM can run standalone with built-in HTTPS server
    • Fixed GitHub Actions workflow packaging bug
  • Deployment Flexibility
    • Standalone mode (no reverse proxy needed)
    • Reverse proxy mode (nginx/apache)
    • Docker deployment
  • Documentation Updates
    • All guides updated to v1.8.3
    • CHANGELOG with full history
    • Clear deployment options

Read Full Release Notes

v1.8.3

  • Export Authentication - All formats (PEM, DER, PKCS#12) with JWT
  • Visual Theme Previews - 2×4 grid with live previews
  • Docker/Native Compatibility - Dynamic path resolution
  • Global PKCS#12 Modal - Available across all pages

Read Release Notes

v1.7.5

  • Dependency Updates (Python 3.13 compatible)
  • Security: cryptography 46.0.3, pyOpenSSL 25.3.0
  • WebAuthn: Updated to 2.7.0 with FIDO2 improvements
  • Bug Fixes: Certificate selector, Dockerfile improvements

v1.7.0

  • Collapsible sidebar submenus with smooth animations
  • My Account section relocated to bottom of sidebar
  • Optimized sidebar width (220px uniform across all themes)
  • 14×14px submenu icons for better visual hierarchy
  • localStorage persistence for submenu states

v1.6.2

  • Fixed OPNsense import JavaScript errors
  • Fixed import statistics display
  • Improved toast notification system

v1.6.0

  • Complete Tailwind CSS removal (~827 classes)
  • Custom themed scrollbars
  • CRL Information pages (public & integrated)
  • Modal system improvements
  • Full responsive design
  • 8 beautiful themes

See Full Changelog


📊 System Information

Property         Value
Latest Stable    2.152
Previous Stable  2.151
Python           3.10+ (3.13 compatible)
Platform         Linux, Docker (multi-arch)
License          BSD-3-Clause
Repository       GitHub
Docker Registry  GHCR

🎯 Additional Resources

  • Release Notes - All versions
  • v2.152 Release - Security + RFC compliance hardening pass (OCSP/CRL/ACME/EST/SCEP/TSA), 6 ACME server bypasses closed, 20+ resource APIs hardened, import paths now encrypt at rest
  • v2.144 Release - Backend hardening: key_codec 26-site refactor, commit_or_rollback() for auth/mTLS/WebAuthn, encrypt_text/decrypt_text helpers, exc_info=True across silent excepts, generic release tooling + PostgreSQL CI matrix
  • v2.143 Release - PostgreSQL migration runner hotfix (#103, #104); ACME proxy account key encrypted at rest (#105); cross-target validation extended to PostgreSQL
  • v2.142 Release - Major security hardening sweep (16 fixes) + large modular refactor; PKCS12 include_chain honoured; Dashboard chart fix
  • v2.141 Release - Admin lockout prevented on DB backend switch; pg_dump in Docker image
  • v2.140 Release - SAN DB columns from final SAN list, on-disk certificate files
  • v2.139 Release - ACME EAB credentials, custom DNS resolvers, ACME on private IPs, Kubernetes/cert-manager integration
  • v2.130 Release - HSM-backed CAs (signing key never leaves the HSM)
  • v2.128 Release - Custom EKU OIDs, persisted filters, server-side preferences, Windows SSH .ps1
  • v2.127 Release - Native PostgreSQL backend, bidirectional migration UI, safety checks
  • v2.109 Release - CT logs, OCSP delegated, TSA, CPS, security audit
  • v2.107 Release - SoftHSM auto-register, CDP auto-enable, ACME Proxy
  • v2.75 Release - Delta CRL, security audit, PDF templates
  • v2.69 Release - Executive PDF reports, report scheduler, accessibility
  • v2.68 Release - ACME wildcard CSR fix, cert import metadata, Discord UI fixes
  • v2.52 Release - Certificate discovery and security hardening
  • v2.50 Release - Login architecture redesign, mTLS auto-login
  • Screenshots Gallery - See v2.0 in action
  • CI/CD Workflows - Build status

💡 Need Help?


Last Updated: 2026-05-03
Maintained By: NeySlim
