# User Manual

Complete guide for using Ultimate Certificate Manager.
- Login and Interface
- Dashboard
- CA Management
- Certificate Management
- Reports
- SCEP Server
- User Management
- System Settings
- Common Operations
## Login and Interface

### First login

1. Access UCM at `https://<your-server>:8443`
2. Log in with the default credentials:
   - Username: `admin`
   - Password: `admin`

   ⚠️ Important: Change the password immediately after first login!
3. Accept the self-signed certificate:
   - Your browser will display a warning
   - Click on "Advanced settings" → "Continue to site"
   - This is normal for the first login

### Interface overview

The UCM interface consists of:
- Navigation bar (top) - Quick access to sections
- Sidebar menu (left) - Main navigation
- Content area (center) - Main workspace
- Status bar (bottom) - System information

### Themes

UCM supports two themes:
- Light - Default
- Dark - In Settings → Profile → Theme
## Dashboard

The dashboard displays an overview of your PKI.

### Statistics

- Certificate Authorities
  - Total number of CAs
  - Active vs revoked CAs
  - Root CA / Intermediate CA breakdown
- Certificates
  - Total certificates issued
  - Active certificates
  - Revoked certificates
  - Expired certificates
- Upcoming Expirations
  - Certificates expiring within 30 days
  - Certificates expiring within 90 days
  - Expiration alerts
- SCEP Activity
  - Active SCEP endpoints
  - Recent enrollments
  - Automatic renewals

### Charts

- Issuance timeline - Certificates issued by period
- Type distribution - Server, Client, Code Signing, etc.
- Certificate status - Valid, Expired, Revoked
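The "Upcoming Expirations" counters above, and the "Expiring in 30/60/90 days" filter in the certificate list, come down to one check per certificate: does notAfter fall inside the window? The script below is an added example, not UCM code, that performs that check with `openssl x509 -checkend` over a directory of PEM files. The three sample certificates, their names and the scratch directory are constructed here for the demo.

```shell
#!/bin/sh
# Added example, not part of UCM: the check behind an "expiring within N days"
# counter, applied to a directory of PEM certificates with openssl x509
# -checkend. The three sample certificates are generated here with short
# validity periods; their names are made up.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo" >&2; exit 0; }

WORK=$(mktemp -d)
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"

# self_signed NAME DAYS: throwaway self-signed certificate valid for DAYS days
self_signed() {
  openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=$1" -days "$2" \
    -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# expires_within FILE DAYS: succeeds if the certificate's notAfter falls within
# DAYS days from now (or has already passed). -checkend itself succeeds when
# the certificate will still be valid at that point, so the result is inverted.
expires_within() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# list_expiring DIR DAYS: print the certificates in DIR that expire within DAYS days
list_expiring() {
  for f in "$1"/*.pem; do
    if expires_within "$f" "$2"; then
      printf '%s expires %s\n' "$(basename "$f" .pem)" \
        "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)"
    fi
  done
}

# count_expiring DIR DAYS: the number an "Upcoming Expirations" card would show
count_expiring() {
  n=0
  for f in "$1"/*.pem; do
    if expires_within "$f" "$2"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Sample inventory (constructed): one certificate inside the 30-day window,
# one inside the 90-day window only, one well beyond both.
self_signed web-legacy 10
self_signed mail 60
self_signed vpn 400

echo "expiring within 30 days: $(count_expiring "$WORK" 30)"
echo "expiring within 90 days: $(count_expiring "$WORK" 90)"
list_expiring "$WORK" 90
```

Run against a real export directory, `list_expiring /path/to/certs 30` gives the same list the dashboard alert is based on, which is a handy cross-check that the UI and what is actually deployed agree.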
## CA Management

### Create a Root CA

Navigation: Menu → Certificate Authorities → Create New CA

1. Basic settings
   - CA Type: Root CA
   - Key Type: RSA 4096 bits (recommended for Root CA)
   - Hash Algorithm: SHA-384 or SHA-512
   - Validity: 20 years (7300 days)
2. Distinguished Name (DN)
   - Common Name (CN): My Company Root CA
   - Organization (O): My Company Inc.
   - Organizational Unit (OU): IT Security
   - Country (C): FR
   - State (ST): Ile-de-France
   - Locality (L): Paris
3. Advanced options
   - ✅ CA Certificate - Required
   - ✅ Certificate Sign - Required
   - ✅ CRL Sign - Required
   - ⬜ Digital Signature - Optional
4. Click "Create CA"

### Create an Intermediate CA

Prerequisite: A Root CA must exist.

1. Configuration
   - CA Type: Intermediate CA
   - Parent CA: Select your Root CA
   - Key Type: RSA 4096 bits
   - Hash Algorithm: SHA-384
   - Validity: 10 years (3650 days)
2. Distinguished Name
   - CN: My Company Issuing CA 1
   - O: My Company Inc.
   - OU: PKI Services
   - C: FR
3. Path Length Constraint
   - 0 = This Intermediate CA cannot create other Intermediate CAs
   - 1 = Can create 1 additional level of Intermediate CAs
   - Empty = No limit
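The path length constraint is enforced by every relying party at validation time, not by the issuing CA, which is why it is worth seeing in action. The script below is an added example, not UCM code: it builds the Root CA and Issuing CA described above with plain OpenSSL in a scratch directory, gives the Issuing CA `pathlen:0`, and then shows that a certificate issued directly by it validates while a certificate issued through an extra, unplanned CA level underneath it is rejected. The CA names, file names and the `pki.cnf` sections are made up for the demo.

```shell
#!/bin/sh
# Added example, not UCM code: build the Root CA -> Intermediate CA hierarchy
# from this section with OpenSSL in a scratch directory, give the intermediate
# pathlen:0 as the manual describes, and show what that constraint enforces:
# a leaf issued directly by the intermediate validates, while a leaf issued by
# an extra CA level underneath it is rejected. File and CA names are made up.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo" >&2; exit 0; }

WORK=$(mktemp -d)
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_issuing]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_subca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# new_csr NAME SUBJECT: fresh key pair plus CSR (2048-bit RSA keeps the demo fast)
new_csr() {
  openssl req -new -config "$WORK/pki.cnf" -subj "$2" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER DAYS SECTION: issue NAME.pem from NAME.csr under ISSUER,
# with the extensions of SECTION from pki.cnf
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$3" -sha256 -extfile "$WORK/pki.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# verify_leaf LEAF CA...: path validation trusting only the Root CA; the other
# CA certificates are supplied as untrusted chain material, as a client would
verify_leaf() {
  leaf=$1; shift
  : > "$WORK/chain.pem"
  for ca in "$@"; do cat "$WORK/$ca.pem" >> "$WORK/chain.pem"; done
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" "$WORK/$leaf.pem" >/dev/null 2>&1
}

# Root CA: self-signed, no path length limit ("Empty = No limit")
openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_root \
  -subj "/C=FR/O=My Company Inc./CN=My Company Root CA" \
  -newkey rsa:2048 -nodes -sha256 -days 7300 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA with pathlen:0: may issue end-entity certificates only
new_csr issuing "/C=FR/O=My Company Inc./CN=My Company Issuing CA 1"
sign issuing root 3650 v3_issuing

# Allowed: leaf directly under the intermediate
new_csr web-ok "/CN=www.example.com"
sign web-ok issuing 395 v3_leaf

# Not allowed: a further CA under the intermediate, and a leaf under that CA.
# Signing still succeeds (the constraint is checked by verifiers, not signers).
new_csr subca "/C=FR/O=My Company Inc./CN=Unplanned Sub CA"
sign subca issuing 3650 v3_subca
new_csr web-bad "/CN=www.example.com"
sign web-bad subca 395 v3_leaf

if verify_leaf web-ok issuing; then echo "leaf under Issuing CA 1: valid"; fi
if ! verify_leaf web-bad issuing subca; then echo "leaf under extra Sub CA: rejected (path length exceeded)"; fi
```

The practical consequence: with `pathlen:0` on the Issuing CA, a compromise of its key lets an attacker mint end-entity certificates but not a new CA that clients would accept, so pick 0 unless you have a concrete plan for a deeper hierarchy.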
### Import a CA

Navigation: Menu → Import CA

1. Supported formats
   - PEM - .pem, .crt, .key files
   - PKCS#12 - .pfx, .p12 files
2. PEM import
   - Certificate File: ca-cert.pem
   - Private Key File: ca-key.pem
   - Private Key Password: (if encrypted)
3. PKCS#12 import
   - PKCS#12 File: ca.pfx
   - Password: ****

### Export a CA

Navigation: CA list → Actions → Export

1. Choose format
   - Certificate only (PEM) - For public distribution
   - Full chain (PEM) - Certificate + complete chain
   - PKCS#12 - Certificate + private key (⚠️ secure)
2. For PKCS#12
   - Export Password: ********
   - Confirm Password: ********

### Revoke a CA

Navigation: CA list → Select CA → Revoke

1. Revocation reason
   - Key Compromise
   - Superseded
   - Cessation of Operation
   - Unspecified
2. Consequences
   - All certificates issued by this CA become invalid
   - The CA appears in the CRL
   - Non-reversible operation
## Certificate Management

### Issue a certificate

Navigation: Menu → Certificates → Issue New Certificate

1. Select issuing CA
   - Issuing CA: My Company Issuing CA 1
2. Certificate type
   - Server Certificate - Web servers, VPN, etc.
   - Client Certificate - User authentication
   - Code Signing - Code signing
   - Email Certificate - S/MIME
3. Subject information

   For a server certificate:
   - Common Name (CN): www.example.com
   - Organization (O): Example Inc.
   - OU: Web Services
   - Country (C): FR

   For a client certificate:
   - CN: John Doe
   - Email: john.doe@example.com
   - O: Example Inc.
4. Key configuration
   - Key Type: RSA 2048 bits (standard) or ECDSA P-256 (modern, faster)
   - Hash Algorithm: SHA-256 (standard)
   - Validity: 395 days (13 months, browser max)
5. Subject Alternative Names (SANs)

   For server certificates (important!):
   - DNS Names: www.example.com, example.com, mail.example.com
   - IP Addresses (if needed): 192.168.1.100
6. Key Usage

   Server certificate:
   - ✅ Digital Signature
   - ✅ Key Encipherment
   - Extended: Server Authentication

   Client certificate:
   - ✅ Digital Signature
   - ✅ Key Agreement
   - Extended: Client Authentication

   Code Signing:
   - ✅ Digital Signature
   - Extended: Code Signing
7. Click "Issue Certificate"
### Sign a CSR

Navigation: Menu → Certificates → Sign CSR

1. Upload the CSR file
   - Drag & Drop or Browse: request.csr
2. UCM automatically displays
   - CSR Subject DN
   - Public key and type
   - Requested extensions
3. Select CA and configure
   - Issuing CA: My Company Issuing CA 1
   - Validity: 365 days
4. Verify/Add SANs if needed
5. Sign the CSR
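A CSR is the requester's proposal, and step 4 exists because the CA is the control point for what ends up in the certificate: the requester can ask for any SAN it likes. The script below is an added example, not UCM code, that produces the kind of server CSR this page accepts (the subject, SANs and key usage of the server template from the previous section, on an ECDSA P-256 key) and then reads back the three things the Sign CSR page shows before signing. The `server.cnf` sections, file names and the scratch directory are made up for the demo.

```shell
#!/bin/sh
# Added example, not UCM code: generate a server CSR carrying the subject,
# SANs and key usage of the manual's server template, then inspect it the way
# the Sign CSR page does (subject DN, key type, requested extensions) before
# handing it to an issuing CA. Names and paths are illustrative.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo" >&2; exit 0; }

WORK=$(mktemp -d)
cat > "$WORK/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
req_extensions = v3_server
[dn]
C = FR
O = Example Inc.
OU = Web Services
CN = www.example.com
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com,DNS:example.com,DNS:mail.example.com,IP:192.168.1.100
EOF

# make_csr: ECDSA P-256 key (the "modern, faster" option) and a SHA-256 signed request
make_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/server.key"
  openssl req -new -config "$WORK/server.cnf" -key "$WORK/server.key" -sha256 \
    -out "$WORK/request.csr"
}

# The three things to review before choosing an issuing CA:
csr_subject()  { openssl req -in "$WORK/request.csr" -noout -subject; }
csr_key_type() { openssl req -in "$WORK/request.csr" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'; }
csr_sans()     { openssl req -in "$WORK/request.csr" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'; }

# csr_signature_ok: the request's self-signature shows the requester holds the private key
csr_signature_ok() { openssl req -in "$WORK/request.csr" -noout -verify >/dev/null 2>&1; }

make_csr
if csr_signature_ok; then echo "CSR signature: OK"; fi
echo "Subject: $(csr_subject)"
echo "Key: $(csr_key_type)"
echo "Requested SANs: $(csr_sans)"
```

Note that OpenSSL, like UCM, copies requested extensions into the certificate only when the signer explicitly asks for them; a name the requester is not entitled to should be dropped at step 4, not signed because it was "in the CSR".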
### Renew a certificate

Navigation: Certificate list → Select → Renew

1. Renewal options
   - Reuse same key - Keeps existing key
   - Generate new key - Recommended for security
2. Adjust validity if needed
   - Validity: 395 days
3. The new certificate
   - Keeps the same Subject DN
   - Keeps the same SANs
   - New serial number
   - New validity period

### Revoke a certificate

Navigation: List → Select certificate → Revoke

1. Revocation reason
   - Key Compromise ⚠️
   - CA Compromise ⚠️⚠️
   - Affiliation Changed
   - Superseded
   - Cessation of Operation
   - Certificate Hold (temporary suspension)
   - Remove from CRL
   - Privilege Withdrawn
2. Immediate effect
   - Certificate added to CRL
   - OCSP returns "revoked"
   - Invalid for any use
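"Invalid for any use" holds only for clients that actually check revocation, so it is worth seeing the CRL side end to end. The script below is an added example, not UCM code: a throwaway OpenSSL CA issues one server certificate, revokes it with reason `keyCompromise`, publishes a fresh CRL, and CRL-aware validation rejects the certificate from then on. The `ca.cnf` contents, CA name, serial numbers and scratch directory are constructed for the demo; OCSP is not shown because it needs a live responder.

```shell
#!/bin/sh
# Added example, not UCM code: a throwaway OpenSSL CA that issues one server
# certificate, revokes it with reason keyCompromise, publishes a new CRL and
# shows that CRL-aware validation rejects the certificate from then on (the
# "Certificate added to CRL / Invalid for any use" effect). Paths and names
# are made up.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo" >&2; exit 0; }

WORK=$(mktemp -d)
mkdir "$WORK/newcerts"
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"

# Minimal `openssl ca` configuration; $WORK is expanded by the shell, $dir is left for OpenSSL
cat > "$WORK/ca.cnf" <<EOF
[ca]
default_ca = demo_ca
[demo_ca]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 395
default_crl_days = 7
policy = any_policy
x509_extensions = v3_leaf
[any_policy]
commonName = supplied
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Issuing CA (self-signed here; in UCM this role is played by the intermediate CA)
openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -subj "/CN=Demo Issuing CA" \
  -newkey rsa:2048 -nodes -sha256 -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue NAME SUBJECT: key, CSR and a certificate recorded in the CA database
issue() {
  openssl req -new -config "$WORK/ca.cnf" -subj "$2" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -batch -notext -in "$WORK/$1.csr" -out "$WORK/$1.pem" 2>/dev/null
}

# revoke NAME REASON: mark the certificate revoked; REASON uses the same set as
# the manual's list (keyCompromise, superseded, certificateHold, ...)
revoke() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.pem" -crl_reason "$2" 2>/dev/null
}

# publish_crl: regenerate the CRL; UCM does this on its CRL Update Interval
publish_crl() { openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null; }

# is_valid NAME: path validation with CRL checking; fails once NAME is on the CRL
is_valid() {
  openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/ca.crl" "$WORK/$1.pem" >/dev/null 2>&1
}

# is_listed NAME: true if NAME's serial number appears in the published CRL
is_listed() {
  serial=$(openssl x509 -in "$WORK/$1.pem" -noout -serial | cut -d= -f2)
  openssl crl -in "$WORK/ca.crl" -noout -text | grep -q "Serial Number: $serial"
}

issue web "/CN=www.example.com"
publish_crl
if is_valid web; then echo "before revocation: valid"; fi

revoke web keyCompromise
publish_crl
if ! is_valid web; then echo "after revocation: rejected by CRL check"; fi
if is_listed web; then echo "CRL now lists the certificate's serial number"; fi
```

The gap between `revoke` and `publish_crl` is the operational point: clients that cache the previous CRL keep trusting the certificate until its nextUpdate passes, so the CRL Update Interval in System Settings bounds how long a revoked key stays usable against CRL-only clients.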
### Export a certificate

Navigation: List → Select → Export

1. Available formats

   PEM (Base64 ASCII):
   - Certificate only (.pem)
   - Certificate + Chain (.pem)
   - Full chain (.pem)

   DER (Binary):
   - Certificate only (.der, .cer)

   PKCS#12:
   - Certificate + Private Key + Chain (.pfx, .p12) - Password protected ⚠️
2. PKCS#12 export (includes private key)
   - Export Password: ********
   - Friendly Name: www.example.com
   - Include Chain: ✅ Recommended

### Search and filter

Search bar - search by:
- Common Name (CN)
- Serial Number
- Subject DN
- Issuer DN
- Email

Advanced filters:
- Status: Active / Revoked / Expired
- Type: Server / Client / Code Signing
- Issuer: Select a CA
- Validity: Expiring in 30/60/90 days
## Reports

UCM provides comprehensive reporting and analytics for your PKI infrastructure. For full details, see the dedicated Reports & Analytics page.

Key features:
- 6 Report Types - Expiring certificates, revoked certificates, CA hierarchy, audit summary, compliance status, certificate inventory
- Executive PDF - Downloadable multi-section PDF with cover page, risk assessment, charts, and recommendations
- Report Scheduler - Automate report generation with daily/weekly/monthly email delivery (up to 50 recipients)
- On-Demand Download - Generate any report instantly in CSV or JSON format

Quick start:
1. Navigate to Reports in the sidebar
2. Browse available report types with descriptions and schedule status
3. Click Generate to download a report immediately
4. Click Executive PDF for the comprehensive PDF report
5. Click the Schedule icon to set up automated email delivery

Required permissions:
- View reports: `read:audit`
- Generate/download: `read:audit` + `export:audit`
- Configure schedules: `write:settings`

→ Full Reports Documentation
## SCEP Server

SCEP (Simple Certificate Enrollment Protocol) enables automatic certificate enrollment.

### Create a SCEP endpoint

Navigation: Menu → SCEP → New Endpoint

1. Basic configuration
   - Endpoint Name: Mobile Devices SCEP
   - Description: SCEP for iOS/Android
   - Issuing CA: My Company Issuing CA 1
2. SCEP settings
   - Challenge Password: ****************
   - Challenge Type: Dynamic (recommended) or Static
   - Validity: 365 days
   - Auto-renewal: ✅ Enabled
   - Renewal Window: 30 days before expiration
3. Certificate template
   - Certificate Type: Client Certificate
   - Key Type: RSA 2048 or ECDSA P-256
   - Hash Algorithm: SHA-256
   - Key Usage: ✅ Digital Signature, ✅ Key Agreement
   - Extended Key Usage: ✅ Client Authentication, ✅ Email Protection (if needed)
4. Generated SCEP URL: `https://<server>:8443/scep/mobile-devices`

### iOS enrollment

1. Create a configuration profile (.mobileconfig)

   UCM automatically generates the profile: SCEP Menu → Endpoint → Generate iOS Profile
2. Profile settings
   - Profile Name: Company PKI
   - Organization: My Company Inc.
   - Description: Enterprise Certificate Enrollment
3. Distribute the profile
   - MDM (Mobile Device Management)
   - Download URL
   - AirDrop
4. Installation on iOS
   - Settings → Profile Downloaded → Install
   - Enter Challenge Password: ****

### Android enrollment

1. Download a SCEP management app
   - Use a SCEP-compatible app
   - Or MDM integration
2. Manual configuration
   - SCEP URL: https://<server>:8443/scep/mobile-devices
   - Challenge Password: ****

### Windows enrollment

1. Via GPO (Group Policy)

   Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Certificate Services Client - Auto-Enrollment
2. NDES-like configuration
   - SCEP URL: https://<server>:8443/scep/windows
   - Challenge: ****

### Monitor SCEP activity

Navigation: SCEP Menu → Endpoint → Activity

Displays:
- Successful enrollments
- Failures and reasons
- Automatic renewals
- Revocations
## User Management

UCM uses an RBAC (Role-Based Access Control) system.

### Roles

- Admin
  - Full access
  - CA management
  - User management
  - System configuration
- Operator
  - Issue certificates
  - Revoke certificates
  - Export certificates
  - View CAs (read-only)
- Viewer
  - View CAs
  - View certificates
  - Download public certificates
  - No modifications

### Add a user

Navigation: Menu → Settings → Users → Add User

1. User information
   - Username: john.doe
   - Full Name: John Doe
   - Email: john.doe@example.com
   - Role: Operator
2. Password
   - Password: ********** (min 8 characters)
   - Confirm: **********
   - Requirements: 8+ characters, uppercase + lowercase, at least 1 digit, 1 special character recommended
3. Options
   - ✅ Force password change on first login
   - ✅ Account enabled
   - ⬜ API access enabled

### Edit a user

Navigation: User list → Edit

Possible modifications:
- Full name
- Role
- Account status
- Reset password

### Change your password

Navigation: User menu (top right) → Profile → Security → Change Password

- Current Password: ****
- New Password: ********
- Confirm New Password: ********
## System Settings

Navigation: Menu → Settings → System

### General

- System Name: My Company PKI
- Base URL: https://pki.example.com:8443
- Administrator Email: pki-admin@example.com
- Organization: Example Inc.

### CRL

- CRL Update Interval: 24 hours
- CRL Distribution Point: http://pki.example.com:8080/crl/<ca-id>.crl
- Next CRL Update: 7 days

### OCSP

- OCSP Responder: ✅ Enabled
- OCSP URL: http://ocsp.example.com:8080
- OCSP Signing Certificate: Auto-generated
- Response Validity: 7 days

### Security

- Session Timeout: 30 minutes
- Max Login Attempts: 5
- Lockout Duration: 15 minutes
- Force HTTPS: ✅ Enabled
- HSTS: ✅ Enabled

### Backup

Automatic backup:
- Backup Interval: Daily
- Backup Time: 02:00 AM
- Retention: 7 days
- Backup Path: /opt/ucm/backups/

### Maintenance

- Auto-cleanup expired certificates: ✅ 90 days after expiration
- Auto-cleanup revoked certificates: Keep
- Database optimization: Weekly
## Common Operations

### Scenario: Secure www.example.com

1. Certificates → Issue New Certificate
2. Issuing CA: Intermediate CA
3. Certificate Type: Server Certificate
4. Subject DN:
   - CN: www.example.com
   - O: Example Inc.
5. SANs:
   - www.example.com
   - example.com
6. Key: RSA 2048, SHA-256
7. Validity: 395 days
8. Issue → Export PKCS#12
9. Install on web server

### Scenario: VPN authentication by certificate

1. Certificates → Issue New Certificate
2. Type: Client Certificate
3. Subject:
   - CN: john.doe
   - Email: john.doe@example.com
4. Key Usage:
   - Digital Signature
   - Key Agreement
   - Client Authentication
5. Export PKCS#12 with password
6. Send securely to user
7. Configure VPN to accept this CA

### Scenario: Sign applications

1. Certificates → Issue New Certificate
2. Type: Code Signing
3. Subject:
   - CN: Example Inc. Code Signing
   - O: Example Inc.
4. Key: RSA 4096 (recommended for code signing)
5. Validity: 3 years maximum
6. Extended Key Usage: Code Signing
7. Export PKCS#12
8. Use with signtool, jarsigner, etc.

### Scenario: Sign and encrypt emails

1. Certificates → Issue New Certificate
2. Type: Email Certificate
3. Subject:
   - CN: John Doe
   - Email: john.doe@example.com
4. SANs:
   - Email: john.doe@example.com
5. Key Usage:
   - Digital Signature
   - Key Encipherment
   - Email Protection
6. Export PKCS#12
7. Import into email client (Outlook, Thunderbird)

### Scenario: Deploy certificates on 100 iPads

1. SCEP → New Endpoint
2. Name: iPad Fleet
3. Type: Client Certificate
4. Challenge: Dynamic
5. Auto-renewal: ✅
6. Generate iOS Profile
7. Distribute via MDM
8. iPads enroll automatically
9. Auto-renewal 30 days before expiration
### Initial setup checklist

- Root CA created with 4096-bit key and 20-year validity
- Intermediate CA created for daily issuance
- Root CA backup performed and stored offline
- Root CA stored offline (cold storage)
- Admin password changed
- Users created with appropriate roles
- HTTPS configured with valid certificate
- CRL and OCSP configured and accessible
- Automatic backup configured
- Firewall configured (port 8443 HTTPS, 8080 HTTP for CRL/OCSP)

### Validation checklist

- Certificate issuance test
- Revocation test and CRL verification
- OCSP test
- SCEP enrollment test
- Renewal test
- Backup verification
- Procedure documentation
- Operator training

### Support

- Documentation: GitHub Wiki
- Issues: GitHub Issues
- Discussions: GitHub Discussions

Next section: Troubleshooting | API Reference