Ultimate Certificate Manager (UCM) is a web-based Certificate Authority management platform with PKI protocol support (ACME, SCEP, EST, OCSP, CRL/CDP), Microsoft ADCS integration, multi-factor authentication, and certificate lifecycle management.

🚀 UCM is a young and actively developed project. Feedback, bug reports, and feature requests are very welcome! Feel free to open an issue — every report helps make UCM better.

✨ Latest release — v2.140 (2026-04-27): SAN database columns now derived from the canonical SAN list (auto-backfill via migration 027), and CA / certificate .crt / .key files are now materialized to disk on every creation path. See the v2.140 release notes and the full CHANGELOG for v2.128 → v2.140.

• CA Management -- Root and intermediate CAs, hierarchy view, import/export, HSM-backed signing keys (private key never leaves the HSM)
• Certificate Lifecycle -- Issue, sign, revoke, renew, export (PEM, DER, PKCS#12, JKS), bulk operations
• CSR Management -- Create, import, sign Certificate Signing Requests with custom Extra EKU OIDs (RFC 5280 §4.2.1.12)
• Certificate Templates -- Predefined profiles for server, client, code signing, email
• Certificate Discovery -- Network scanning, scan profiles, scheduled scans, certificate import
• Trust Store -- Manage trusted root CA certificates with expiry alerts
• Chain Repair -- AKI/SKI-based chain validation with automatic repair scheduler
• SSH Certificates -- SSH Certificate Authority management, sign host/user certificates, import CAs and certs, curl-friendly setup scripts

• ACME -- RFC 8555, auto-enrollment, auto-renewal, DNS-01/HTTP-01/TLS-ALPN-01 challenges, wildcard support, External Account Binding (EAB, RFC 8555 §7.3.4), custom DNS resolvers for split-horizon, ACME on internal/private IPs, proxy mode
• SCEP -- RFC 8894 device auto-enrollment with approval workflows
• EST -- RFC 7030 Enrollment over Secure Transport
• OCSP -- RFC 6960 real-time certificate status
• CRL/CDP -- Certificate Revocation List distribution with Delta CRL support (RFC 5280 §5.2.4)
• AIA CA Issuers -- Authority Information Access CA certificate download (RFC 5280 §4.2.2.1)

• Microsoft ADCS -- Certificate signing via AD CS, template discovery, EOBO (Enroll On Behalf Of)
• HSM -- SoftHSM included, PKCS#11, Azure Key Vault, Google Cloud KMS, OpenBao/Vault Transit; HSM-backed CAs with non-exportable signing keys
• Kubernetes / cert-manager -- Reference manifests for ClusterIssuer (HTTP-01 + DNS-01 with EAB), sample Certificate, Secret template under examples/kubernetes/cert-manager/
• DNS Providers -- Cloudflare, Route53, Azure DNS and more for ACME DNS-01 challenges
• Webhooks -- Event-driven notifications for certificate lifecycle events (15+ event types)

• Authentication -- Password, WebAuthn/FIDO2, TOTP 2FA, mTLS, API keys
• SSO -- LDAP, OAuth2 (Azure/Google/GitHub), SAML single sign-on with role mapping; per-user auth_source tracking and opt-in role sync on login
• RBAC -- 4 built-in roles (Admin, Operator, Auditor, Viewer) plus custom roles with granular permissions
• Policies & Approvals -- Certificate issuance policies with approval workflows
• Audit Logs -- Action logging with integrity verification and remote syslog forwarding

• Dashboard -- Customizable drag-and-drop widgets, real-time stats, certificate trends
• Reports -- Scheduled PDF reports, executive summaries, custom templates
• Certificate Toolbox -- SSL checker, CSR/cert decoder, key matcher, format converter
• Email Notifications -- SMTP with OAuth2 (XOAUTH2) for Gmail, Outlook.com & Microsoft 365, customizable HTML/text templates, certificate expiry alerts
• Backup & Restore -- Manual and scheduled backups with retention policies
• Software Updates -- In-app update checker with one-click install
• Global Search -- Cross-resource search and command palette (Ctrl+K)

• 6 Themes -- 3 color schemes (Gray, Purple Night, Orange Sunset) × Light/Dark; per-user preferences persisted server-side (language, theme, mode)
• i18n -- 9 languages (EN, FR, DE, ES, IT, PT, UK, ZH, JA)
• Persisted UI state -- Filter selections persist across reloads on every list page
• Database -- SQLite (default) or native PostgreSQL backend with bidirectional migration UI
• Responsive UI -- React 18 + Radix UI, mobile-friendly
• Real-time -- WebSocket live updates
• Multi-platform -- Docker, Debian/Ubuntu (.deb), RHEL/Rocky/Fedora (.rpm)

docker run -d --restart=unless-stopped \
  --name ucm \
  -p 8443:8443 \
  -p 8080:8080 \
  -v ucm-data:/opt/ucm/data \
  neyslim/ultimate-ca-manager:latest

Also available from GitHub Container Registry: ghcr.io/neyslim/ultimate-ca-manager

Download the .deb package from the latest release:

sudo dpkg -i ucm_<version>_all.deb
sudo systemctl enable --now ucm

Download the .rpm package from the latest release:

sudo dnf install ./ucm-VERSION-1.noarch.rpm
sudo systemctl enable --now ucm

Access: https://localhost:8443 or https://your-server-fqdn:8443 Default credentials: admin / changeme123 — you will be prompted to change on first login.

See Installation Guide for all methods including Docker Compose and source install.

Docker: data at /opt/ucm/data/ (mount as volume), config via environment variables, logs to stdout.

• Code Signing — Issue and manage code signing certificates (Authenticode, JAR, macOS)
• High Availability / Clustering — Active-passive or active-active HA deployment
• Helm chart — Package UCM itself as a Helm chart for in-cluster deployment (k8s clusters can already consume UCM today via the cert-manager integration shipped in v2.139)
• Post-Quantum Cryptography — ML-DSA, ML-KEM, SLH-DSA key types (NIST FIPS 203/204/205)
• CMP Protocol (RFC 4210) — Certificate Management Protocol support
• Key Archival & Recovery — Secure key escrow with recovery workflows
• SAN database columns derived from final SAN list — san_email / san_dns / san_ip / san_uri always match the X.509 extension, with backfill migration (v2.140)
• On-disk certificate & CA files — .crt / .key materialized to disk on every creation path (v2.140)
• ACME External Account Binding (EAB, RFC 8555 §7.3.4) — Issue/rotate/revoke kid+hmac pairs for cert-manager / certbot / acme.sh (v2.139)
• ACME custom DNS resolvers + private-IP validation — Split-horizon DNS, RFC1918/.lan/.local HTTP-01 & TLS-ALPN-01 (v2.139)
• Kubernetes / cert-manager integration — Reference manifests for ClusterIssuer (HTTP-01 + DNS-01 with EAB) (v2.139)
• SMTP OAuth2 (XOAUTH2) — Gmail, Outlook.com, Microsoft 365 modern auth (v2.134)
• SSO auth_source tracking + role preservation — Per-user origin, optional sync-on-login, UI never overwritten (v2.133)
• HSM-backed Certificate Authorities — Signing key generated/stored in HSM, never exportable (v2.130)
• Native PostgreSQL backend — Bidirectional migration UI with safety checks (v2.127)
• PostgreSQL feature parity — Database stats, optimize, integrity check, certificate activity chart all work natively on PostgreSQL (v2.135)
• Custom Extra EKU OIDs — Microsoft RDP, smartcard logon, document signing, IPsec, Kerberos PKINIT… (RFC 5280 §4.2.1.12) (v2.128)
• Persisted UI filters — Filter selections survive reloads on every list page (v2.128)
• User preferences server-side — Language/theme follow the user across browsers (v2.128)
• Windows SSH CA setup script (.ps1) — One-command trust setup for Windows OpenSSH Server (v2.128/v2.134)
• SSH Certificates — SSH CA management, host/user certificate signing, import, setup scripts (v2.112)
• Security Audit — Comprehensive security hardening: session fixation, export passwords, LDAP injection, LIKE escaping (v2.112)
• Certificate Transparency (RFC 6962) — CT log submission, SCT parsing, auto-submit on issuance (v2.109)
• OCSP Delegated Responder (RFC 5019) — Per-CA delegated responder assignment with EKU validation (v2.109)
• Certificate Practice Statement (CPS) — Per-CA CPS URI and Policy OID in CertificatePolicies extension (v2.109)
• Multiple CDP/OCSP/AIA URLs — Multiple distribution points and access descriptions per CA (v2.109)
• RFC 3161 Timestamp Authority (TSA) — Time stamping server with configurable policy, hash algorithms, and accuracy (v2.109)
• In-App Help Translations — 208 help files across 8 languages for all 26 sections (v2.109)
• ACME Auto-Supersede — Automatically revoke old certificates on ACME renewal (v2.110)
• Universal Format Detection — DER/PEM detection by content across all file uploads (v2.110)
• PKCS7/PKCS12 Decode — Certificate decoder supports P7B bundles and PKCS12 files (v2.111)
• Delta CRL — Incremental CRL updates for large deployments (v2.75)

1. Fork the repository
2. Create feature branch (git checkout -b feature/my-feature)
3. Commit and push
4. Open Pull Request

BSD 3-Clause License with Commons Clause -- see LICENSE.

• GitHub Issues
• GitHub Wiki

If you find UCM useful, consider supporting its development: