UCM

Ultimate Certificate Manager

Your PKI, one install away.

Open Source • BSD-3-Clause

The self-hosted certificate authority with a modern web UI. Create, manage, discover, and automate your certificates — no YAML, no CLI expertise needed.

Up and running in 60 seconds

Choose your platform. One command, full PKI.

docker run -d --restart=unless-stopped \
  --name ucm \
  -p 8443:8443 \
  -p 8080:8080 \
  -v ucm-data:/opt/ucm/data \
  neyslim/ultimate-ca-manager:latest

Then open https://localhost:8443 and log in with admin / changeme123

Everything you need for PKI

A complete certificate management platform, not just a CLI tool.

CA Hierarchy

Build complete CA hierarchies. Root CAs and intermediate CAs with full chain management — all from the web UI.

Certificate Lifecycle

Issue, sign, revoke, renew, export. Bulk operations, auto-renewal, PKCS#12/PEM/DER export with full chain.

Certificate Discovery

Scan your network to find every certificate. Scheduled scans, scan profiles, and automatic import.

ACME Server

RFC 8555 with auto-enrollment, auto-renewal, DNS-01/HTTP-01 challenges, wildcard support. Works with certbot, acme.sh, Caddy.

SCEP & EST

Industry-standard enrollment protocols (RFC 8894 & RFC 7030) for network devices and automated provisioning.

CRL & OCSP

Full and Delta CRL (RFC 5280), public CDP endpoints, OCSP responder (RFC 6960). Real-time revocation status.

Microsoft ADCS

Sign CSRs via Active Directory Certificate Services. Template discovery, EOBO (Enroll On Behalf Of) support.

Templates & Policies

Certificate templates with pre-set fields and key usages. Issuance policies with approval workflows.

HSM Support

Protect your CA keys with PKCS#11 hardware security modules. SoftHSM included, Azure Key Vault, Google Cloud KMS.

SSH Certificate Authority

Create SSH CAs, sign user and host keys, manage SSH certificates. Import existing CAs or use X.509 CAs for SSH signing.

Timestamping (TSA)

RFC 3161 Time-Stamp Authority. Sign timestamps for code signing, document integrity, and compliance audit trails.

Authentication

Password, WebAuthn/FIDO2, TOTP 2FA, mTLS, API keys. SSO via LDAP, OAuth2 (Azure/Google/GitHub), SAML.

RBAC & Audit

Built-in and custom roles with granular permissions. Tamper-evident audit logs with SHA-256 hash chains.

Reports & Notifications

Scheduled PDF reports, email alerts, webhooks (15+ event types). Certificate expiry notifications.

Trust Store & Tools

Manage trusted root CAs. SSL checker, CSR/cert decoder, key matcher, format converter — all built in.

Backup & Updates

Scheduled backups with retention policies. In-app update checker with one-click install.

Easy Deployment

One-command install on Docker, Debian, or RHEL. No Java, no application server, no complexity.

Modern UI

6 themes, 9 languages, drag-and-drop dashboard, command palette (Ctrl+K), real-time WebSocket updates.

A UI you'll actually want to use

Not just a CLI with a web wrapper. A real, modern interface — on desktop and mobile.

Fully responsive

Manage your PKI from any device.