UCM

Ultimate Certificate Manager

Your PKI, one install away.

Open Source • GPLv3

The self-hosted certificate authority with a modern web UI. Create, manage, discover, and automate your certificates — no YAML, no CLI expertise needed.

Up and running in 60 seconds

Choose your platform. One command, full PKI.

docker run -d --restart=unless-stopped \
  --name ucm \
  -p 8443:8443 \
  -v ucm-data:/opt/ucm/data \
  neyslim/ultimate-ca-manager:latest

Then open https://localhost:8443 and log in with the default credentials: admin / changeme123

Everything you need for PKI

A complete certificate management platform, not just a CLI tool.

CA Hierarchy

Build complete CA hierarchies. Root CAs and intermediate CAs with full chain management — all from the web UI.

Certificate Discovery

Scan your network to find every certificate. Identify expiring, misconfigured, or unknown certs automatically.

ACME Server

Built-in ACME server compatible with certbot, Caddy, and any ACME client. Automate certificate issuance.

Certificate Templates

Define reusable certificate profiles with pre-set fields, key usages, and validity periods.

HSM Support

Protect your CA keys with PKCS#11 hardware security modules. SoftHSM included for testing.

RBAC & Audit

4 roles — admin, operator, auditor, viewer. Tamper-evident audit logs with SHA-256 hash chains.

SCEP & EST

Industry-standard enrollment protocols (RFC 8894 & RFC 7030) for network devices and automated provisioning.

Easy Deployment

One package install on Debian, RHEL, or Docker. No Java, no application server, no complexity.

Built-in Help

Contextual help panel on every page with guides, tips, and keyboard shortcuts. No need to leave the app.

A UI you'll actually want to use

Not just a CLI with a web wrapper. A real, modern interface — on desktop and mobile.

Fully responsive

Manage your PKI from any device.

Under the hood

A complete PKI platform — from certificate authority to network discovery.

🏛️

CA Hierarchy

Create Root and Intermediate Certificate Authorities with full chain validation. Manage keys, CRLs, and OCSP responders from a single interface.

📜

Certificate Lifecycle

Issue, renew, revoke, and export certificates in PEM, DER, PKCS#12, and JKS formats. Track expiration with automated alerts and dashboard widgets.

🔍

Network Discovery

Scan your network to find all TLS certificates in use. Identify unmanaged, expired, or soon-to-expire certificates across your infrastructure with SNI probing and SAN extraction.

🤖

ACME Server

Built-in ACME server (RFC 8555) for automated certificate issuance. Compatible with certbot, acme.sh, and any standard ACME client.

📡

SCEP & EST Protocols

Enroll devices via SCEP (RFC 8894) and EST (RFC 7030). Ideal for network equipment, MDM, and IoT deployments.

🔐

HSM Support

Protect CA private keys with Hardware Security Modules via PKCS#11. Compatible with YubiHSM, SoftHSM, Thales Luna, and other PKCS#11 devices.

🛡️

Role-Based Access Control

Four built-in roles — Admin, Operator, Auditor, Viewer — with granular permissions. Supports LDAP, mTLS, WebAuthn, and SSO authentication.

📋

Audit Logging

Tamper-evident audit trail with SHA-256 hash chains. Every action is logged with user, timestamp, IP, and integrity verification.

📦

Easy Deployment

Install in under a minute with native DEB and RPM packages, or run as a Docker container. No Java, no Kubernetes, no external database required.

🌍

Multilingual

Full interface available in 9 languages: English, French, German, Spanish, Italian, Portuguese, Japanese, Chinese, and Ukrainian.

📄

Certificate Templates

Define reusable certificate profiles with pre-configured subject fields, key usages, extensions, and validity periods for consistent issuance.

⚖️

Open Source

Licensed under GPLv3. Fully self-hosted, no vendor lock-in, no telemetry. Audit the code yourself on GitHub.