Your internal PKI, zero internet required.
uPKI CA is a self-hosted Certificate Authority that gives you complete control over your internal TLS infrastructure. Issue, renew, and revoke X.509 certificates via ZMQ — no cloud, no third party, no dependency.
Why uPKI CA?
Air-gapped by design
Runs fully offline. No internet access required — ideal for secure, regulated, or isolated environments.
ZMQ protocol
Fast, binary-safe JSON-over-ZMQ protocol. One port for CA operations, one for RA registration.
7 built-in profiles
Ready-made profiles for root CA, intermediate CA, server, client, OCSP, email, and code signing.
Flexible storage
File-based by default (TinyDB + filesystem). MongoDB adapter available for larger deployments.
Full lifecycle
Generate, sign, renew, revoke, unrevoke, and delete certificates with a clean ZMQ API.
uPKI ecosystem
Works seamlessly with uPKI RA (ACME v2) and uPKI CLI for a complete private PKI stack.