[{"data":1,"prerenderedAt":314},["ShallowReactive",2],{"navigation_docs":3,"-docs-concepts-architecture":86,"-docs-concepts-architecture-surround":309},[4,22,31,48,65],{"title":5,"path":6,"stem":7,"children":8,"page":21},"Api","\u002Fdocs\u002Fapi","docs\u002Fapi",[9,13,17],{"title":10,"path":11,"stem":12},"CLI Reference","\u002Fdocs\u002Fapi\u002Fcli-reference","docs\u002Fapi\u002F1.cli-reference",{"title":14,"path":15,"stem":16},"ZMQ Protocol Reference","\u002Fdocs\u002Fapi\u002Fzmq-protocol","docs\u002Fapi\u002F2.zmq-protocol",{"title":18,"path":19,"stem":20},"Error Codes","\u002Fdocs\u002Fapi\u002Ferror-codes","docs\u002Fapi\u002F3.error-codes",false,{"title":23,"path":24,"stem":25,"children":26,"page":21},"Community","\u002Fdocs\u002Fcommunity","docs\u002Fcommunity",[27],{"title":28,"path":29,"stem":30},"Contributing","\u002Fdocs\u002Fcommunity\u002Fcontributing","docs\u002Fcommunity\u002F1.contributing",{"title":32,"path":33,"stem":34,"children":35,"page":21},"Concepts","\u002Fdocs\u002Fconcepts","docs\u002Fconcepts",[36,40,44],{"title":37,"path":38,"stem":39},"Architecture","\u002Fdocs\u002Fconcepts\u002Farchitecture","docs\u002Fconcepts\u002F1.architecture",{"title":41,"path":42,"stem":43},"Certificate Lifecycle","\u002Fdocs\u002Fconcepts\u002Fcertificate-lifecycle","docs\u002Fconcepts\u002F2.certificate-lifecycle",{"title":45,"path":46,"stem":47},"Security Model","\u002Fdocs\u002Fconcepts\u002Fsecurity-model","docs\u002Fconcepts\u002F3.security-model",{"title":49,"path":50,"stem":51,"children":52,"page":21},"Getting Started","\u002Fdocs\u002Fgetting-started","docs\u002Fgetting-started",[53,57,61],{"title":54,"path":55,"stem":56},"Introduction","\u002Fdocs\u002Fgetting-started\u002Fintroduction","docs\u002Fgetting-started\u002F1.introduction",{"title":58,"path":59,"stem":60},"Installation","\u002Fdocs\u002Fgetting-started\u002Finstallation","docs\u002Fgetting-started\u002F2.installation",{"title":62,"path":63,"stem":64},"Quick 
Start","\u002Fdocs\u002Fgetting-started\u002Fquick-start","docs\u002Fgetting-started\u002F3.quick-start",{"title":66,"path":67,"stem":68,"children":69,"page":21},"Guides","\u002Fdocs\u002Fguides","docs\u002Fguides",[70,74,78,82],{"title":71,"path":72,"stem":73},"Configuration","\u002Fdocs\u002Fguides\u002Fconfiguration","docs\u002Fguides\u002F1.configuration",{"title":75,"path":76,"stem":77},"Certificate Profiles","\u002Fdocs\u002Fguides\u002Fcertificate-profiles","docs\u002Fguides\u002F2.certificate-profiles",{"title":79,"path":80,"stem":81},"Docker Deployment","\u002Fdocs\u002Fguides\u002Fdocker-deployment","docs\u002Fguides\u002F3.docker-deployment",{"title":83,"path":84,"stem":85},"Importing an Existing CA","\u002Fdocs\u002Fguides\u002Fimporting-existing-ca","docs\u002Fguides\u002F4.importing-existing-ca",{"id":87,"title":37,"body":88,"description":302,"extension":303,"links":304,"meta":305,"navigation":306,"path":38,"seo":307,"stem":39,"__hash__":308},"docs\u002Fdocs\u002Fconcepts\u002F1.architecture.md",{"type":89,"value":90,"toc":287},"minimark",[91,95,100,104,115,119,126,133,149,156,159,181,188,196,200,249,253,259,263],[92,93,37],"h1",{"id":94},"architecture",[96,97,99],"h2",{"id":98},"overview","Overview",[101,102,103],"p",{},"uPKI CA follows a single-process, single-authority model. All external communication happens over ZMQ sockets. 
There is no HTTP interface, no REST API, and no web UI — by design.",[105,106,111],"pre",{"className":107,"code":109,"language":110},[108],"language-text","┌─────────────────────────────────────┐\n│             uPKI CA process         │\n│                                     │\n│  ┌──────────┐     ┌──────────────┐  │\n│  │ Authority │────▶│ FileStorage  │  │\n│  └──────────┘     └──────────────┘  │\n│       │                             │\n│  ┌────▼────────────────────────┐    │\n│  │    ZMQ REP Listeners         │    │\n│  │  port 5000 (CA operations)  │    │\n│  │  port 5001 (RA registration) │    │\n│  └─────────────────────────────┘    │\n└─────────────────────────────────────┘\n        ▲                  ▲\n   uPKI RA \u002F CLI       new RA nodes\n   (ZMQ REQ)           (ZMQ REQ)\n","text",[112,113,109],"code",{"__ignoreMap":114},"",[96,116,118],{"id":117},"core-components","Core components",[120,121,123],"h3",{"id":122},"authority",[112,124,125],{},"Authority",[101,127,128,129,132],{},"The central singleton class (",[112,130,131],{},"upki_ca\u002Fca\u002Fauthority.py","). 
Responsible for:",[134,135,136,140,143,146],"ul",{},[137,138,139],"li",{},"Loading\u002Fcreating the root key pair and self-signed certificate",[137,141,142],{},"Maintaining the certificate store and CRL",[137,144,145],{},"Executing all certificate operations (generate, sign, renew, revoke…)",[137,147,148],{},"Delegating persistence to the configured storage backend",[120,150,152,155],{"id":151},"zmqlistener-port-5000",[112,153,154],{},"ZmqListener"," (port 5000)",[101,157,158],{},"Handles all ongoing CA operations from registered RA nodes and admin tools:",[134,160,161,164,167,170,173],{},[137,162,163],{},"Certificate sign \u002F generate \u002F renew \u002F revoke \u002F unrevoke \u002F delete",[137,165,166],{},"CRL generation and retrieval",[137,168,169],{},"Profile listing and inspection",[137,171,172],{},"Admin node management (list_admins, add_admin, remove_admin)",[137,174,175,176,180],{},"ACME state synchronisation (acme_",[177,178,179],"em",{},"sync","_*)",[120,182,184,187],{"id":183},"zmqregister-port-5001",[112,185,186],{},"ZmqRegister"," (port 5001)",[101,189,190,191,195],{},"Accepts new RA node registrations. This socket is intentionally ",[192,193,194],"strong",{},"not"," protected by mTLS — it uses a shared seed as the authentication mechanism. Because that seed is the only credential checked on this port, it should be handled as a secret, and port 5001 should be reachable only from hosts that need to register. Once an RA has registered, all further communication goes through port 5000.",[120,197,199],{"id":198},"storage-backends","Storage backends",[201,202,203,219],"table",{},[204,205,206],"thead",{},[207,208,209,213,216],"tr",{},[210,211,212],"th",{},"Backend",[210,214,215],{},"Status",[210,217,218],{},"Use case",[220,221,222,236],"tbody",{},[207,223,224,230,233],{},[225,226,227],"td",{},[112,228,229],{},"FileStorage",[225,231,232],{},"Production-ready",[225,234,235],{},"Default. 
TinyDB for metadata, plain files for PEM data.",[207,237,238,243,246],{},[225,239,240],{},[112,241,242],{},"MongoStorage",[225,244,245],{},"Stub \u002F experimental",[225,247,248],{},"Future: centralised multi-CA deployments.",[96,250,252],{"id":251},"data-directory-layout","Data directory layout",[105,254,257],{"className":255,"code":256,"language":110},[108],"\u002Fdata (UPKI_DATA_DIR)\n├── ca.config.yml       # CA configuration\n├── ca.crt              # Root CA certificate (UPKI_CA_CERT_FILE)\n├── ca.key              # Root CA private key  (UPKI_CA_KEY_FILE)\n├── crl.pem             # Current CRL\n├── nodes\u002F              # Node certificates (one subdirectory per CN)\n│   └── \u003Ccn>\u002F\n│       ├── cert.pem\n│       └── key.pem\n└── db\u002F\n    ├── nodes.json      # TinyDB — node metadata\n    ├── certs.json      # TinyDB — certificate records\n    └── admins.json     # TinyDB — admin list\n",[112,258,256],{"__ignoreMap":114},[96,260,262],{"id":261},"startup-sequence","Startup sequence",[264,265,266,272,278,281,284],"ol",{},[137,267,268,269],{},"Load or create root key + certificate from ",[112,270,271],{},"UPKI_DATA_DIR",[137,273,274,275],{},"Apply configuration from ",[112,276,277],{},"ca.config.yml",[137,279,280],{},"Bind ZMQ REP socket on port 5000",[137,282,283],{},"Bind ZMQ REP socket on port 5001",[137,285,286],{},"Enter event loop — process requests until SIGTERM\u002FSIGINT",{"title":114,"searchDepth":288,"depth":288,"links":289},2,[290,291,300,301],{"id":98,"depth":288,"text":99},{"id":117,"depth":288,"text":118,"children":292},[293,295,297,299],{"id":122,"depth":294,"text":125},3,{"id":151,"depth":294,"text":296},"ZmqListener (port 5000)",{"id":183,"depth":294,"text":298},"ZmqRegister (port 5001)",{"id":198,"depth":294,"text":199},{"id":251,"depth":288,"text":252},{"id":261,"depth":288,"text":262},"How uPKI CA is structured internally and how it communicates with the outside 
world.","md",null,{},true,{"title":37,"description":302},"EMfk3uznznn0Zc71ShHhGi4zxM1sVPI29C0Uw72tgK0",[310,312],{"title":28,"path":29,"stem":30,"description":311,"children":-1},"How to contribute to uPKI CA.",{"title":41,"path":42,"stem":43,"description":313,"children":-1},"How certificates are created, renewed, and revoked in uPKI CA.",1775569478524]