[{"data":1,"prerenderedAt":303},["ShallowReactive",2],{"navigation_docs":3,"-docs-concepts-security-model":86,"-docs-concepts-security-model-surround":298},[4,22,31,48,65],{"title":5,"path":6,"stem":7,"children":8,"page":21},"Api","\u002Fdocs\u002Fapi","docs\u002Fapi",[9,13,17],{"title":10,"path":11,"stem":12},"CLI Reference","\u002Fdocs\u002Fapi\u002Fcli-reference","docs\u002Fapi\u002F1.cli-reference",{"title":14,"path":15,"stem":16},"ZMQ Protocol Reference","\u002Fdocs\u002Fapi\u002Fzmq-protocol","docs\u002Fapi\u002F2.zmq-protocol",{"title":18,"path":19,"stem":20},"Error Codes","\u002Fdocs\u002Fapi\u002Ferror-codes","docs\u002Fapi\u002F3.error-codes",false,{"title":23,"path":24,"stem":25,"children":26,"page":21},"Community","\u002Fdocs\u002Fcommunity","docs\u002Fcommunity",[27],{"title":28,"path":29,"stem":30},"Contributing","\u002Fdocs\u002Fcommunity\u002Fcontributing","docs\u002Fcommunity\u002F1.contributing",{"title":32,"path":33,"stem":34,"children":35,"page":21},"Concepts","\u002Fdocs\u002Fconcepts","docs\u002Fconcepts",[36,40,44],{"title":37,"path":38,"stem":39},"Architecture","\u002Fdocs\u002Fconcepts\u002Farchitecture","docs\u002Fconcepts\u002F1.architecture",{"title":41,"path":42,"stem":43},"Certificate Lifecycle","\u002Fdocs\u002Fconcepts\u002Fcertificate-lifecycle","docs\u002Fconcepts\u002F2.certificate-lifecycle",{"title":45,"path":46,"stem":47},"Security Model","\u002Fdocs\u002Fconcepts\u002Fsecurity-model","docs\u002Fconcepts\u002F3.security-model",{"title":49,"path":50,"stem":51,"children":52,"page":21},"Getting Started","\u002Fdocs\u002Fgetting-started","docs\u002Fgetting-started",[53,57,61],{"title":54,"path":55,"stem":56},"Introduction","\u002Fdocs\u002Fgetting-started\u002Fintroduction","docs\u002Fgetting-started\u002F1.introduction",{"title":58,"path":59,"stem":60},"Installation","\u002Fdocs\u002Fgetting-started\u002Finstallation","docs\u002Fgetting-started\u002F2.installation",{"title":62,"path":63,"stem":64},"Quick 
Start","\u002Fdocs\u002Fgetting-started\u002Fquick-start","docs\u002Fgetting-started\u002F3.quick-start",{"title":66,"path":67,"stem":68,"children":69,"page":21},"Guides","\u002Fdocs\u002Fguides","docs\u002Fguides",[70,74,78,82],{"title":71,"path":72,"stem":73},"Configuration","\u002Fdocs\u002Fguides\u002Fconfiguration","docs\u002Fguides\u002F1.configuration",{"title":75,"path":76,"stem":77},"Certificate Profiles","\u002Fdocs\u002Fguides\u002Fcertificate-profiles","docs\u002Fguides\u002F2.certificate-profiles",{"title":79,"path":80,"stem":81},"Docker Deployment","\u002Fdocs\u002Fguides\u002Fdocker-deployment","docs\u002Fguides\u002F3.docker-deployment",{"title":83,"path":84,"stem":85},"Importing an Existing CA","\u002Fdocs\u002Fguides\u002Fimporting-existing-ca","docs\u002Fguides\u002F4.importing-existing-ca",{"id":87,"title":45,"body":88,"description":291,"extension":292,"links":293,"meta":294,"navigation":295,"path":46,"seo":296,"stem":47,"__hash__":297},"docs\u002Fdocs\u002Fconcepts\u002F3.security-model.md",{"type":89,"value":90,"toc":280},"minimark",[91,95,100,104,127,131,143,156,160,164,179,183,198,202,209,221,225,228,273,277],[92,93,45],"h1",{"id":94},"security-model",[96,97,99],"h2",{"id":98},"trust-anchor-isolation","Trust anchor isolation",[101,102,103],"p",{},"The CA is the root of trust for your entire PKI. 
uPKI CA's design choices reflect this responsibility:",[105,106,107,115,121],"ul",{},[108,109,110,114],"li",{},[111,112,113],"strong",{},"No HTTP interface"," — the only attack surface is ZMQ, which is not reachable from the internet in a standard deployment",[108,116,117,120],{},[111,118,119],{},"No remote admin UI"," — administration is done via ZMQ from authorised nodes or the CLI",[108,122,123,126],{},[111,124,125],{},"Seed-based authentication"," — the CA only issues node certificates to callers who present the correct registration seed (port 5001)",[96,128,130],{"id":129},"seed-security","Seed security",[101,132,133,134,138,139,142],{},"The ",[135,136,137],"code",{},"--seed"," flag (or ",[135,140,141],{},"UPKI_CA_SEED"," environment variable) is a shared secret used to:",[144,145,146,153],"ol",{},[108,147,148,149,152],{},"Derive the CA's private key material deterministically (on ",[135,150,151],{},"init",")",[108,154,155],{},"Authenticate new RA registration requests (port 5001)",[157,158,159],"caution",{},"Treat the seed as a root credential. Store it in a secrets manager (Vault, AWS SSM, etc.), not in plain text on disk. If the seed is compromised, any node could register itself with the CA.",[96,161,163],{"id":162},"admin-node-list","Admin node list",[101,165,166,167,170,171,174,175,178],{},"After bootstrapping, only nodes listed in the CA's admin list (managed via ",[135,168,169],{},"add_admin"," \u002F ",[135,172,173],{},"remove_admin",") are allowed to perform sensitive CA operations. 
The ",[135,176,177],{},"list_admins"," command returns the current list.",[96,180,182],{"id":181},"crl-and-ocsp","CRL and OCSP",[105,184,185,191],{},[108,186,187,188],{},"The CA maintains a CRL that is updated on ",[135,189,190],{},"generate_crl",[108,192,193,194,197],{},"OCSP status is available via ",[135,195,196],{},"ocsp_check"," — but there is no built-in OCSP responder HTTP endpoint (use a reverse proxy if needed)",[96,199,201],{"id":200},"key-storage","Key storage",[101,203,204,205,208],{},"Private keys are stored as plain PEM files under ",[135,206,207],{},"UPKI_DATA_DIR\u002Fnodes\u002F\u003Ccn>\u002Fkey.pem",". Filesystem permissions are the only protection at rest.",[210,211,212,213,216,217,220],"note",{},"For production deployments, mount ",[135,214,215],{},"UPKI_DATA_DIR"," on an encrypted volume and restrict access to the ",[135,218,219],{},"upki-ca"," process user.",[96,222,224],{"id":223},"network-exposure","Network exposure",[101,226,227],{},"Recommended firewall rules:",[229,230,231,247],"table",{},[232,233,234],"thead",{},[235,236,237,241,244],"tr",{},[238,239,240],"th",{},"Port",[238,242,243],{},"Exposed to",[238,245,246],{},"Rationale",[248,249,250,262],"tbody",{},[235,251,252,256,259],{},[253,254,255],"td",{},"5000",[253,257,258],{},"RA nodes, admin tools only",[253,260,261],{},"CA operations require authenticated nodes",[235,263,264,267,270],{},[253,265,266],{},"5001",[253,268,269],{},"RA nodes during initial registration only",[253,271,272],{},"Close after all RAs are registered",[96,274,276],{"id":275},"docker-security","Docker security",[101,278,279],{},"The official Docker image runs as a non-root user. 
The data directory is mounted as a volume — ensure its host path is owned by the same UID as the container process and is not readable by other host users: the key files under it (see Key storage) are unencrypted PEM, so they are only as protected as that host path, and the non-root user inside the container does nothing against anyone who can read the volume from the host.