Introduction

What is uPKI CA and how does it fit in the uPKI ecosystem?

uPKI CA is a self-hosted Certificate Authority written in Python and designed to run air-gapped: it needs no internet access at any point. Instead of an HTTP API it exposes a ZMQ REP socket, so Registration Authorities (RAs) and admin tooling on the local network submit certificate operations as request/reply messages.

What it does

  • Issues X.509 v3 certificates using 7 pre-defined profiles (root CA, intermediate, server, client, OCSP, email, code-signing)
  • Maintains a Certificate Revocation List (CRL)
  • Stores certificates, keys, and metadata on the local filesystem backed by TinyDB
  • Listens on two ZMQ ports: 5000 (CA operations) and 5001 (RA registration)
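The profiles above decide which X.509 extensions an issued certificate carries. The following is an added illustration of that idea, not uPKI CA's own code: a small CA built on the same `cryptography` library, with a profile table whose names follow the page's list but whose exact extension choices (basicConstraints, keyUsage, extendedKeyUsage per profile) are an assumption made here. The point it demonstrates is that extensions come from the profile the CA selects, never from whatever the CSR asks for, and that the CSR's proof-of-possession signature is checked before signing.

```python
"""Profile-driven X.509 issuance with the `cryptography` library.

Added example, not uPKI CA's own code: profile names follow the page's
list; the extensions each profile sets are an assumption made here.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

# Assumed profile table: (is a CA, basicConstraints pathlen, extended key usages)
PROFILES = {
    "root":         (True,  None, []),
    "intermediate": (True,  0,    []),
    "server":       (False, None, [EKU.SERVER_AUTH]),
    "client":       (False, None, [EKU.CLIENT_AUTH]),
    "ocsp":         (False, None, [EKU.OCSP_SIGNING]),
    "email":        (False, None, [EKU.EMAIL_PROTECTION]),
    "code-signing": (False, None, [EKU.CODE_SIGNING]),
}


def _key_usage(is_ca):
    """CA certs may sign certificates and CRLs; leaf certs (ECDSA) only sign."""
    return x509.KeyUsage(
        digital_signature=True, key_cert_sign=is_ca, crl_sign=is_ca,
        content_commitment=False, key_encipherment=False, data_encipherment=False,
        key_agreement=False, encipher_only=False, decipher_only=False)


def _builder(subject, issuer, pubkey, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days)))


def make_root(common_name="uPKI Demo Root"):
    """Self-signed root: the 'root' profile applied to the CA's own key."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    is_ca, pathlen, _ = PROFILES["root"]
    cert = (_builder(name, name, key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=pathlen), critical=True)
            .add_extension(_key_usage(is_ca), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_csr(common_name):
    """What an RA forwards to the CA: a CSR signed by the requester's own key."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
           .sign(key, hashes.SHA256()))
    return key, csr


def issue(ca_key, ca_cert, csr, profile, days=90):
    """Sign a CSR under a named profile. Extensions come from the profile,
    never from the CSR, so a requester cannot ask for CA=TRUE."""
    if profile == "root":
        raise ValueError("root profile applies only to the CA's own self-signed key")
    is_ca, pathlen, ekus = PROFILES[profile]        # KeyError: unknown profile is refused
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify: proof of possession failed")
    b = (_builder(csr.subject, ca_cert.subject, csr.public_key(), days)
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=pathlen), critical=True)
         .add_extension(_key_usage(is_ca), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(csr.public_key()), critical=False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()),
                        critical=False))
    if ekus:
        b = b.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return b.sign(ca_key, hashes.SHA256())


def summarize(cert, ca_cert):
    """Plain-data view of an issued certificate, including a signature check."""
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    try:
        ekus = [o.dotted_string for o in
                cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value]
    except x509.ExtensionNotFound:
        ekus = []
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        signature_ok = True
    except InvalidSignature:
        signature_ok = False
    return {"ca": bc.ca, "pathlen": bc.path_length, "eku": ekus,
            "issuer_matches": cert.issuer == ca_cert.subject, "signature_ok": signature_ok}


def demo(profile, common_name="svc.example.internal"):
    """Constructed end-to-end run: fresh root, fresh CSR, issue, summarize."""
    ca_key, ca_cert = make_root()
    _, csr = make_csr(common_name)
    return summarize(issue(ca_key, ca_cert, csr, profile), ca_cert)
```

Running `demo("server")` yields a leaf with CA=FALSE and only the serverAuth EKU; `demo("intermediate")` yields CA=TRUE with pathlen 0; an unknown profile name raises KeyError rather than falling back to a permissive default.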

What it does NOT do

  • It does not speak ACME — that is the job of uPKI RA
  • It does not have an HTTP interface — all communication is ZMQ
  • It does not require internet access at any point

Where it fits

[ACME Client]  →  [uPKI RA :8000]  →  ZMQ :5000  →  [uPKI CA]
                                                 ↗
                       [uPKI CLI]  →  ZMQ :5000

The CA is the trust anchor. The RA translates ACME protocol requests into ZMQ calls on port 5000 and registers itself with the CA over the registration port (5001) on first start. The CLI provides direct ZMQ access for admin operations. Because every certificate operation and every RA registration arrives over these two sockets, network reachability of ports 5000 and 5001 is the CA's trust boundary: restrict it to the RA and admin hosts that are meant to issue and revoke.
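The exchange described above, in the REQ/REP pattern a ZMQ REP socket imposes, as an added example that is not uPKI's own code. The JSON message shape ({"op": ...} in, {"ok": ...} out) and the op names are assumptions, since this page does not show uPKI's wire format; the stand-in CA below runs in the same process over the inproc transport where the real one binds tcp port 5000. Two things it shows that the prose does not: a REP socket must answer every request, including malformed ones, or the REQ peer blocks forever; and a client needs a receive timeout, after which the REQ socket is discarded rather than reused.

```python
"""Request/reply exchange with a stand-in CA over a ZMQ REP socket.

Added example, not uPKI's own code: message shape and op names are
assumptions; the endpoint is inproc here, tcp port 5000 for the real CA.
"""
import threading

import zmq

ENDPOINT = "inproc://upki-ca-demo"   # assumed; stands in for tcp://<ca-host>:5000


def handle(req):
    """CA-side dispatch. Every request gets a reply, including bad ones:
    a REP socket that stays silent leaves the REQ peer stuck forever."""
    op = req.get("op")
    if op == "ping":
        return {"ok": True, "op": op}
    if op == "sign":
        if "csr" not in req or req.get("profile") not in ("server", "client"):
            return {"ok": False, "error": "sign needs a csr and a server/client profile"}
        return {"ok": True, "op": op, "profile": req["profile"], "serial": 1}
    return {"ok": False, "error": f"unknown op {op!r}"}


def serve(rep_sock, n_requests):
    """CA side: answer exactly n_requests requests in strict recv/send order."""
    try:
        for _ in range(n_requests):
            rep_sock.send_json(handle(rep_sock.recv_json()))
    finally:
        rep_sock.close(linger=0)


def request(ctx, msg, timeout_ms=2000):
    """RA/CLI side: one send, one recv. After a timeout the REQ socket is in
    an unusable state, so it is closed rather than reused."""
    sock = ctx.socket(zmq.REQ)
    sock.setsockopt(zmq.RCVTIMEO, timeout_ms)
    sock.setsockopt(zmq.LINGER, 0)
    sock.connect(ENDPOINT)
    try:
        sock.send_json(msg)
        return sock.recv_json()
    except zmq.Again:
        return {"ok": False, "error": "timeout: CA did not answer"}
    finally:
        sock.close()


def run_demo():
    """Constructed traffic: one ping, one sign request, one unsupported op."""
    requests = [
        {"op": "ping"},
        {"op": "sign", "profile": "server", "csr": "<PEM CSR constructed elsewhere>"},
        {"op": "revoke", "serial": 1},
    ]
    ctx = zmq.Context()
    rep = ctx.socket(zmq.REP)
    rep.bind(ENDPOINT)                      # bind before any client connects
    server = threading.Thread(target=serve, args=(rep, len(requests)), daemon=True)
    server.start()
    replies = [request(ctx, r) for r in requests]
    server.join()
    ctx.term()                              # returns once every socket is closed
    return replies


if __name__ == "__main__":
    for reply in run_demo():
        print(reply)
```

Opening a fresh REQ socket per request is deliberate: a REQ socket that has sent and not received cannot send again, so tying socket lifetime to one exchange is the simplest way to recover from an unreachable CA.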

Project     Role
upki-ca     This project: the Certificate Authority
upki-ra     ACME v2 Registration Authority
upki-cli    Command-line admin tool

Technology stack

  • Python 3.11+
  • pyzmq — ZMQ bindings
  • cryptography — X.509 operations
  • TinyDB — lightweight JSON database
  • Click — CLI framework

Copyright © 2026