Quick Start
Initialise your CA and issue your first certificate in minutes.
This guide walks you through initialising uPKI CA, registering it on the network, and issuing your first certificate.
Step 1 — Initialise the CA
```bash
upki-ca init \
  --data-dir /opt/upki/ca \
  --seed "a-long-random-passphrase" \
  --common-name "My Internal CA"
```
This creates the CA root key and self-signed root certificate under --data-dir.
Store the --seed securely. It is required to restart the CA and cannot be recovered automatically.
Step 2 — Register the CA node
```bash
upki-ca register \
  --data-dir /opt/upki/ca \
  --seed "a-long-random-passphrase"
```
This step creates the CA's own node certificate used for inter-service authentication.
Step 3 — Start the CA daemon
```bash
upki-ca start \
  --data-dir /opt/upki/ca \
  --seed "a-long-random-passphrase"
```
The CA now listens on:
| Port | Purpose |
|---|---|
| 5000 | CA operations (sign, revoke, renew…) |
| 5001 | RA registration |
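Steps 1 to 3 pass the same seed three times as a literal argument, which leaves it in shell history. The script below is an added example, not part of the uPKI documentation: for a first bring-up it generates the seed once into an owner-only file and feeds it to the same three commands. The seed file path `/root/upki-ca.seed` is an assumption, and only the flags shown on this page are used.

```bash
#!/bin/sh
# Added example. SEED_FILE and the CA name are placeholders (assumptions).
SEED_FILE=/root/upki-ca.seed
DATA_DIR=/opt/upki/ca

# Create a 256-bit random seed, owner-readable only. noclobber (set -C)
# makes this fail rather than overwrite a seed that cannot be recovered.
new_seed_file() {
    ( umask 077; set -C
      od -An -tx1 -N32 /dev/urandom | tr -d ' \n' > "$1" ) 2>/dev/null ||
        { echo "cannot create $1 (already exists?)" >&2; return 1; }
}

# Print the seed, refusing files that group or others can access.
read_seed() {
    [ -f "$1" ] || { echo "seed file missing: $1" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "refusing $1: accessible by group or others" >&2
        return 1
    fi
    cat "$1"
}

# Steps 1-3 from the guide. The seed never appears in shell history, but it
# is still an argument of each upki-ca process while that process runs.
bring_up_ca() {
    seed=$(read_seed "$SEED_FILE") || return 1
    upki-ca init --data-dir "$DATA_DIR" --seed "$seed" \
        --common-name "My Internal CA" &&
    upki-ca register --data-dir "$DATA_DIR" --seed "$seed" &&
    upki-ca start --data-dir "$DATA_DIR" --seed "$seed"
}

# Only act when called as: sh ca-bringup.sh run
if [ "${1:-}" = "run" ]; then
    [ -e "$SEED_FILE" ] || new_seed_file "$SEED_FILE" || exit 1
    bring_up_ca
fi
```

Back up the seed file offline as well; losing it means the CA cannot be restarted.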
Step 4 — Issue a certificate (via CLI)
Using uPKI CLI:
```bash
upki-cli generate \
  --host 127.0.0.1 \
  --cn "server.example.internal" \
  --profile server \
  --sans "server.example.internal,192.168.1.10"
```
Docker one-liner
```bash
docker run --rm \
  -e UPKI_CA_SEED="your-seed" \
  -v /opt/upki/ca:/data \
  ghcr.io/circle-rd/upki-ca:latest
```
Next steps
- Configure certificate profiles
- Set up uPKI RA alongside the CA
- Read the ZMQ protocol reference