[{"data":1,"prerenderedAt":935},["ShallowReactive",2],{"navigation_docs":3,"-docs-guides-configuration":86,"-docs-guides-configuration-surround":930},[4,22,31,48,65],{"title":5,"path":6,"stem":7,"children":8,"page":21},"Api","\u002Fdocs\u002Fapi","docs\u002Fapi",[9,13,17],{"title":10,"path":11,"stem":12},"CLI Reference","\u002Fdocs\u002Fapi\u002Fcli-reference","docs\u002Fapi\u002F1.cli-reference",{"title":14,"path":15,"stem":16},"ZMQ Protocol Reference","\u002Fdocs\u002Fapi\u002Fzmq-protocol","docs\u002Fapi\u002F2.zmq-protocol",{"title":18,"path":19,"stem":20},"Error Codes","\u002Fdocs\u002Fapi\u002Ferror-codes","docs\u002Fapi\u002F3.error-codes",false,{"title":23,"path":24,"stem":25,"children":26,"page":21},"Community","\u002Fdocs\u002Fcommunity","docs\u002Fcommunity",[27],{"title":28,"path":29,"stem":30},"Contributing","\u002Fdocs\u002Fcommunity\u002Fcontributing","docs\u002Fcommunity\u002F1.contributing",{"title":32,"path":33,"stem":34,"children":35,"page":21},"Concepts","\u002Fdocs\u002Fconcepts","docs\u002Fconcepts",[36,40,44],{"title":37,"path":38,"stem":39},"Architecture","\u002Fdocs\u002Fconcepts\u002Farchitecture","docs\u002Fconcepts\u002F1.architecture",{"title":41,"path":42,"stem":43},"Certificate Lifecycle","\u002Fdocs\u002Fconcepts\u002Fcertificate-lifecycle","docs\u002Fconcepts\u002F2.certificate-lifecycle",{"title":45,"path":46,"stem":47},"Security Model","\u002Fdocs\u002Fconcepts\u002Fsecurity-model","docs\u002Fconcepts\u002F3.security-model",{"title":49,"path":50,"stem":51,"children":52,"page":21},"Getting Started","\u002Fdocs\u002Fgetting-started","docs\u002Fgetting-started",[53,57,61],{"title":54,"path":55,"stem":56},"Introduction","\u002Fdocs\u002Fgetting-started\u002Fintroduction","docs\u002Fgetting-started\u002F1.introduction",{"title":58,"path":59,"stem":60},"Installation","\u002Fdocs\u002Fgetting-started\u002Finstallation","docs\u002Fgetting-started\u002F2.installation",{"title":62,"path":63,"stem":64},"Quick 
Start","\u002Fdocs\u002Fgetting-started\u002Fquick-start","docs\u002Fgetting-started\u002F3.quick-start",{"title":66,"path":67,"stem":68,"children":69,"page":21},"Guides","\u002Fdocs\u002Fguides","docs\u002Fguides",[70,74,78,82],{"title":71,"path":72,"stem":73},"Configuration","\u002Fdocs\u002Fguides\u002Fconfiguration","docs\u002Fguides\u002F1.configuration",{"title":75,"path":76,"stem":77},"Certificate Profiles","\u002Fdocs\u002Fguides\u002Fcertificate-profiles","docs\u002Fguides\u002F2.certificate-profiles",{"title":79,"path":80,"stem":81},"Docker Deployment","\u002Fdocs\u002Fguides\u002Fdocker-deployment","docs\u002Fguides\u002F3.docker-deployment",{"title":83,"path":84,"stem":85},"Importing an Existing CA","\u002Fdocs\u002Fguides\u002Fimporting-existing-ca","docs\u002Fguides\u002F4.importing-existing-ca",{"id":87,"title":71,"body":88,"description":924,"extension":925,"links":926,"meta":927,"navigation":794,"path":72,"seo":928,"stem":73,"__hash__":929},"docs\u002Fdocs\u002Fguides\u002F1.configuration.md",{"type":89,"value":90,"toc":916},"minimark",[91,95,108,112,123,285,290,531,535,541,630,634,637,675,678,716,719,754,758,765,828,831,912],[92,93,71],"h1",{"id":94},"configuration",[96,97,98,99,103,104,107],"p",{},"uPKI CA is configured via a ",[100,101,102],"code",{},"ca.config.yml"," file that is created automatically on ",[100,105,106],{},"init",". 
All values can be overridden via environment variables (useful for Docker \u002F systemd deployments).",[109,110,102],"h2",{"id":111},"caconfigyml",[96,113,114,115,118,119,122],{},"Default location: ",[100,116,117],{},"$UPKI_DATA_DIR\u002Fca.config.yml"," (or ",[100,120,121],{},"~\u002F.upki\u002Fca\u002Fca.config.yml",").",[124,125,130],"pre",{"className":126,"code":127,"language":128,"meta":129,"style":129},"language-yaml shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","company: \"Company Name\"\ndomain: \"example.com\"\nhost: \"127.0.0.1\"\nport: 5000\nclients: \"register\"\npassword: null\nseed: null\nkey_type: \"rsa\"\nkey_length: 4096\ndigest: \"sha256\"\ncrl_validity: 7\n","yaml","",[100,131,132,155,170,185,197,212,223,233,248,259,274],{"__ignoreMap":129},[133,134,137,141,145,148,152],"span",{"class":135,"line":136},"line",1,[133,138,140],{"class":139},"swJcz","company",[133,142,144],{"class":143},"sMK4o",":",[133,146,147],{"class":143}," \"",[133,149,151],{"class":150},"sfazB","Company Name",[133,153,154],{"class":143},"\"\n",[133,156,158,161,163,165,168],{"class":135,"line":157},2,[133,159,160],{"class":139},"domain",[133,162,144],{"class":143},[133,164,147],{"class":143},[133,166,167],{"class":150},"example.com",[133,169,154],{"class":143},[133,171,173,176,178,180,183],{"class":135,"line":172},3,[133,174,175],{"class":139},"host",[133,177,144],{"class":143},[133,179,147],{"class":143},[133,181,182],{"class":150},"127.0.0.1",[133,184,154],{"class":143},[133,186,188,191,193],{"class":135,"line":187},4,[133,189,190],{"class":139},"port",[133,192,144],{"class":143},[133,194,196],{"class":195},"sbssI"," 
5000\n",[133,198,200,203,205,207,210],{"class":135,"line":199},5,[133,201,202],{"class":139},"clients",[133,204,144],{"class":143},[133,206,147],{"class":143},[133,208,209],{"class":150},"register",[133,211,154],{"class":143},[133,213,215,218,220],{"class":135,"line":214},6,[133,216,217],{"class":139},"password",[133,219,144],{"class":143},[133,221,222],{"class":143}," null\n",[133,224,226,229,231],{"class":135,"line":225},7,[133,227,228],{"class":139},"seed",[133,230,144],{"class":143},[133,232,222],{"class":143},[133,234,236,239,241,243,246],{"class":135,"line":235},8,[133,237,238],{"class":139},"key_type",[133,240,144],{"class":143},[133,242,147],{"class":143},[133,244,245],{"class":150},"rsa",[133,247,154],{"class":143},[133,249,251,254,256],{"class":135,"line":250},9,[133,252,253],{"class":139},"key_length",[133,255,144],{"class":143},[133,257,258],{"class":195}," 4096\n",[133,260,262,265,267,269,272],{"class":135,"line":261},10,[133,263,264],{"class":139},"digest",[133,266,144],{"class":143},[133,268,147],{"class":143},[133,270,271],{"class":150},"sha256",[133,273,154],{"class":143},[133,275,277,280,282],{"class":135,"line":276},11,[133,278,279],{"class":139},"crl_validity",[133,281,144],{"class":143},[133,283,284],{"class":195}," 7\n",[286,287,289],"h3",{"id":288},"reference","Reference",[291,292,293,312],"table",{},[294,295,296],"thead",{},[297,298,299,303,306,309],"tr",{},[300,301,302],"th",{},"Key",[300,304,305],{},"Type",[300,307,308],{},"Default",[300,310,311],{},"Description",[313,314,315,333,349,365,386,412,432,450,472,488,515],"tbody",{},[297,316,317,322,325,330],{},[318,319,320],"td",{},[100,321,140],{},[318,323,324],{},"string",[318,326,327],{},[100,328,329],{},"\"Company Name\"",[318,331,332],{},"Organisation name embedded in the CA certificate",[297,334,335,339,341,346],{},[318,336,337],{},[100,338,160],{},[318,340,324],{},[318,342,343],{},[100,344,345],{},"\"example.com\"",[318,347,348],{},"Default domain fragment appended to CN if not fully 
qualified",[297,350,351,355,357,362],{},[318,352,353],{},[100,354,175],{},[318,356,324],{},[318,358,359],{},[100,360,361],{},"\"127.0.0.1\"",[318,363,364],{},"Bind address for ZMQ sockets",[297,366,367,371,374,379],{},[318,368,369],{},[100,370,190],{},[318,372,373],{},"integer",[318,375,376],{},[100,377,378],{},"5000",[318,380,381,382,385],{},"CA operations socket. Registration socket uses ",[100,383,384],{},"port + 1"," (5001)",[297,387,388,392,394,399],{},[318,389,390],{},[100,391,202],{},[318,393,324],{},[318,395,396],{},[100,397,398],{},"\"register\"",[318,400,401,402,405,406,408,409],{},"Who can request certificates: ",[100,403,404],{},"all",", ",[100,407,209],{}," (registered nodes only), ",[100,410,411],{},"manual",[297,413,414,418,421,426],{},[318,415,416],{},[100,417,217],{},[318,419,420],{},"string\u002Fnull",[318,422,423],{},[100,424,425],{},"null",[318,427,428,429,431],{},"Password to encrypt the CA private key at rest (",[100,430,425],{}," = no encryption, which is the default; the private key is then stored in plaintext, so set a password or tightly restrict access to the data directory)",[297,433,434,438,440,444],{},[318,435,436],{},[100,437,228],{},[318,439,420],{},[318,441,442],{},[100,443,425],{},[318,445,446,447,449],{},"RA registration seed (auto-generated on first ",[100,448,106],{}," if absent)",[297,451,452,456,458,463],{},[318,453,454],{},[100,455,238],{},[318,457,324],{},[318,459,460],{},[100,461,462],{},"\"rsa\"",[318,464,465,466,468,469],{},"Key algorithm (DSA is no longer approved for new signatures in FIPS 186-5, so prefer rsa): ",[100,467,245],{}," or ",[100,470,471],{},"dsa",[297,473,474,478,480,485],{},[318,475,476],{},[100,477,253],{},[318,479,373],{},[318,481,482],{},[100,483,484],{},"4096",[318,486,487],{},"Key size in bits",[297,489,490,494,496,501],{},[318,491,492],{},[100,493,264],{},[318,495,324],{},[318,497,498],{},[100,499,500],{},"\"sha256\"",[318,502,503,504,405,507,405,510,405,512],{},"Signature hash algorithm (md5 and sha1 are collision-broken and rejected by modern TLS clients for certificate signatures; use sha256 or sha512): 
",[100,505,506],{},"md5",[100,508,509],{},"sha1",[100,511,271],{},[100,513,514],{},"sha512",[297,516,517,521,523,528],{},[318,518,519],{},[100,520,279],{},[318,522,373],{},[318,524,525],{},[100,526,527],{},"7",[318,529,530],{},"CRL validity period in days",[109,532,534],{"id":533},"environment-variables","Environment variables",[96,536,537,538,540],{},"Environment variables take precedence over ",[100,539,102],{},". They are the recommended approach for Docker and systemd deployments.",[291,542,543,555],{},[294,544,545],{},[297,546,547,550,553],{},[300,548,549],{},"Variable",[300,551,552],{},"Equivalent config key",[300,554,311],{},[313,556,557,573,587,601,616],{},[297,558,559,564,570],{},[318,560,561],{},[100,562,563],{},"UPKI_DATA_DIR",[318,565,566,569],{},[100,567,568],{},"--path"," CLI flag",[318,571,572],{},"Override the data directory path",[297,574,575,580,584],{},[318,576,577],{},[100,578,579],{},"UPKI_CA_SEED",[318,581,582],{},[100,583,228],{},[318,585,586],{},"RA registration seed",[297,588,589,594,598],{},[318,590,591],{},[100,592,593],{},"UPKI_CA_HOST",[318,595,596],{},[100,597,175],{},[318,599,600],{},"Bind address for both ZMQ sockets",[297,602,603,608,611],{},[318,604,605],{},[100,606,607],{},"UPKI_CA_KEY_FILE",[318,609,610],{},"—",[318,612,613,614],{},"Path to an existing CA private key to import on ",[100,615,106],{},[297,617,618,623,625],{},[318,619,620],{},[100,621,622],{},"UPKI_CA_CERT_FILE",[318,624,610],{},[318,626,627,628],{},"Path to an existing CA certificate to import on ",[100,629,106],{},[109,631,633],{"id":632},"importing-an-existing-ca","Importing an existing CA",[96,635,636],{},"If you have an existing CA key\u002Fcertificate, pass them at init time:",[124,638,642],{"className":639,"code":640,"language":641,"meta":129,"style":129},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","upki-ca init \\\n  --ca-key \u002Fpath\u002Fto\u002Fexisting-ca.key \\\n  --ca-cert 
\u002Fpath\u002Fto\u002Fexisting-ca.crt\n","bash",[100,643,644,657,667],{"__ignoreMap":129},[133,645,646,650,653],{"class":135,"line":136},[133,647,649],{"class":648},"sBMFI","upki-ca",[133,651,652],{"class":150}," init",[133,654,656],{"class":655},"sTEyZ"," \\\n",[133,658,659,662,665],{"class":135,"line":157},[133,660,661],{"class":150},"  --ca-key",[133,663,664],{"class":150}," \u002Fpath\u002Fto\u002Fexisting-ca.key",[133,666,656],{"class":655},[133,668,669,672],{"class":135,"line":172},[133,670,671],{"class":150},"  --ca-cert",[133,673,674],{"class":150}," \u002Fpath\u002Fto\u002Fexisting-ca.crt\n",[96,676,677],{},"For a password-protected key:",[124,679,681],{"className":639,"code":680,"language":641,"meta":129,"style":129},"upki-ca init \\\n  --ca-key \u002Fpath\u002Fto\u002Fexisting-ca.key \\\n  --ca-cert \u002Fpath\u002Fto\u002Fexisting-ca.crt \\\n  --ca-password-file \u002Frun\u002Fsecrets\u002Fca_pass\n",[100,682,683,691,699,708],{"__ignoreMap":129},[133,684,685,687,689],{"class":135,"line":136},[133,686,649],{"class":648},[133,688,652],{"class":150},[133,690,656],{"class":655},[133,692,693,695,697],{"class":135,"line":157},[133,694,661],{"class":150},[133,696,664],{"class":150},[133,698,656],{"class":655},[133,700,701,703,706],{"class":135,"line":172},[133,702,671],{"class":150},[133,704,705],{"class":150}," \u002Fpath\u002Fto\u002Fexisting-ca.crt",[133,707,656],{"class":655},[133,709,710,713],{"class":135,"line":187},[133,711,712],{"class":150},"  --ca-password-file",[133,714,715],{"class":150}," \u002Frun\u002Fsecrets\u002Fca_pass\n",[96,717,718],{},"Equivalently via environment variables:",[124,720,722],{"className":639,"code":721,"language":641,"meta":129,"style":129},"UPKI_DATA_DIR=\u002Fopt\u002Fupki\u002Fca \\\nUPKI_CA_KEY_FILE=\u002Fpath\u002Fto\u002Fexisting-ca.key \\\nUPKI_CA_CERT_FILE=\u002Fpath\u002Fto\u002Fexisting-ca.crt \\\nupki-ca 
start\n",[100,723,724,736,741,746],{"__ignoreMap":129},[133,725,726,728,731,734],{"class":135,"line":136},[133,727,563],{"class":655},[133,729,730],{"class":143},"=",[133,732,733],{"class":150},"\u002Fopt\u002Fupki\u002Fca",[133,735,656],{"class":648},[133,737,738],{"class":135,"line":157},[133,739,740],{"class":655},"UPKI_CA_KEY_FILE=\u002Fpath\u002Fto\u002Fexisting-ca.key \\\n",[133,742,743],{"class":135,"line":172},[133,744,745],{"class":655},"UPKI_CA_CERT_FILE=\u002Fpath\u002Fto\u002Fexisting-ca.crt \\\n",[133,747,748,751],{"class":135,"line":187},[133,749,750],{"class":655},"upki-ca ",[133,752,753],{"class":150},"start\n",[109,755,757],{"id":756},"securing-the-seed","Securing the seed",[96,759,760,761,764],{},"The seed is a shared secret. On Docker, use a secret or an encrypted ",[100,762,763],{},".env"," file. Avoid typing the real seed on the command line as the placeholder below does, since it may be kept in shell history; pipe the generator output straight into the secret instead (openssl rand -base64 48 | docker secret create upki_ca_seed -):",[124,766,768],{"className":639,"code":767,"language":641,"meta":129,"style":129},"# Generate a strong seed\nopenssl rand -base64 48\n\n# Pass it via Docker secret\ndocker secret create upki_ca_seed - \u003C\u003C\u003C \"your-generated-seed\"\n",[100,769,770,776,790,796,801],{"__ignoreMap":129},[133,771,772],{"class":135,"line":136},[133,773,775],{"class":774},"sHwdD","# Generate a strong seed\n",[133,777,778,781,784,787],{"class":135,"line":157},[133,779,780],{"class":648},"openssl",[133,782,783],{"class":150}," rand",[133,785,786],{"class":150}," -base64",[133,788,789],{"class":195}," 48\n",[133,791,792],{"class":135,"line":172},[133,793,795],{"emptyLinePlaceholder":794},true,"\n",[133,797,798],{"class":135,"line":187},[133,799,800],{"class":774},"# Pass it via Docker secret\n",[133,802,803,806,809,812,815,818,821,823,826],{"class":135,"line":199},[133,804,805],{"class":648},"docker",[133,807,808],{"class":150}," secret",[133,810,811],{"class":150}," create",[133,813,814],{"class":150}," upki_ca_seed",[133,816,817],{"class":150}," -",[133,819,820],{"class":143}," 
\u003C\u003C\u003C",[133,822,147],{"class":143},[133,824,825],{"class":150},"your-generated-seed",[133,827,154],{"class":143},[96,829,830],{},"In Docker Compose (this example sets UPKI_CA_SEED_FILE, which the environment-variable table above does not list; only UPKI_CA_SEED is documented there, so confirm that your version reads the _FILE variant):",[124,832,834],{"className":126,"code":833,"language":128,"meta":129,"style":129},"services:\n  upki-ca:\n    environment:\n      UPKI_CA_SEED_FILE: \u002Frun\u002Fsecrets\u002Fupki_ca_seed\n    secrets:\n      - upki_ca_seed\n\nsecrets:\n  upki_ca_seed:\n    external: true\n",[100,835,836,844,851,858,868,875,883,887,894,901],{"__ignoreMap":129},[133,837,838,841],{"class":135,"line":136},[133,839,840],{"class":139},"services",[133,842,843],{"class":143},":\n",[133,845,846,849],{"class":135,"line":157},[133,847,848],{"class":139},"  upki-ca",[133,850,843],{"class":143},[133,852,853,856],{"class":135,"line":172},[133,854,855],{"class":139},"    environment",[133,857,843],{"class":143},[133,859,860,863,865],{"class":135,"line":187},[133,861,862],{"class":139},"      UPKI_CA_SEED_FILE",[133,864,144],{"class":143},[133,866,867],{"class":150}," \u002Frun\u002Fsecrets\u002Fupki_ca_seed\n",[133,869,870,873],{"class":135,"line":199},[133,871,872],{"class":139},"    secrets",[133,874,843],{"class":143},[133,876,877,880],{"class":135,"line":214},[133,878,879],{"class":143},"      -",[133,881,882],{"class":150}," upki_ca_seed\n",[133,884,885],{"class":135,"line":225},[133,886,795],{"emptyLinePlaceholder":794},[133,888,889,892],{"class":135,"line":235},[133,890,891],{"class":139},"secrets",[133,893,843],{"class":143},[133,895,896,899],{"class":135,"line":250},[133,897,898],{"class":139},"  upki_ca_seed",[133,900,843],{"class":143},[133,902,903,906,908],{"class":135,"line":261},[133,904,905],{"class":139},"    external",[133,907,144],{"class":143},[133,909,911],{"class":910},"sfNiH"," true\n",[913,914,915],"style",{},"html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki 
.sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html 
pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sfNiH, html code.shiki .sfNiH{--shiki-light:#FF5370;--shiki-default:#FF9CAC;--shiki-dark:#FF9CAC}",{"title":129,"searchDepth":157,"depth":157,"links":917},[918,921,922,923],{"id":111,"depth":157,"text":102,"children":919},[920],{"id":288,"depth":172,"text":289},{"id":533,"depth":157,"text":534},{"id":632,"depth":157,"text":633},{"id":756,"depth":157,"text":757},"Complete reference for ca.config.yml and environment variables.","md",null,{},{"title":71,"description":924},"z3F9Rk7g96hzt_xP4q2M83DDctWBlEnt9M6IrMQmTto",[931,933],{"title":62,"path":63,"stem":64,"description":932,"children":-1},"Initialise your CA and issue your first certificate in minutes.",{"title":75,"path":76,"stem":77,"description":934,"children":-1},"Built-in profiles and how to create custom ones.",1775569478524]