Importing an Existing CA
How to bootstrap uPKI CA from an existing key/certificate pair.
If you already have a CA (from OpenSSL, cfssl, or another tool), you can import it into uPKI CA instead of generating a fresh root.
Requirements
- An existing CA private key in PEM format
- The corresponding CA certificate in PEM format
- Optional: the key's password, stored in a file
Import at init time
upki-ca init \
    --data-dir /opt/upki/ca \
    --ca-key /path/to/existing-ca.key \
    --ca-cert /path/to/existing-ca.crt
For a password-protected key:
upki-ca init \
    --data-dir /opt/upki/ca \
    --ca-key /path/to/existing-ca.key \
    --ca-cert /path/to/existing-ca.crt \
    --ca-password-file /run/secrets/ca_pass
After import, uPKI CA copies the key and certificate into UPKI_DATA_DIR and uses them for all future signing operations. The original files are not modified.
Via environment variables (Docker)
services:
  upki-ca:
    image: ghcr.io/circle-rd/upki-ca:latest
    environment:
      UPKI_DATA_DIR: /data
      UPKI_CA_SEED: ${PKI_SEED}
      UPKI_CA_KEY_FILE: /secrets/ca.key
      UPKI_CA_CERT_FILE: /secrets/ca.crt
    volumes:
      - upki-ca-data:/data
      - ./secrets:/secrets:ro
Converting from OpenSSL
If your existing CA is stored as a PKCS#12 bundle (or another non-PEM format), extract the PEM key and certificate first:
# Extract key and cert from a PKCS#12 bundle
# -noenc writes the key unencrypted (OpenSSL 3.x; on 1.1.1 the flag is -nodes)
openssl pkcs12 -in ca.p12 -nocerts -noenc -out ca.key
openssl pkcs12 -in ca.p12 -nokeys -out ca.crt
# Import into uPKI CA
upki-ca init --ca-key ca.key --ca-cert ca.crt
Verifying the import
After import, inspect the CA certificate:
openssl x509 -in /opt/upki/ca/ca.crt -noout -subject -issuer -dates
The subject (CN), issuer and validity dates should match those of your existing CA.
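A fuller check than the subject/date inspection above, added here as an example script (not part of uPKI CA): it confirms that the private key actually opens (with the optional password file), that it matches the certificate, that the key is RSA or DSA as the Limitations below require, and that the certificate carries basicConstraints CA:TRUE. It assumes the openssl CLI (1.1.1 or later) on PATH; the `make_test_ca` helper and the throwaway CA it generates are the example's own, not real material.

```shell
#!/bin/sh
# Added pre-import checks for a CA key/cert pair (not part of uPKI CA).
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH. check_ca_pair returns 0
# only if the key opens, matches the certificate, is RSA or DSA, and the
# certificate is marked CA:TRUE; otherwise it explains why on stderr.
set -u

check_ca_pair() {
    key="$1"; cert="$2"; passfile="${3:-}"
    passopt=""
    [ -n "$passfile" ] && passopt="-passin file:$passfile"
    # 1. Load both halves; a wrong --ca-password-file shows up here.
    key_pub=$(openssl pkey -in "$key" $passopt -pubout 2>/dev/null) \
        || { echo "cannot read private key $key (wrong password?)" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }
    # 2. uPKI CA accepts only RSA or DSA keys (see Limitations).
    alg=$(openssl x509 -in "$cert" -noout -text | sed -n 's/.*Public Key Algorithm: //p')
    case "$alg" in
        rsaEncryption|dsaEncryption) ;;
        *) echo "unsupported key algorithm: $alg (need RSA or DSA)" >&2; return 1 ;;
    esac
    # 3. Without CA:TRUE the certificate cannot act as an issuer.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "certificate lacks basicConstraints CA:TRUE" >&2; return 1; }
    # 4. An expired CA imports fine but issues untrusted certs; warn only.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || echo "warning: $cert has already expired" >&2
    return 0
}

# Constructed throwaway CA used to exercise the checks; prints its directory.
make_test_ca() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -days 30 -subj "/CN=Constructed Test CA" \
        -addext "basicConstraints=critical,CA:TRUE" -out "$dir/ca.crt" 2>/dev/null
    echo "$dir"
}

# Self-test on the constructed CA; on a real pair: check_ca_pair KEY CERT [PASSFILE]
demo=$(make_test_ca)
check_ca_pair "$demo/ca.key" "$demo/ca.crt" && echo "OK: ready for upki-ca init"
rm -rf "$demo"
```

Run it against the source pair before `upki-ca init`, or against the copies in the data directory afterwards; a non-zero exit with a message on stderr means the pair is not something uPKI CA can sign with.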
Limitations
- uPKI CA cannot import intermediate CAs directly — it always acts as the root signer. If you need an intermediate CA, issue it from your existing CA and configure uPKI CA with that as the signing certificate.
- The key algorithm must be RSA or DSA. ECDSA keys are not currently supported.