[{"data":1,"prerenderedAt":512},["ShallowReactive",2],{"navigation_docs":3,"-docs-guides-importing-existing-ca":86,"-docs-guides-importing-existing-ca-surround":509},[4,22,31,48,65],{"title":5,"path":6,"stem":7,"children":8,"page":21},"Api","\u002Fdocs\u002Fapi","docs\u002Fapi",[9,13,17],{"title":10,"path":11,"stem":12},"CLI Reference","\u002Fdocs\u002Fapi\u002Fcli-reference","docs\u002Fapi\u002F1.cli-reference",{"title":14,"path":15,"stem":16},"ZMQ Protocol Reference","\u002Fdocs\u002Fapi\u002Fzmq-protocol","docs\u002Fapi\u002F2.zmq-protocol",{"title":18,"path":19,"stem":20},"Error Codes","\u002Fdocs\u002Fapi\u002Ferror-codes","docs\u002Fapi\u002F3.error-codes",false,{"title":23,"path":24,"stem":25,"children":26,"page":21},"Community","\u002Fdocs\u002Fcommunity","docs\u002Fcommunity",[27],{"title":28,"path":29,"stem":30},"Contributing","\u002Fdocs\u002Fcommunity\u002Fcontributing","docs\u002Fcommunity\u002F1.contributing",{"title":32,"path":33,"stem":34,"children":35,"page":21},"Concepts","\u002Fdocs\u002Fconcepts","docs\u002Fconcepts",[36,40,44],{"title":37,"path":38,"stem":39},"Architecture","\u002Fdocs\u002Fconcepts\u002Farchitecture","docs\u002Fconcepts\u002F1.architecture",{"title":41,"path":42,"stem":43},"Certificate Lifecycle","\u002Fdocs\u002Fconcepts\u002Fcertificate-lifecycle","docs\u002Fconcepts\u002F2.certificate-lifecycle",{"title":45,"path":46,"stem":47},"Security Model","\u002Fdocs\u002Fconcepts\u002Fsecurity-model","docs\u002Fconcepts\u002F3.security-model",{"title":49,"path":50,"stem":51,"children":52,"page":21},"Getting Started","\u002Fdocs\u002Fgetting-started","docs\u002Fgetting-started",[53,57,61],{"title":54,"path":55,"stem":56},"Introduction","\u002Fdocs\u002Fgetting-started\u002Fintroduction","docs\u002Fgetting-started\u002F1.introduction",{"title":58,"path":59,"stem":60},"Installation","\u002Fdocs\u002Fgetting-started\u002Finstallation","docs\u002Fgetting-started\u002F2.installation",{"title":62,"path":63,"stem":64},"Quick 
Start","\u002Fdocs\u002Fgetting-started\u002Fquick-start","docs\u002Fgetting-started\u002F3.quick-start",{"title":66,"path":67,"stem":68,"children":69,"page":21},"Guides","\u002Fdocs\u002Fguides","docs\u002Fguides",[70,74,78,82],{"title":71,"path":72,"stem":73},"Configuration","\u002Fdocs\u002Fguides\u002Fconfiguration","docs\u002Fguides\u002F1.configuration",{"title":75,"path":76,"stem":77},"Certificate Profiles","\u002Fdocs\u002Fguides\u002Fcertificate-profiles","docs\u002Fguides\u002F2.certificate-profiles",{"title":79,"path":80,"stem":81},"Docker Deployment","\u002Fdocs\u002Fguides\u002Fdocker-deployment","docs\u002Fguides\u002F3.docker-deployment",{"title":83,"path":84,"stem":85},"Importing an Existing CA","\u002Fdocs\u002Fguides\u002Fimporting-existing-ca","docs\u002Fguides\u002F4.importing-existing-ca",{"id":87,"title":83,"body":88,"description":503,"extension":504,"links":505,"meta":506,"navigation":416,"path":84,"seo":507,"stem":85,"__hash__":508},"docs\u002Fdocs\u002Fguides\u002F4.importing-existing-ca.md",{"type":89,"value":90,"toc":495},"minimark",[91,95,99,104,117,121,179,182,229,236,240,350,354,357,440,444,447,476,479,483,491],[92,93,83],"h1",{"id":94},"importing-an-existing-ca",[96,97,98],"p",{},"If you already have a CA (from OpenSSL, cfssl, or another tool), you can import it into uPKI CA instead of generating a fresh root.",[100,101,103],"h2",{"id":102},"requirements","Requirements",[105,106,107,111,114],"ul",{},[108,109,110],"li",{},"An existing CA private key in PEM format",[108,112,113],{},"The corresponding CA certificate in PEM format",[108,115,116],{},"Optional: the key's password, stored in a file",[100,118,120],{"id":119},"import-at-init-time","Import at init time",[122,123,128],"pre",{"className":124,"code":125,"language":126,"meta":127,"style":127},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","upki-ca init \\\n  --data-dir \u002Fopt\u002Fupki\u002Fca \\\n  --ca-key 
\u002Fpath\u002Fto\u002Fexisting-ca.key \\\n  --ca-cert \u002Fpath\u002Fto\u002Fexisting-ca.crt\n","bash","",[129,130,131,148,159,170],"code",{"__ignoreMap":127},[132,133,136,140,144],"span",{"class":134,"line":135},"line",1,[132,137,139],{"class":138},"sBMFI","upki-ca",[132,141,143],{"class":142},"sfazB"," init",[132,145,147],{"class":146},"sTEyZ"," \\\n",[132,149,151,154,157],{"class":134,"line":150},2,[132,152,153],{"class":142},"  --data-dir",[132,155,156],{"class":142}," \u002Fopt\u002Fupki\u002Fca",[132,158,147],{"class":146},[132,160,162,165,168],{"class":134,"line":161},3,[132,163,164],{"class":142},"  --ca-key",[132,166,167],{"class":142}," \u002Fpath\u002Fto\u002Fexisting-ca.key",[132,169,147],{"class":146},[132,171,173,176],{"class":134,"line":172},4,[132,174,175],{"class":142},"  --ca-cert",[132,177,178],{"class":142}," \u002Fpath\u002Fto\u002Fexisting-ca.crt\n",[96,180,181],{},"For a password-protected key:",[122,183,185],{"className":124,"code":184,"language":126,"meta":127,"style":127},"upki-ca init \\\n  --data-dir \u002Fopt\u002Fupki\u002Fca \\\n  --ca-key \u002Fpath\u002Fto\u002Fexisting-ca.key \\\n  --ca-cert \u002Fpath\u002Fto\u002Fexisting-ca.crt \\\n  --ca-password-file \u002Frun\u002Fsecrets\u002Fca_pass\n",[129,186,187,195,203,211,220],{"__ignoreMap":127},[132,188,189,191,193],{"class":134,"line":135},[132,190,139],{"class":138},[132,192,143],{"class":142},[132,194,147],{"class":146},[132,196,197,199,201],{"class":134,"line":150},[132,198,153],{"class":142},[132,200,156],{"class":142},[132,202,147],{"class":146},[132,204,205,207,209],{"class":134,"line":161},[132,206,164],{"class":142},[132,208,167],{"class":142},[132,210,147],{"class":146},[132,212,213,215,218],{"class":134,"line":172},[132,214,175],{"class":142},[132,216,217],{"class":142}," \u002Fpath\u002Fto\u002Fexisting-ca.crt",[132,219,147],{"class":146},[132,221,223,226],{"class":134,"line":222},5,[132,224,225],{"class":142},"  --ca-password-file",[132,227,228],{"class":142}," 
\u002Frun\u002Fsecrets\u002Fca_pass\n",[96,230,231,232,235],{},"After import, uPKI CA copies the key and certificate into ",[129,233,234],{},"UPKI_DATA_DIR"," and uses them for all future signing operations. The original files are not modified, so they remain a separate copy of the CA private key; keep them protected, or remove them once the import has been verified.",[100,237,239],{"id":238},"via-environment-variables-docker","Via environment variables (Docker)",[122,241,245],{"className":242,"code":243,"language":244,"meta":127,"style":127},"language-yaml shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","services:\n  upki-ca:\n    image: ghcr.io\u002Fcircle-rd\u002Fupki-ca:latest\n    environment:\n      UPKI_DATA_DIR: \u002Fdata\n      UPKI_CA_SEED: ${PKI_SEED}\n      UPKI_CA_KEY_FILE: \u002Fsecrets\u002Fca.key\n      UPKI_CA_CERT_FILE: \u002Fsecrets\u002Fca.crt\n    volumes:\n      - upki-ca-data:\u002Fdata\n      - .\u002Fsecrets:\u002Fsecrets:ro\n","yaml",[129,246,247,257,264,275,282,292,303,314,325,333,342],{"__ignoreMap":127},[132,248,249,253],{"class":134,"line":135},[132,250,252],{"class":251},"swJcz","services",[132,254,256],{"class":255},"sMK4o",":\n",[132,258,259,262],{"class":134,"line":150},[132,260,261],{"class":251},"  upki-ca",[132,263,256],{"class":255},[132,265,266,269,272],{"class":134,"line":161},[132,267,268],{"class":251},"    image",[132,270,271],{"class":255},":",[132,273,274],{"class":142}," ghcr.io\u002Fcircle-rd\u002Fupki-ca:latest\n",[132,276,277,280],{"class":134,"line":172},[132,278,279],{"class":251},"    environment",[132,281,256],{"class":255},[132,283,284,287,289],{"class":134,"line":222},[132,285,286],{"class":251},"      UPKI_DATA_DIR",[132,288,271],{"class":255},[132,290,291],{"class":142}," \u002Fdata\n",[132,293,295,298,300],{"class":134,"line":294},6,[132,296,297],{"class":251},"      UPKI_CA_SEED",[132,299,271],{"class":255},[132,301,302],{"class":142}," ${PKI_SEED}\n",[132,304,306,309,311],{"class":134,"line":305},7,[132,307,308],{"class":251},"      
UPKI_CA_KEY_FILE",[132,310,271],{"class":255},[132,312,313],{"class":142}," \u002Fsecrets\u002Fca.key\n",[132,315,317,320,322],{"class":134,"line":316},8,[132,318,319],{"class":251},"      UPKI_CA_CERT_FILE",[132,321,271],{"class":255},[132,323,324],{"class":142}," \u002Fsecrets\u002Fca.crt\n",[132,326,328,331],{"class":134,"line":327},9,[132,329,330],{"class":251},"    volumes",[132,332,256],{"class":255},[132,334,336,339],{"class":134,"line":335},10,[132,337,338],{"class":255},"      -",[132,340,341],{"class":142}," upki-ca-data:\u002Fdata\n",[132,343,345,347],{"class":134,"line":344},11,[132,346,338],{"class":255},[132,348,349],{"class":142}," .\u002Fsecrets:\u002Fsecrets:ro\n",[100,351,353],{"id":352},"converting-from-openssl","Converting from OpenSSL",[96,355,356],{},"If your existing CA uses PKCS#12 or other formats, convert it to PEM before importing. The -noenc option below writes the private key to ca.key unencrypted, so run the extraction in a directory only the CA operator can read and remove the plaintext copy once the import has been verified:",[122,358,360],{"className":124,"code":359,"language":126,"meta":127,"style":127},"# Extract key and cert from a PKCS#12 bundle\nopenssl pkcs12 -in ca.p12 -nocerts -noenc -out ca.key\nopenssl pkcs12 -in ca.p12 -nokeys -out ca.crt\n\n# Import into uPKI CA\nupki-ca init --ca-key ca.key --ca-cert ca.crt\n",[129,361,362,368,394,412,418,423],{"__ignoreMap":127},[132,363,364],{"class":134,"line":135},[132,365,367],{"class":366},"sHwdD","# Extract key and cert from a PKCS#12 bundle\n",[132,369,370,373,376,379,382,385,388,391],{"class":134,"line":150},[132,371,372],{"class":138},"openssl",[132,374,375],{"class":142}," pkcs12",[132,377,378],{"class":142}," -in",[132,380,381],{"class":142}," ca.p12",[132,383,384],{"class":142}," -nocerts",[132,386,387],{"class":142}," -noenc",[132,389,390],{"class":142}," -out",[132,392,393],{"class":142}," ca.key\n",[132,395,396,398,400,402,404,407,409],{"class":134,"line":161},[132,397,372],{"class":138},[132,399,375],{"class":142},[132,401,378],{"class":142},[132,403,381],{"class":142},[132,405,406],{"class":142}," -nokeys",[132,408,390],{"class":142},[132,410,411],{"class":142}," 
ca.crt\n",[132,413,414],{"class":134,"line":172},[132,415,417],{"emptyLinePlaceholder":416},true,"\n",[132,419,420],{"class":134,"line":222},[132,421,422],{"class":366},"# Import into uPKI CA\n",[132,424,425,427,429,432,435,438],{"class":134,"line":294},[132,426,139],{"class":138},[132,428,143],{"class":142},[132,430,431],{"class":142}," --ca-key",[132,433,434],{"class":142}," ca.key",[132,436,437],{"class":142}," --ca-cert",[132,439,411],{"class":142},[100,441,443],{"id":442},"verifying-the-import","Verifying the import",[96,445,446],{},"After import, inspect the CA certificate:",[122,448,450],{"className":124,"code":449,"language":126,"meta":127,"style":127},"openssl x509 -in \u002Fopt\u002Fupki\u002Fca\u002Fca.crt -noout -subject -issuer -dates\n",[129,451,452],{"__ignoreMap":127},[132,453,454,456,459,461,464,467,470,473],{"class":134,"line":135},[132,455,372],{"class":138},[132,457,458],{"class":142}," x509",[132,460,378],{"class":142},[132,462,463],{"class":142}," \u002Fopt\u002Fupki\u002Fca\u002Fca.crt",[132,465,466],{"class":142}," -noout",[132,468,469],{"class":142}," -subject",[132,471,472],{"class":142}," -issuer",[132,474,475],{"class":142}," -dates\n",[96,477,478],{},"The subject (including the CN), issuer, and validity dates should match your existing CA. To confirm it is exactly the same certificate, also compare the output of openssl x509 -noout -fingerprint -sha256 for the imported file and the original.",[100,480,482],{"id":481},"limitations","Limitations",[105,484,485,488],{},[108,486,487],{},"uPKI CA cannot import intermediate CAs directly — it always acts as the root signer. If you need an intermediate CA, issue it from your existing CA and configure uPKI CA with that as the signing certificate.",[108,489,490],{},"The key algorithm must be RSA or DSA. 
ECDSA keys are not currently supported.",[492,493,494],"style",{},"html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sMK4o, html code.shiki 
.sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}",{"title":127,"searchDepth":150,"depth":150,"links":496},[497,498,499,500,501,502],{"id":102,"depth":150,"text":103},{"id":119,"depth":150,"text":120},{"id":238,"depth":150,"text":239},{"id":352,"depth":150,"text":353},{"id":442,"depth":150,"text":443},{"id":481,"depth":150,"text":482},"How to bootstrap uPKI CA from an existing key\u002Fcertificate pair.","md",null,{},{"title":83,"description":503},"KZOUHU7lB7ioS3lY9l-MVqk-uBz_7v3uyKZ6xQbFdHg",[510,505],{"title":79,"path":80,"stem":81,"description":511,"children":-1},"Run uPKI CA in Docker or Docker Compose with production-ready settings.",1775569478524]