Open Source • BSD-3-Clause

Your PKI,
one install away.

The self-hosted certificate authority with a modern web UI. Create, manage, discover, and automate your certificates — no YAML, no CLI expertise needed.

$ docker run -d -p 8443:8443 neyslim/ultimate-ca-manager
🔒 pki.example.com
UCM dashboard — certificate overview, activity, system health and expiration tracking

Up and running in 60 seconds

Choose your platform. One command, full PKI.

docker run -d --restart=unless-stopped \
  --name ucm \
  -p 8443:8443 \
  -p 8080:8080 \
  -v ucm-data:/opt/ucm/data \
  neyslim/ultimate-ca-manager:latest

Then open https://localhost:8443 and log in with admin / changeme123

A complete PKI platform, not just a CLI tool.

Everything from your root CA down to network discovery — in one self-hosted app.

CA Hierarchy

Build complete trust chains from the web UI — no openssl gymnastics.

  • Root & intermediate CAs
  • Full chain management
  • Offline / HSM-backed keys

Certificate Lifecycle

Issue, sign, renew, revoke and export — in bulk when you need it.

  • PKCS#12 / PEM / DER export
  • Auto-renewal & expiry alerts
  • RFC 5280 / CA-B Forum linting

ACME Server

RFC 8555 + ARI (RFC 9773). Works with certbot, acme.sh, Caddy.

Discovery

Scan your network, find every certificate, auto-import.

SCEP & EST

RFC 8894 & 7030 enrollment for devices and MDM.

HSM Support

PKCS#11 — SoftHSM, Azure Key Vault, Google Cloud KMS.

SSH CA

Sign user & host keys, manage SSH certificates.

CRL & OCSP

Delta CRL, public CDP, OCSP responder (RFC 6960).

Microsoft ADCS

Sign CSRs via ADCS. Template discovery, EOBO support.

Reports & Webhooks

Scheduled PDFs, email alerts, 15+ webhook events with retry.

And more: Timestamping (TSA)Templates & policiesTrust store & toolsRBAC & audit chainsPrometheus metricsEncrypted backupsSQLite / PostgreSQL9 languagesCommand palette (⌘K)mTLS · WebAuthn · SSO

A UI you'll actually want to use

Not just a CLI with a web wrapper. A real, modern interface — on desktop and mobile.

Fully responsive

Manage your PKI from any device.