Welcome to the Ultimate Certificate Manager (UCM) documentation! This wiki provides comprehensive guides for all features.

v2.112 Released! SSH Certificate Authority, HTTPS certificate picker modal, comprehensive security audit. View Changelog

---

Mobile	Tablet

---

• Full CA Management - Create, import, manage Certificate Authorities with hierarchy support
• Certificate Lifecycle - Generate, sign, revoke, renew, export certificates
• CSR Management - Create, import, sign Certificate Signing Requests
• Certificate Templates - Predefined configurations for server, client, code signing
• X.509 Extension Viewer - Full certificate extension display with RFC 5280 compliance (v2.76)
• JKS Export - Java KeyStore export format for Java applications (v2.99)
• RFC 5280 SAN Compliance - All 4 SAN types: DNS, IP, Email, URI (v2.91)
• CRL & CDP - Certificate Revocation Lists with HTTP/HTTPS distribution points
• Delta CRL - Incremental CRL updates per RFC 5280 §5.2.4 (v2.75)
• OCSP Responder - Real-time certificate status validation (RFC 6960)
• OCSP Delegated Responder - Per-CA delegated OCSP responders with EKU validation (v2.109)
• AIA CA Issuers - CA certificate download for chain building (RFC 5280 §4.2.2.1) (v2.101)
• Certificate Transparency - CT log submission, SCT parsing, auto-submit on issuance (RFC 6962) (v2.109)
• Certificate Practice Statement - Per-CA CPS URI and Policy OID in CertificatePolicies extension (v2.109)
• Multiple CDP/OCSP/AIA URLs - Multiple distribution points and access descriptions per CA (v2.109)
• HTTP Protocol Server - Dedicated HTTP server for CDP/OCSP/AIA on port 8080 (v2.80)
• Trust Store - Manage trusted root CA certificates
• Approval Workflows - Policy-based certificate issuance with approval enforcement (v2.77)

• SSH CA Management - Create and manage SSH Certificate Authorities (Ed25519, RSA, ECDSA)
• Certificate Signing - Sign user and host SSH certificates with principals, validity, extensions
• Import Support - Import existing SSH CAs and certificates
• Setup Scripts - curl-friendly one-command server trust setup
• Dashboard Widget - SSH certificate stats on dashboard

• Network Scanning - Find TLS certificates on hosts, IPs, and CIDR subnets
• Quick Scan - Instant scan without saving a profile
• Scan Profiles - Reusable scan configurations with scheduling
• SNI Probing - Multi-hostname TLS handshake for maximum coverage
• Certificate Inventory - Track managed/unmanaged/expired/expiring certificates
• Export - CSV and JSON export of discovered certificates
• SSRF Protection - Blocks scanning of internal addresses

• SSL Checker - Verify SSL certificates on any hostname (TLS version, cipher suite, expiry)
• CSR Decoder - Parse and display CSR contents
• Certificate Decoder - Analyze certificate details including PKCS7 bundles and PKCS12 files (v2.111)
• Key Matcher - Verify certificate and private key match
• SSL Converter - Convert between PEM, DER, PKCS#12, PKCS#7 formats

• Executive PDF Report - Multi-section PDF with cover page, risk assessment, compliance, charts (fpdf2/matplotlib)
• Report Scheduler - 6 report types with daily/weekly/monthly scheduling and email delivery
• On-Demand Reports - Generate and download CSV/JSON reports for certificates, CAs, compliance, audit
• Stat Cards - At-a-glance report overview with schedule status

• SCEP Server - RFC 8894 compliant auto-enrollment for network devices
• ACME Support - Let's Encrypt compatible (certbot, acme.sh) with account management, ECDSA keys, EAB, auto-supersede on renewal (v2.92, v2.110)
• EST Protocol - RFC 7030 Enrollment over Secure Transport with full chain responses (v2.95)
• TSA - RFC 3161 Time Stamp Authority for trusted timestamps (v2.109)
• Microsoft AD CS Integration - CSR submission, status polling, Enroll on Behalf Of (v2.70, EOBO v2.93)
• OCSP - Online Certificate Status Protocol responder
• CRL/CDP - Certificate Revocation List distribution points

• SSO - LDAP, OAuth2 (Azure/Google/GitHub), SAML single sign-on with role mapping
• WebAuthn/FIDO2 - Hardware security key support (YubiKey, Passkeys)
• mTLS Authentication - Mutual TLS certificate-based authentication
• TOTP Two-Factor - Time-based one-time passwords
• Password Strength - Visual strength indicator with policy enforcement
• Session Management - Timeout warning, force password change
• Audit Logs - Full action logging with hash chain integrity verification
• Rate Limiting - Brute force protection on all auth endpoints (v2.109)
• CSP Headers - Content Security Policy, X-Frame-Options (v2.109)
• Account Lockout - Configurable lockout on failed login attempts (v2.109)

• RBAC - 4 system roles (Admin, Operator, Auditor, Viewer) plus custom roles with granular permissions
• User Groups - Organize users with role-based access
• API Keys - Generate keys for automation and integrations
• Session History - Track all login sessions

• 6 Theme Variants - 3 color themes × Light/Dark modes
• Auto Dark Mode - Follow system preference
• Command Palette - Ctrl+K global search with quick actions
• Floating Detail Windows - Draggable, resizable entity detail panels
• Dashboard Charts - Certificate activity, status distribution, day selector
• Real-time Updates - WebSocket-based live refresh
• Responsive Design - Mobile-first with adaptive layouts
• Contextual Help - Help modals on every page
• 9 Languages - EN, FR, DE, ES, IT, PT, UK, ZH, JA

---

• Installation Guide
• Quick Start
• First Steps
• Configuration

• Certificate Authority Management
• Certificate Operations
• Certificate Templates
• Certificate Toolbox
• CRL & CDP Distribution
• AIA CA Issuers
• SCEP Server
• OCSP Responder
• ACME Protocol Support
• EST Protocol
• TSA — Timestamp Authority
• Certificate Transparency
• Microsoft CA Integration
• Certificate Discovery
• Reports & Analytics
• Approval Workflows
• SSH Certificate Authority
• HSM Support

• Dashboard Overview
• Theme Customization
• User Settings
• Audit Logs

• Import & Export
• Import from OPNsense
• SSO Configuration
• mTLS Authentication
• WebAuthn/FIDO2
• Trust Store
• Troubleshooting
• Security Best Practices

• User Management
• User Groups
• System Configuration
• Backup & Restore
• Monitoring

• Building from Source
• Contributing
• API Reference
• Architecture

---

• Docker Hub: docker pull neyslim/ultimate-ca-manager:2.112
• GHCR: docker pull ghcr.io/neyslim/ultimate-ca-manager:2.112
• DEB: `wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.112/ucm_2.112_all.deb
• RPM: `wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.112/ucm-2.112-1.fc43.noarch.rpm

• Web UI: https://your-server:8443
• Default Credentials: admin / changeme123 ⚠️ You must change on first login!
• GitHub: NeySlim/ultimate-ca-manager
• Docker Hub: neyslim/ultimate-ca-manager

---

• PKCS7/PKCS12 Decode — Certificate decoder handles P7B bundles and PKCS12 files with chain info
• Security — cryptography 46.0.7 (CVE-2026-39892)

• ACME Auto-Supersede — Automatically revoke old certificates on ACME renewal (controlled by revoke_on_renewal setting)
• DER File Upload Detection — All file uploads detect PEM vs DER by content instead of extension
• CA Template Fix — Remove CA template from Certificates page dropdown

• Certificate Transparency (RFC 6962) — CT log submission, SCT parsing, auto-submit on issuance
• OCSP Delegated Responder (RFC 5019) — Per-CA delegated responder assignment with EKU validation
• Certificate Practice Statement (CPS) — Per-CA CPS URI and Policy OID in certificates
• Multiple CDP/OCSP/AIA URLs — Multiple distribution points and access descriptions per CA
• RFC 3161 Timestamp Authority (TSA) — Time stamping server with configurable policy and accuracy
• RFC 5280 Extensions — PathLength, NameConstraints, PolicyConstraints, InhibitAnyPolicy, SIA, OCSP Must-Staple
• ACME Enhancements — Order management, newAuthz, External Account Binding (EAB)
• In-App Help Translations — 208 help files across 8 languages for all 26 sections
• Security Audit — 38 fixes across CRITICAL/HIGH/MEDIUM: CSP headers, rate limiting, account lockout, CSRF rotation

• SoftHSM Auto-Register — Docker automatically creates HSM provider when SoftHSM token is initialized
• CDP Auto-Enable — CRL Distribution Point auto-enabled on new CAs when Protocol Base URL is configured
• SoftHSM Status Fix — HSM providers no longer show "Disabled" incorrectly
• Docker Key Encryption — Fixed /etc/ucm/ permissions for master key in Docker containers

• ACME Proxy — Full RFC 8555 compliance, dns-01 challenge fix, EAB support for upstream CAs (v2.105-v2.106)
• AIA CA Issuers — CA certificate download endpoints for chain building (RFC 5280 §4.2.2.1) (v2.101)
• Protocol URL Fixes — Auto-repair incorrect https:// URLs, localhost protection (v2.103)
• API Key Permissions — Fixed creation from UI with permission scope selector (v2.102)
• Migration System — Upgrades from pre-v2.52 no longer fail; added docker-compose.simple.yml (v2.100)
• Security — Updated requests, cbor2, cryptography for CVE fixes (v2.106)

• JKS Export — Java KeyStore export format for Java applications
• EST Full Chain — EST responses now include the full certificate chain (RFC 7030)
• HTTP Protocol Server — Dedicated HTTP server on port 8080 for CDP/OCSP endpoints
• Approval Workflows — Policy-based certificate issuance with approval enforcement
• ACME Enhancements — ECDSA keys, External Account Binding (EAB), custom CA servers
• ADCS Enroll on Behalf Of — Submit CSRs on behalf of other users via Microsoft AD CS
• RFC 5280 SAN Compliance — All 4 SAN types: DNS, IP, Email, URI
• X.509 Extension Viewer — Full certificate extension display with RFC compliance

• Delta CRL Support (RFC 5280 §5.2.4) — Incremental CRL updates with DeltaCRLIndicator, FreshestCRL, CDP endpoint, scheduler
• Security Audit — 76 findings across 6 phases, 38 fixed (CRITICAL: RSA-512 removal, ACME JWS bypass, XXE)
• PKI Protocol Hardening — ACME, EST, SCEP, CRL hardened per RFC specifications
• PDF Report Templates — Professional PDF reports with custom builder and scheduling
• Roadmap — 9-item roadmap from market comparison gap analysis

Read Full Release Notes

• Executive PDF Report — Multi-section PDF with cover page, risk assessment, compliance, charts
• Report Scheduler — 6 report types with daily/weekly/monthly frequency and email delivery
• Reports Page Redesign — List layout with stat cards, inline schedule status, mobile-responsive

Read Full Release Notes

• ACME Wildcard CSR Fix — Corrected wildcard certificate handling in ACME CSR generation
• Certificate Import Metadata — Imported certificates now preserve original metadata
• Discord UI Fixes — 4 visual fixes for the Discord theme variant

Read Full Release Notes

• Certificate Discovery — Scan networks for TLS certificates with profiles, quick scan, SNI probing
• Security Hardening — 15 findings fixed: SSRF protection, brute-force limits, audit logging, LDAP encryption
• Error Visibility — Scan errors shown with troubleshooting hints
• In-App Help — Expanded help for discovery page (profiles, filters, errors, export, security)

Read Full Release Notes

• EST management page with config, stats, endpoint info
• Certificate unhold, enriched system-status badges
• WebSocket real-time updates, accordion sidebar
• CSR generation form, enhanced certificate issuance
• Global UI density harmonization

• Login architecture redesign with sessionChecked state guard
• mTLS auto-login with seamless certificate-based authentication
• 6 mTLS authentication fixes (session handling, error flows, logout)
• Enhanced /auth/methods endpoint with dynamic capability detection
• Consistent auth response contract across all login paths

Read Full Release Notes

• Redesigned Operations page (Import/Export/Bulk Actions)
• Unified ExportModal with RBAC permission guards
• Dashboard charts with day selector (7d/15d/30d)
• RBAC with 4 system roles (Admin, Operator, Auditor, Viewer) plus custom roles
• SSO support: LDAP, OAuth2 (Azure/Google/GitHub), SAML with role mapping
• ACME multi-CA support
• In-app contextual help system
• Force password change on first login
• 9 languages, 2273+ keys each
• Reports & governance (policies, approvals)

Read Full Release Notes

• CA Creation Fix - Fixed crash with null validity/keySize values on Docker
• DN Validation - Country code auto-uppercased, CSR validation added
• Docker Path Unified - All data in /opt/ucm/data (same as DEB/RPM)
• Migration Support - Auto-migrate from old Docker path on upgrade

Read Full Release Notes

• Complete UI Redesign - New React 18 frontend with Radix UI
• 12 Theme Variants - 6 color themes × Light/Dark modes
• Enhanced Dashboard - Real-time stats, charts, activity feed
• Certificate Toolbox - SSL checker, decoders, key matcher, converter
• User Groups - Organize users with permissions
• Certificate Templates - Predefined configurations
• Trust Store - Manage trusted root CAs
• Audit Trail - Complete action logging with hash chain verification
• Password Security - Strength indicator, forgot password flow
• Session Management - Timeout warning, force password change
• API v2 - RESTful JSON API with OpenAPI docs
• Docker Hub - Now available on Docker Hub
• Auto-migration - Seamless upgrade from v1.8.x

Read Full Release Notes

• Nginx Dependency Fixed
  • Nginx is now truly optional
  • UCM can run standalone with built-in HTTPS server
  • Fixed GitHub Actions workflow packaging bug
• Deployment Flexibility
  • Standalone mode (no reverse proxy needed)
  • Reverse proxy mode (nginx/apache)
  • Docker deployment
• Documentation Updates
  • All guides updated to v1.8.3
  • CHANGELOG with full history
  • Clear deployment options

Read Full Release Notes

• ✅ Export Authentication - All formats (PEM, DER, PKCS#12) with JWT
• Visual Theme Previews - 2×4 grid with live previews
• Docker/Native Compatibility - Dynamic path resolution
• Global PKCS#12 Modal - Available across all pages

Read Release Notes

• Dependency Updates (Python 3.13 compatible)
• Security: cryptography 46.0.3, pyOpenSSL 25.3.0
• WebAuthn: Updated to 2.7.0 with FIDO2 improvements
• Bug Fixes: Certificate selector, Dockerfile improvements

• Collapsible sidebar submenus with smooth animations
• My Account section relocated to bottom of sidebar
• Optimized sidebar width (220px uniform across all themes)
• 14×14px submenu icons for better visual hierarchy
• localStorage persistence for submenu states

• Fixed OPNsense import JavaScript errors
• Fixed import statistics display
• Improved toast notification system

• Complete Tailwind CSS removal (~827 classes)
• Custom themed scrollbars
• CRL Information pages (public & integrated)
• Modal system improvements
• Full responsive design
• 8 beautiful themes

See Full Changelog

---

Property	Value
Latest Stable	2.112
Previous Stable	2.110
Python	3.10+ (3.13 compatible)
Platform	Linux, Docker (multi-arch)
License	BSD-3-Clause
Repository	GitHub
Docker Registry	GHCR

---

• Release Notes - All versions
• v2.112 Release - SSH Certificate Authority, HTTPS cert picker, security audit
• v2.109 Release - CT logs, OCSP delegated, TSA, CPS, security audit
• v2.107 Release - SoftHSM auto-register, CDP auto-enable, ACME Proxy
• v2.75 Release - Delta CRL, security audit, PDF templates
• v2.69 Release - Executive PDF reports, report scheduler, accessibility
• v2.68 Release - ACME wildcard CSR fix, cert import metadata, Discord UI fixes
• v2.52 Release - Certificate discovery and security hardening
• v2.50 Release - Login architecture redesign, mTLS auto-login
• Screenshots Gallery - See v2.0 in action
• CI/CD Workflows - Build status

---

• Issues: GitHub Issues
• Discussions: GitHub Discussions
• Documentation: This wiki

---

Last Updated: 2026-04-09
Maintained By: NeySlim