ACME v2 for private networks.
uPKI RA is a fully compliant ACME v2 Registration Authority (RFC 8555) that connects your internal infrastructure to a self-hosted CA. Use Traefik, cert-manager, or any ACME client — no Let's Encrypt required.
Why uPKI RA?
RFC 8555 compliant
Full ACME v2 implementation — new-account, new-order, challenges, certificate issuance and revocation.
Auto-bootstrap
First start automatically registers the RA with the CA and issues its own mTLS certificate.
mTLS by default
Mutual TLS protects all admin and client endpoints. The Docker image ships with TLS enabled by default.
Traefik native
Works out of the box as a Traefik ACME provider. Point caServer at the RA and you're done.
Air-gapped friendly
Zero internet dependency. Deploy behind a firewall, in a DMZ, or in a fully isolated network.
SQLite state
ACME state (accounts, orders, authorizations) is stored in SQLite. Simple, reliable, zero operational overhead.