CLI Reference
Complete reference for the ra_server.py command-line interface.
Global flags
These flags apply to all commands:
| Flag | Short | Default | Env variable | Description |
|---|---|---|---|---|
| --dir <path> | -d | ~/.upki/ra | UPKI_DATA_DIR | Data directory |
| --ip <host> | -i | 127.0.0.1 | UPKI_CA_HOST | CA ZMQ host |
| --port <int> | -p | 5000 | UPKI_CA_PORT | CA ZMQ port |
| --web-ip <host> | | 127.0.0.1 | UPKI_RA_HOST | RA bind address |
| --web-port <int> | | 8000 | UPKI_RA_PORT | RA HTTP/HTTPS port |
| --debug | | false | — | Enable debug logging |
Commands
init
Initialise the RA data directory structure. Idempotent.
python ra_server.py init
Prints the path to the data directory and the next steps.
register
Register the RA with the CA. Connects to CA port 5001, presents the seed, and receives a signed certificate.
python ra_server.py register -s <seed> [-c <cn>]
| Option | Short | Required | Description |
|---|---|---|---|
| --seed <seed> | -s | Yes | CA registration seed |
| --cn <name> | -c | No | RA Common Name (default: RA) |
listen
Start the RA HTTP/HTTPS server. The RA must already be registered.
python ra_server.py listen
Uses --web-ip / --web-port for the bind address. TLS is enabled when UPKI_RA_TLS=true.
start
Auto-bootstrap mode — the Docker default entrypoint.
- If the RA is not registered (no ra.crt/ra.key): reads UPKI_CA_SEED, calls register, then starts the server.
- If already registered: starts the server directly.
python ra_server.py start
Requires UPKI_CA_SEED environment variable on first boot.
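A preflight check for the start behaviour described above, added here as an example and not part of the project's own code. It assumes ra.crt and ra.key sit directly in the data directory and that either file missing means "not registered"; the function name ra_preflight is hypothetical.

```shell
#!/bin/sh
# Added example: predicts what `ra_server.py start` will do, using only the
# rules documented on this page, so a missing seed is caught before boot.
# Assumption: ra.crt and ra.key are stored directly in the data directory.

# Prints one of: start-direct | register-then-start | missing-seed
# Returns 1 for missing-seed, mirroring the documented exit code 1.
ra_preflight() {
    dir="${UPKI_DATA_DIR:-$HOME/.upki/ra}"   # documented default for --dir
    host="${UPKI_RA_HOST:-127.0.0.1}"        # documented default for --web-ip

    # TLS is enabled only when UPKI_RA_TLS=true. Plain HTTP on a
    # non-loopback bind address exposes the RA API unencrypted.
    if [ "${UPKI_RA_TLS:-}" != "true" ]; then
        case "$host" in
            127.*|localhost|::1) ;;
            *) echo "warning: RA binds $host without TLS (UPKI_RA_TLS is not true)" >&2 ;;
        esac
    fi

    # Already registered: start runs the server directly, no seed needed.
    if [ -f "$dir/ra.crt" ] && [ -f "$dir/ra.key" ]; then
        echo "start-direct"
        return 0
    fi

    # First boot: start reads UPKI_CA_SEED and calls register.
    if [ -z "${UPKI_CA_SEED:-}" ]; then
        echo "missing-seed"
        return 1
    fi
    echo "register-then-start"
}

# Usage: ra_preflight >/dev/null && python ra_server.py start
```

Once the preflight reports start-direct, the seed is no longer read by start and can be dropped from the container environment.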
crl
Fetch a new CRL from the CA and save it to $UPKI_DATA_DIR/crl.pem.
python ra_server.py crl
Environment variables
| Variable | CLI flag | Description |
|---|---|---|
| UPKI_DATA_DIR | -d | Data directory path |
| UPKI_CA_HOST | -i | CA ZMQ host |
| UPKI_CA_PORT | -p | CA ZMQ port |
| UPKI_RA_HOST | --web-ip | RA bind address |
| UPKI_RA_PORT | --web-port | RA HTTP/HTTPS port |
| UPKI_CA_SEED | — | CA registration seed (used by start) |
| UPKI_RA_CN | — | RA Common Name for auto-registration (default: RA) |
| UPKI_RA_TLS | — | Enable HTTPS: true / false (default in Docker: true) |
| UPKI_RA_SANS | — | Comma-separated DNS SANs for the RA certificate (first boot only) |
Exit codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Error (registration failure, server startup error, missing seed) |