What is uPKI RA and how does it fit in the uPKI ecosystem?
Introduction
uPKI RA is a fully compliant ACME v2 (RFC 8555) Registration Authority written in Python. It acts as the bridge between ACME clients (Traefik, cert-manager, acme.sh…) and a uPKI CA instance, enabling fully private TLS certificate automation with no dependency on the public internet.
What it does
- Implements the complete ACME v2 protocol — new-account, new-order, authorization, challenge, finalize, certificate download, revocation
- Translates ACME requests into ZMQ calls on the uPKI CA
- Manages its own state in SQLite (accounts, orders, authorizations, certificates)
- Protects admin endpoints with mutual TLS (mTLS)
- Auto-bootstraps its own certificate on first start
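The one check that sits in front of every ACME endpoint listed above is verification of the JWS envelope each client request arrives in (RFC 8555 section 6.2): the signature must match the account key (sent as `jwk` on new-account, as `kid` afterwards), the `nonce` must be one the server issued and not yet spent, and the `url` must name the endpoint that received the request. The block below is an added example, written for this page and not code from the upki-ra project; it shows both halves of that exchange with the `cryptography` library, restricted to ES256 (real clients may also use RS256). The endpoint URL, the in-memory nonce and account stores, and the `demo()` walkthrough are assumptions made for the illustration.

```python
# Added example (not upki-ra's own code): the JWS envelope check an ACME v2 RA
# performs on every signed request before acting on it (RFC 8555 section 6.2).
# Keys, nonces and the endpoint URL below are constructed for the demonstration.
import base64
import json
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature,
    encode_dss_signature,
)


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_from_public_key(pub: ec.EllipticCurvePublicKey) -> dict:
    nums = pub.public_numbers()
    return {"kty": "EC", "crv": "P-256",
            "x": b64url(nums.x.to_bytes(32, "big")),
            "y": b64url(nums.y.to_bytes(32, "big"))}


def public_key_from_jwk(jwk: dict) -> ec.EllipticCurvePublicKey:
    if (jwk.get("kty"), jwk.get("crv")) != ("EC", "P-256"):
        raise ValueError("badPublicKey")
    x = int.from_bytes(b64url_decode(jwk["x"]), "big")
    y = int.from_bytes(b64url_decode(jwk["y"]), "big")
    return ec.EllipticCurvePublicNumbers(x, y, ec.SECP256R1()).public_key()


def sign_acme_request(priv, url, nonce, payload, kid=None) -> dict:
    """Client side: build the flattened JWS an ACME client POSTs (ES256)."""
    protected = {"alg": "ES256", "nonce": nonce, "url": url}
    if kid is None:
        protected["jwk"] = jwk_from_public_key(priv.public_key())  # new-account
    else:
        protected["kid"] = kid                                       # existing account
    p = b64url(json.dumps(protected).encode())
    pl = b64url(json.dumps(payload).encode())
    der = priv.sign(f"{p}.{pl}".encode(), ec.ECDSA(hashes.SHA256()))
    r, s = decode_dss_signature(der)                  # JWS wants raw r||s, not DER
    return {"protected": p, "payload": pl,
            "signature": b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))}


class AcmeRequestVerifier:
    """RA side. `nonces` and `accounts` stand in for state an RA would keep in SQLite."""

    def __init__(self):
        self.nonces = set()   # nonces issued and not yet spent
        self.accounts = {}    # kid -> account JWK

    def new_nonce(self) -> str:
        nonce = b64url(os.urandom(16))
        self.nonces.add(nonce)
        return nonce

    def verify(self, jws: dict, expected_url: str) -> dict:
        """Return the decoded payload, or raise ValueError carrying the ACME error type."""
        protected = json.loads(b64url_decode(jws["protected"]))
        if protected.get("alg") != "ES256":
            raise ValueError("badSignatureAlgorithm")
        if ("jwk" in protected) == ("kid" in protected):
            raise ValueError("malformed")            # exactly one of jwk / kid
        if protected.get("url") != expected_url:
            raise ValueError("unauthorized")         # signed for a different endpoint
        if protected.get("nonce") not in self.nonces:
            raise ValueError("badNonce")
        self.nonces.discard(protected["nonce"])      # single use: blocks replay
        if "kid" in protected:
            jwk = self.accounts.get(protected["kid"])
            if jwk is None:
                raise ValueError("accountDoesNotExist")
        else:
            jwk = protected["jwk"]
        raw = b64url_decode(jws["signature"])
        if len(raw) != 64:
            raise ValueError("malformed")
        der = encode_dss_signature(int.from_bytes(raw[:32], "big"),
                                   int.from_bytes(raw[32:], "big"))
        try:
            public_key_from_jwk(jwk).verify(
                der, f"{jws['protected']}.{jws['payload']}".encode(),
                ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            raise ValueError("malformed")
        return json.loads(b64url_decode(jws["payload"]))


def demo() -> dict:
    """Run one client key through the checks above; returns each outcome by name."""
    ra = AcmeRequestVerifier()
    client_key = ec.generate_private_key(ec.SECP256R1())
    url = "https://ra.example.internal:8000/acme/new-account"  # hypothetical endpoint
    out = {}
    jws = sign_acme_request(client_key, url, ra.new_nonce(), {"termsOfServiceAgreed": True})
    out["fresh"] = ra.verify(jws, url)
    try:
        ra.verify(jws, url)                # same request again: nonce already spent
    except ValueError as err:
        out["replay"] = str(err)
    try:
        jws2 = sign_acme_request(client_key, url, ra.new_nonce(), {})
        ra.verify(jws2, url.replace("new-account", "new-order"))
    except ValueError as err:
        out["wrong_url"] = str(err)
    jws3 = sign_acme_request(client_key, url, ra.new_nonce(), {"termsOfServiceAgreed": True})
    jws3["payload"] = b64url(b'{"termsOfServiceAgreed": false}')  # altered in transit
    try:
        ra.verify(jws3, url)
    except ValueError as err:
        out["tampered"] = str(err)
    return out


if __name__ == "__main__":
    print(demo())
```

The nonce is consumed before the signature is checked, so a request that fails verification still burns its nonce and the client must fetch a new one, which is the behaviour RFC 8555 describes for `badNonce` recovery. The error strings are the ACME error types the RA would place in the `type` field of its problem-document response.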
What it does NOT do
- It does not issue certificates itself — it delegates all signing to uPKI CA
- It does not replace Let's Encrypt for public-facing internet certificates
- It does not support legacy ACME v1
Where it fits
```text
[Traefik / cert-manager / acme.sh]
        │ ACME v2 (HTTPS)
        ▼
[uPKI RA :8000] ─── ZMQ :5000 ───► [uPKI CA]
        │ on first start
        └─── ZMQ :5001 ──► CA registration
```
Related projects
| Project | Role |
|---|---|
| upki-ca | The Certificate Authority |
| upki-ra | This project — ACME v2 RA |
| upki-cli | Command-line admin tool |
Technology stack
- Python 3.12+
- FastAPI + uvicorn — ACME HTTP server
- pyzmq — ZMQ client to uPKI CA
- SQLite — ACME state persistence
- cryptography — JWS verification, CSR handling
- Click — CLI framework