Quick Start
Initialise the RA, register with your CA, and serve your first ACME certificate.
This guide walks you through the complete RA lifecycle: initialise, register with the CA, and start serving ACME requests.
You need a running uPKI CA instance before proceeding. See the CA quick start first.
Step 1 — Initialise the RA
upki-ra init \
--data-dir /opt/upki/ra \
--ca-host 127.0.0.1
This creates the RA's local data directory and configuration.
Step 2 — Register with the CA
upki-ra register \
--data-dir /opt/upki/ra \
--ca-host 127.0.0.1 \
--seed "the-ca-registration-seed"
The RA connects to CA port 5001 and issues itself a server certificate.
Step 3 — Start the RA daemon (with auto-bootstrap)
upki-ra start \
--data-dir /opt/upki/ra \
--ca-host 127.0.0.1 \
--tls
On the very first start, the RA automatically bootstraps: it registers itself with the CA if not already done, obtains its TLS certificate, and then begins serving ACME requests.
The RA is now available at https://localhost:8000.
Step 4 — Point an ACME client at the RA
Traefik
# traefik.yml
certificatesResolvers:
  upki:
    acme:
      caServer: "https://upki-ra:8000/acme/directory"
      storage: /acme/acme.json
      tlsChallenge: {}
acme.sh
acme.sh --server https://upki-ra:8000/acme/directory \
--issue -d server.example.internal \
--standalone
Step 5 — Generate the CRL (optional)
upki-ra crl --data-dir /opt/upki/ra
Docker compose (recommended)
services:
  upki-ca:
    image: ghcr.io/circle-rd/upki-ca:latest
    environment:
      UPKI_CA_SEED: "${UPKI_CA_SEED}"
    volumes:
      - ca-data:/data
    ports:
      - "5000:5000"
      - "5001:5001"
  upki-ra:
    image: ghcr.io/circle-rd/upki-ra:latest
    environment:
      UPKI_CA_HOST: upki-ca
      UPKI_CA_SEED: "${UPKI_CA_SEED}"
      UPKI_RA_TLS: "true"
      UPKI_RA_SANS: "upki-ra,ra.example.internal"
    volumes:
      - ra-data:/data
    ports:
      - "8000:8000"
    depends_on:
      - upki-ca
volumes:
  ca-data:
  ra-data:
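
Pre-flight check for Step 4, as an added example that is not part of the uPKI project: it takes the JSON returned by the RA's ACME directory URL and reports any endpoint that is not https or whose host is not one of the names in UPKI_RA_SANS, since an ACME client following such a URL would fail TLS name verification. It assumes the RA serves an RFC 8555 directory object; the function name and the sample endpoint paths are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Directory fields an RFC 8555 client uses for issuance, revocation and rollover.
REQUIRED_FIELDS = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")


def check_directory(directory_json, ca_server_url, ra_sans):
    """Return a list of problems; an empty list means the check passed."""
    # ra_sans: comma-separated names in the RA certificate (the UPKI_RA_SANS value)
    sans = {s.strip().lower() for s in ra_sans.split(",") if s.strip()}
    problems = []

    def check_url(label, url):
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{label}: not https")
        host = (parts.hostname or "").lower()
        if host not in sans:  # exact match only; wildcard SANs are not handled
            problems.append(f"{label}: host {host!r} is not in the RA SANs")

    check_url("caServer", ca_server_url)
    try:
        directory = json.loads(directory_json)
    except json.JSONDecodeError:
        return problems + ["directory: not valid JSON"]
    if not isinstance(directory, dict):
        return problems + ["directory: not a JSON object"]
    for field in REQUIRED_FIELDS:
        url = directory.get(field)
        if isinstance(url, str):
            check_url(field, url)
        else:
            problems.append(f"{field}: missing")
    return problems


if __name__ == "__main__":
    # Constructed sample: endpoint paths are placeholders, not uPKI's real routes.
    sample = json.dumps({
        "newNonce": "https://upki-ra:8000/acme/new-nonce",
        "newAccount": "https://upki-ra:8000/acme/new-account",
        "newOrder": "https://localhost:8000/acme/new-order",
        "revokeCert": "http://upki-ra:8000/acme/revoke-cert",
    })
    for problem in check_directory(sample, "https://upki-ra:8000/acme/directory",
                                   "upki-ra,ra.example.internal"):
        print(problem)
```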