EST enrollment server
A Rust implementation of RFC 7030 with multi-CA high availability, hardware security module support, and NIAP CA Protection Profile compliance.
kipuka (Hawaiian) — an area of older land surrounded by younger lava flows, an island of stability. Like a kipuka preserves established growth amid change, this server provides stable certificate enrollment amid evolving security requirements.
All six EST operations: cacerts, simpleenroll, simplereenroll, fullcmc, serverkeygen, and csrattrs. Plus STAR auto-renewal (RFC 8739).
Active-passive, round-robin, weighted, and latency-based failover strategies across multiple certificate authorities.
PKCS#11 integration with Entrust nShield, Utimaco CryptoServer, Thales Luna, and Kryoptic for dev/test.
CA Protection Profile v2.0 mapping, FIPS 140-3 via HSM, CA/B Forum Baseline Requirements enforcement.
ML-DSA signing (FIPS 204), ML-KEM key encapsulation (FIPS 203), and composite hybrid algorithms.
mTLS client certificates, one-time passwords with expiration and use limits, and GSSAPI/Kerberos enterprise SSO.
SQLite for single-node, PostgreSQL and MariaDB for production. Unified via sqlx Any driver with automatic migrations.
Multi-arch OCI images (x86_64 & arm64). Compose profiles for SQLite, PostgreSQL, MariaDB, and HSM development.
Container

```shell
# Pull the image
podman pull registry.heebh.st/heebus/kipuka:latest

# Run with your configuration
podman run --rm \
  -v ./kipuka.toml:/etc/kipuka/kipuka.toml:ro \
  -v ./certs:/etc/kipuka/certs:ro \
  -p 9443:9443 \
  registry.heebh.st/heebus/kipuka:latest
```

Build from source

```shell
cargo build --release
cp kipuka.toml.example kipuka.toml
cargo run --release -- --config kipuka.toml
```
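To exercise the cacerts and simpleenroll operations listed above against a running server, here is a minimal RFC 7030 client written as an added example (it is not part of the kipuka project). It uses only the Python standard library and talks to the port the container command publishes; the client certificate, key, CA bundle and CSR paths are assumptions for illustration.

```python
import base64
import binascii
import http.client
import ssl

EST_HOST = "localhost"
EST_PORT = 9443                     # port published by the container example above
CLIENT_CERT = "./certs/client.pem"  # assumed path: mTLS client certificate
CLIENT_KEY = "./certs/client.key"   # assumed path: matching private key
CA_BUNDLE = "./certs/est-ca.pem"    # assumed path: trust anchor for the EST TLS endpoint


def decode_pkcs7_body(body: bytes) -> bytes:
    """Unwrap an EST application/pkcs7-mime response (base64 CTE) into DER.

    EST responses are base64 text: strip whitespace, decode strictly, and check
    that the result starts with a DER SEQUENCE tag (0x30) before trusting it.
    """
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"response is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE (not PKCS#7)")
    return der


def est_request(path: str, method: str = "GET", csr_der=None) -> bytes:
    """Send one EST request over mTLS; return the decoded PKCS#7 DER."""
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    ctx.load_cert_chain(CLIENT_CERT, CLIENT_KEY)   # mTLS client authentication
    headers = {"Accept": "application/pkcs7-mime"}
    body = None
    if csr_der is not None:
        # RFC 7030 section 4.2.1: the PKCS#10 CSR is sent base64-encoded
        headers["Content-Type"] = "application/pkcs10"
        headers["Content-Transfer-Encoding"] = "base64"
        body = base64.b64encode(csr_der)
    conn = http.client.HTTPSConnection(EST_HOST, EST_PORT, context=ctx)
    conn.request(method, f"/.well-known/est/{path}", body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"EST {path} failed: HTTP {resp.status} {data[:200]!r}")
    return decode_pkcs7_body(data)


if __name__ == "__main__":
    ca_chain = est_request("cacerts")              # CA distribution, no CSR
    with open("client.csr.der", "rb") as f:        # assumed: existing DER-encoded CSR
        issued = est_request("simpleenroll", "POST", f.read())
    print(f"cacerts: {len(ca_chain)} bytes, simpleenroll: {len(issued)} bytes")
```

Both operations are served under the standard /.well-known/est/ prefix; the returned DER is a PKCS#7 certs-only message that still needs to be parsed and the issued certificate chain validated before use.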