kipuka

EST enrollment server

A standards-compliant, post-quantum ready certificate enrollment server for private networks. Built in Rust.

Get Started View on Codeberg
kipuka (Hawaiian) — an area of older land surrounded by younger lava flows, an island of stability. Like a kipuka preserves established growth amid change, this server provides stable certificate enrollment amid evolving security requirements.

Built for Private Infrastructure

Everything you need to run a production EST certificate authority on your own terms.

RFC 7030 EST

All six EST operations: cacerts, simpleenroll, simplereenroll, fullcmc, serverkeygen, and csrattrs. Plus STAR auto-renewal (RFC 8739).

Multi-CA & HA

Active-passive, round-robin, weighted, and latency-based failover strategies across multiple certificate authorities.

HSM / PKCS#11

CA private keys loaded from HSMs via PKCS#11. Entrust nShield, Utimaco, Thales Luna, and Kryoptic for dev/test.

Post-Quantum Ready

ML-DSA signing (FIPS 204), ML-KEM key encapsulation (FIPS 203), and composite hybrid algorithms via Synta.

Multi-Database

SQLite for single-node, PostgreSQL or MariaDB for scale. One config line to switch. Automatic migrations.

EAB & Kerberos

mTLS client certificates, one-time passwords with rate limiting, and GSSAPI/Kerberos enterprise SSO integration.

Up and Running in Minutes

Configure, start, and enroll your first certificate.

terminal
$ kipuka /etc/kipuka/kipuka.toml INFO kipuka: loading config from '/etc/kipuka/kipuka.toml' INFO kipuka: opening database 'sqlite:///var/lib/kipuka/kipuka.db' INFO kipuka::ca: loaded CA 'rsa-ca' (RSA 3072-bit, expires 2035-06-24) INFO kipuka::tls: TLS 1.2+ with client auth (optional) INFO kipuka: EST server listening on 0.0.0.0:9443
Read the full quickstart guide →
8

IETF RFCs and standards implemented

From RFC 7030 EST to FIPS 204 post-quantum signatures and NIAP CA Protection Profile v2.0. kipuka tracks the standards so you don't have to.

View RFC Compliance →

Quick Start

Container

# No login required podman pull registry.kipuka.dev/kipuka:latest podman run --rm \ -v ./kipuka.toml:/etc/kipuka/kipuka.toml:ro \ -v ./certs:/etc/kipuka/certs:ro \ -p 9443:9443 \ registry.kipuka.dev/kipuka:latest

Build from source

git clone https://codeberg.org/czinda/kipuka cd kipuka cargo build --release cp kipuka.toml.example kipuka.toml cargo run --release -- --config kipuka.toml

Architecture

A Cargo workspace with six internal crates and zero external CA dependencies.

Clients | TLS + mTLS/OTP | +-------+-------+ | kipuka-est | axum routes, EST protocol +---+---+---+---+ | | | +---------+ | +---------+ | | | kipuka-otp kipuka-hsm kipuka-util OTP lifecycle PKCS#11 shared types HSM ops & config | | | kipuka-dogtag | Dogtag PKI | REST client | +----+----+ kipuka-coap | sqlx | CoAP transport | sqlite | (RFC 7252) | postgres| | mariadb | +---------+