Complete reference for kipuka.toml. Copy kipuka.toml.example and adjust it for your environment. Keys whose Default column reads "—" have no default and must be set. Values of type duration are strings with a unit suffix, as in the defaults shown below ("30s", "15m", "24h").
## Server

Core server settings: listen address, workers, and request limits.

| Key | Type | Default | Description |
|---|---|---|---|
| listen | string | — | Listen address and port for the EST HTTPS endpoint |
| admin_listen | string | none | Admin API bind address. Bind it to localhost or an internal interface, never to the public interface the EST endpoint uses |
| workers | integer | CPU cores | Number of worker threads |
| max_body_size | integer | 1048576 | Request body size limit in bytes (1 MiB) |
| shutdown_timeout | integer | 30 | Graceful shutdown timeout in seconds |

### Example

```toml
[server]
listen = "0.0.0.0:8443"
admin_listen = "127.0.0.1:9443"
workers = 4
```

## TLS

TLS configuration for the EST HTTPS endpoint. The server certificate must include the id-kp-cmcRA extended key usage (OID 1.3.6.1.5.5.7.3.28, defined in RFC 6402) required by RFC 7030 §3.3.2; clients that follow RFC 7030 check for it when validating the server certificate, so a plain web-server certificate will be rejected.
| Key | Type | Default | Description |
|---|---|---|---|
| cert | path | — | Server certificate (PEM) |
| key | path | — | Server private key (PEM) |
| min_version | string | "1.2" | Minimum TLS version (1.2 or 1.3) |
| cipher_suites | array | AEAD-only | Allowed TLS 1.2 cipher suites. The default already excludes CBC and other non-AEAD suites; TLS 1.3 uses its own fixed AEAD suites and is not affected by this list |

### Client authentication (`[tls.client_auth]`)

| Key | Type | Default | Description |
|---|---|---|---|
| trust_anchors | path | — | CA bundle for mTLS client certificate verification |
| mode | string | "optional" | required, optional, or none. With optional, clients without a certificate still reach the endpoint and must authenticate another way (for example OTP); with none, certificate-based client authentication is unavailable entirely |

### Example

```toml
[tls]
cert = "/etc/kipuka/tls/server.pem"
key = "/etc/kipuka/tls/server.key"
[tls.client_auth]
trust_anchors = "/etc/kipuka/tls/client-ca-bundle.pem"
mode = "optional"
```

## Database

Database backend configuration. Supports SQLite, PostgreSQL, and MariaDB via the sqlx Any driver.
| Key | Type | Default | Description |
|---|---|---|---|
| url | string | — | Database connection URL |
| max_connections | integer | 10 | Connection pool size |
| connect_timeout | integer | 5 | Connection timeout in seconds |
| auto_migrate | bool | false | Run migrations on startup. Leave it off in production and run kipuka migrate as a deliberate step |

### Connection URL formats

```toml
# SQLite
url = "sqlite:///var/lib/kipuka/kipuka.db"
# PostgreSQL
url = "postgres://user:pass@host:5432/kipuka"
# MariaDB
url = "mysql://user:pass@host:3306/kipuka"
```

A URL with embedded credentials puts the database password in kipuka.toml, so restrict the file's permissions to the service account and keep it out of version control.

## Certificate authorities

Certificate authority definitions. Each [[ca]] block defines a CA that can issue certificates. Reference CAs by id in EST labels and HA groups.
| Key | Type | Default | Description |
|---|---|---|---|
| id | string | — | Unique identifier (referenced by labels and HA groups) |
| name | string | — | Display name (logs and admin API) |
| cert | path | — | CA certificate (PEM) |
| key | path | none | CA private key (PEM). Omit if the key is in an HSM and set hsm_slot instead |
| chain | path | none | Intermediate chain up to, but not including, the root |
| validity_days | integer | 398 | Default certificate validity period in days |
| max_validity_days | integer | 398 | Maximum allowed validity in days; 398 is the CA/Browser Forum Baseline Requirements limit for publicly trusted TLS certificates |
| default_key_usage | array | see below | Key usage constraints |
| default_ext_key_usage | array | see below | Extended key usage constraints |
| hsm_slot | string | none | HSM slot label (omit for file-based keys; requires the HSM section) |

### Example

```toml
[[ca]]
id = "rsa-ca"
name = "RSA Issuing CA"
cert = "/etc/kipuka/ca/rsa-ca.pem"
key = "/etc/kipuka/ca/rsa-ca.key"
validity_days = 398
```

## EST

EST protocol settings and label-based certificate profile routing.
| Key | Type | Default | Description |
|---|---|---|---|
| base_path | string | "/.well-known/est" | Base path for EST endpoints |
| cacerts | bool | true | Enable /cacerts |
| simpleenroll | bool | true | Enable /simpleenroll |
| simplereenroll | bool | true | Enable /simplereenroll |
| fullcmc | bool | true | Enable /fullcmc |
| serverkeygen | bool | true | Enable /serverkeygen |
| csrattrs | bool | true | Enable /csrattrs |
| retry_after | integer | 120 | Retry-After header value in seconds, sent with the HTTP 202 response when a request is pending approval |

Disable the endpoints you do not use. /serverkeygen in particular returns a server-generated private key to the client (RFC 7030 §4.4) and should only be enabled for clients that cannot generate their own keys.

### Labels

| Key | Type | Default | Description |
|---|---|---|---|
| name | string | — | Label name; it becomes a path segment under base_path, e.g. /.well-known/est/\<name\>/simpleenroll |
| ca_id | string | — | CA to use for this label |
| allowed_key_types | array | all | Allowed key types (e.g. "rsa:2048", "ec:p256") |
| required_ext_key_usage | array | none | Required EKU OIDs |
| max_validity_days | integer | CA default | Maximum validity for this label; keep it at or below the CA's max_validity_days |
| require_san | bool | false | Require a Subject Alternative Name |
| subject_pattern | string | none | Regex the Subject DN must match; anchor it (^...$) unless a substring match is intended |
## HSM

PKCS#11 HSM integration for protecting CA private keys. Only required if any [[ca]] block uses hsm_slot.

| Key | Type | Default | Description |
|---|---|---|---|
| library | path | — | PKCS#11 shared library path |
| slot | integer | 0 | PKCS#11 slot number |
| token_label | string | none | PKCS#11 token label (alternative to slot) |
| pin | string | none | HSM PIN stored in cleartext in the config file (not recommended for production) |
| pin_env | string | none | Environment variable containing the PIN (preferred) |
| pin_file | path | none | File containing the PIN (must be mode 0400 and owned by the service account) |

### Vendor library paths

```toml
# Entrust nShield
library = "/opt/nfast/toolkits/pkcs11/libcknfast.so"
# Utimaco CryptoServer
library = "/usr/lib/libcs_pkcs11_R3.so"
# Kryoptic (dev/test)
library = "/usr/lib/libkryoptic_pkcs11.so"
# Thales Luna (CSP11)
library = "/usr/safenet/lunaclient/lib/libCryptoki2_64.so"
```

## OTP

One-time password authentication for initial certificate enrollment.
| Key | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable OTP authentication |
| token_length | integer | 24 | OTP token length (≥16 for NIAP) |
| default_ttl | duration | "24h" | Default OTP validity period |
| max_uses | integer | 1 | Maximum uses per OTP token |
| hash_algorithm | string | "argon2id" | Hash algorithm for stored tokens (argon2id, bcrypt, sha256-hmac) |
| max_failures | integer | 5 | Max failed attempts per IP per window |
| failure_window | duration | "15m" | Rate limiting window |
| lockout_duration | duration | "30m" | Lockout duration after max failures |
## Audit logging

Audit logging that meets the FAU_GEN.1 (audit data generation) requirement of the NIAP protection profiles. Events are always stored in the database; the destinations below receive additional copies.

| Key | Type | Default | Description |
|---|---|---|---|
| file | path | none | Append-only audit log file (JSON lines). The server only appends; for tamper evidence also enforce append-only at the filesystem (chattr +a) or ship the events to a remote collector |
| syslog | string | none | Syslog destination URI (RFC 5424 format) |
| syslog_facility | string | "local0" | Syslog facility |
| events | array | ["all"] | Events to log: all, auth, enroll, revoke, admin, config, startup, error |
| include_cert_data | bool | false | Include the full certificate DER in enrollment events |
## High availability

High availability failover across multiple CA backends.

| Key | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable HA failover |
| strategy | string | "active-passive" | active-passive, round-robin, or weighted |
| check_interval | duration | "30s" | Health check interval |
| failure_threshold | integer | 3 | Consecutive failures to mark a CA unhealthy |
| recovery_timeout | duration | "60s" | Delay before retrying a failed CA |
| check_timeout | duration | "10s" | Health check timeout per CA |

### Groups

| Key | Type | Default | Description |
|---|---|---|---|
| name | string | — | HA group name |
| ca_ids | array | — | List of CA IDs in this group |
| strategy | string | global setting | Override strategy for this group |
## Admin API

Administrative API for OTP provisioning, CA management, and server health.

| Key | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable the admin API |
| auth | string | "mtls" | Auth method: mtls, bearer, or both |
| trust_anchors | path | none | Admin client certificate CA bundle |
| bearer_token_env | string | none | Environment variable containing the bearer token |