kipuka

EST enrollment server

A standards-compliant, post-quantum ready certificate enrollment server for private networks. Built in Rust.

kipuka (Hawaiian) — an area of older land surrounded by younger lava flows, an island of stability. Like a kipuka preserves established growth amid change, this server provides stable certificate enrollment amid evolving security requirements.

Built for Private Infrastructure

All six EST operations, CMP, multi-CA failover, HSM key protection, and NIAP-compliant audit logging.

RFC 7030 EST

All six EST operations: cacerts (PKCS#7), simpleenroll, simplereenroll, fullcmc (RFC 5272), serverkeygen, and csrattrs. STAR auto-renewal (RFC 8739) with integrated renewal loop.

CMP Protocol

Certificate Management Protocol (RFC 4210) with MAC-based and signature-based protection verification. Initialization, certification, and revocation request handling.

Multi-CA & HA

Active-passive, round-robin, weighted, and latency-based failover strategies with circuit breaker health tracking and automatic recovery.

HSM / PKCS#11

CA private keys loaded from HSMs via PKCS#11. Entrust nShield, Utimaco, Thales Luna, and Kryoptic for dev/test.

Post-Quantum Ready

ML-DSA signing (FIPS 204) and ML-KEM key encapsulation (FIPS 203) in enrollment and server keygen. Composite hybrid algorithms for migration. Requires OpenSSL 3.5+.

Dogtag PKI

REST API client for Red Hat Certificate System. Enrollment via profiles, CMC passthrough, and KRA server-side key generation.

Multi-Database

SQLite for single-node, PostgreSQL or MariaDB for scale. One config line to switch. Automatic migrations.

Authentication

OTP with timing-safe validation, mTLS with OCSP revocation checking and stapling, GSSAPI/Kerberos with libgssapi cryptographic verification (compile-time feature flag), and CMS SignedData RA authentication.


Up and Running in Minutes

Configure, start, and enroll your first certificate.

terminal
$ kipuka /etc/kipuka/kipuka.toml INFO kipuka: loading config from '/etc/kipuka/kipuka.toml' INFO kipuka: opening database 'sqlite:///var/lib/kipuka/kipuka.db' INFO kipuka::ca: loaded CA 'rsa-ca' (RSA 3072-bit, expires 2035-06-24) INFO kipuka::tls: TLS 1.2+ with client auth (optional) INFO kipuka: EST server listening on 0.0.0.0:9443
Read the full quickstart guide →

11

RFCs and standards implemented

EST enrollment, CMP certificate management, Full CMC, STAR renewal, OCSP revocation checking, post-quantum ML-DSA/ML-KEM, and NIAP compliance.

Planned: RFC 7252 CoAP · Composite ML-DSA hybrids

View RFC Compliance →

Quick Start

Container

# No login required podman pull registry.kipuka.dev/kipuka:latest podman run --rm \ -v ./kipuka.toml:/etc/kipuka/kipuka.toml:ro \ -v ./certs:/etc/kipuka/certs:ro \ -p 9443:9443 \ registry.kipuka.dev/kipuka:latest

Build from source

git clone https://codeberg.org/czinda/kipuka cd kipuka cargo build --release cp kipuka.toml.example kipuka.toml cargo run --release -- --config kipuka.toml

Architecture

A Cargo workspace with six internal crates and zero external CA dependencies.

Clients | TLS + mTLS/OTP | +-------+-------+ | kipuka-est | axum routes, EST protocol +---+---+---+---+ | | | +---------+ | +---------+ | | | kipuka-otp kipuka-hsm kipuka-util OTP lifecycle PKCS#11 shared types HSM ops & config | | | kipuka-dogtag | Dogtag PKI | REST client | +----+----+ kipuka-coap | sqlx | CoAP transport | sqlite | (RFC 7252) | postgres| | mariadb | +---------+