EST enrollment server
A standards-compliant certificate enrollment server for private networks. Built in Rust.
kipuka (Hawaiian) — an area of older land surrounded by younger lava flows, an island of stability. Like a kipuka preserves established growth amid change, this server provides stable certificate enrollment amid evolving security requirements.
All six EST operations, multi-CA failover, HSM key protection, OCSP, and NIAP-compliant audit logging.
All six EST operations defined in RFC 7030: cacerts (PKCS#7 certs-only bundle), simpleenroll, simplereenroll, fullcmc (RFC 5272 CMC), serverkeygen, and csrattrs. STAR auto-renewal (RFC 8739) with an integrated renewal loop.
Active-passive, round-robin, weighted, and latency-based failover strategies across multiple certificate authorities with circuit breaker health tracking.
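The failover behaviour described above, as an added example that is not kipuka's own code: a pool of CA backends, each with its own circuit breaker, selected either active-passive (first healthy CA in configuration order) or round-robin (skipping any CA whose breaker is open). Type names, the failure threshold and the cooldown are illustrative assumptions; std only.

```rust
// Added example, not kipuka's own code: a CA pool with a per-backend circuit
// breaker, showing two of the failover strategies named on the page
// (active-passive and round-robin). Type names, thresholds and the
// cooldown are illustrative assumptions.
use std::time::{Duration, Instant};

#[derive(Clone, Copy, Debug, PartialEq)]
enum Breaker {
    Closed,        // healthy: route normally
    Open(Instant), // tripped at this instant: skip until the cooldown elapses
    HalfOpen,      // cooldown elapsed: allow one probe request
}

#[derive(Clone, Copy)]
enum Strategy {
    ActivePassive,
    RoundRobin,
}

struct Backend {
    name: &'static str,
    failures: u32,
    breaker: Breaker,
}

struct CaPool {
    backends: Vec<Backend>,
    strategy: Strategy,
    failure_threshold: u32, // consecutive failures that trip the breaker
    cooldown: Duration,     // how long an Open breaker blocks a backend
    cursor: usize,          // next index for round-robin
}

impl CaPool {
    fn new(names: &[&'static str], strategy: Strategy, failure_threshold: u32, cooldown: Duration) -> Self {
        let backends = names
            .iter()
            .map(|&name| Backend { name, failures: 0, breaker: Breaker::Closed })
            .collect();
        CaPool { backends, strategy, failure_threshold, cooldown, cursor: 0 }
    }

    /// Whether `idx` may receive a request now. An Open breaker whose cooldown
    /// has passed moves to HalfOpen so a single probe can test recovery.
    fn available(&mut self, idx: usize, now: Instant) -> bool {
        let cooldown = self.cooldown;
        let b = &mut self.backends[idx];
        match b.breaker {
            Breaker::Closed | Breaker::HalfOpen => true,
            Breaker::Open(tripped) if now.duration_since(tripped) >= cooldown => {
                b.breaker = Breaker::HalfOpen;
                true
            }
            Breaker::Open(_) => false,
        }
    }

    /// Pick a backend index, or None when every breaker is open.
    fn select(&mut self, now: Instant) -> Option<usize> {
        let n = self.backends.len();
        let start = match self.strategy {
            Strategy::ActivePassive => 0, // always prefer the first healthy CA in config order
            Strategy::RoundRobin => self.cursor,
        };
        for k in 0..n {
            let i = (start + k) % n;
            if self.available(i, now) {
                if let Strategy::RoundRobin = self.strategy {
                    self.cursor = (i + 1) % n;
                }
                return Some(i);
            }
        }
        None
    }

    fn record_success(&mut self, idx: usize) {
        let b = &mut self.backends[idx];
        b.failures = 0;
        b.breaker = Breaker::Closed;
    }

    /// Count a failed enrollment. A failed half-open probe reopens at once;
    /// otherwise the breaker trips after `failure_threshold` consecutive failures.
    fn record_failure(&mut self, idx: usize, now: Instant) {
        let threshold = self.failure_threshold;
        let b = &mut self.backends[idx];
        b.failures += 1;
        if b.breaker == Breaker::HalfOpen || b.failures >= threshold {
            b.breaker = Breaker::Open(now);
        }
    }

    fn name(&self, idx: usize) -> &'static str {
        self.backends[idx].name
    }
}

fn main() {
    let t0 = Instant::now();
    let mut pool = CaPool::new(&["primary-ca", "standby-ca"], Strategy::ActivePassive, 2, Duration::from_secs(30));
    // Two consecutive failures trip primary-ca; traffic fails over to standby-ca.
    let i = pool.select(t0).unwrap();
    pool.record_failure(i, t0);
    pool.record_failure(i, t0);
    let j = pool.select(t0).unwrap();
    println!("after trip: {}", pool.name(j));
    // After the cooldown the primary gets one probe; success closes the breaker.
    let t1 = t0 + Duration::from_secs(30);
    let probe = pool.select(t1).unwrap();
    pool.record_success(probe);
    let k = pool.select(t1).unwrap();
    println!("after probe: {}", pool.name(k));
}
```

The half-open state is what keeps a recovered CA from being flooded the instant its cooldown expires: only one request is allowed through, and a failure on that probe reopens the breaker immediately rather than counting toward the threshold again. Weighted and latency-based selection fit the same `select` hook with a different choice of `start` or a scored ordering.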
CA private keys are loaded from HSMs via PKCS#11: Entrust nShield, Utimaco, and Thales Luna for production, and Kryoptic (a software PKCS#11 token) for dev/test.
REST API client for Red Hat Certificate System. Enrollment via profiles, CMC passthrough, and KRA server-side key generation.
SQLite for single-node, PostgreSQL or MariaDB for scale. One config line to switch. Automatic migrations.
Client authentication: OTP with timing-safe (constant-time) validation, mTLS with OCSP revocation checking, and Kerberos/GSSAPI principal extraction. Full OCSP client with responder signature verification and response caching.
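What timing-safe OTP validation means in practice, as an added example that is not kipuka's code: a store of single-use, expiring one-time passwords whose check compares every byte with a constant-time loop, burns the same comparison cost for an unknown identity, and runs the comparison before the state checks so that consumed or expired entries do not answer faster than live ones. The type names, the fixed OTP length, the sample identities and OTP values are constructed assumptions; std only.

```rust
// Added example, not kipuka's own code: single-use, expiring OTPs checked with
// a constant-time comparison. Names, the fixed OTP length and the TTLs are
// illustrative assumptions.
use std::collections::HashMap;
use std::hint::black_box;
use std::time::{Duration, Instant};

/// Constant-time equality. Every byte is visited and differences are folded
/// into `diff` with OR, so the time taken does not reveal where the first
/// mismatch is. `black_box` keeps the optimizer from reintroducing an early exit.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        // Length is not secret here: OTPs are issued at one fixed, policy-defined
        // length, so returning early on a length mismatch leaks nothing useful.
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= black_box(x ^ y);
    }
    black_box(diff) == 0
}

#[derive(Debug, PartialEq)]
enum OtpError {
    Mismatch, // wrong OTP, or unknown identity (deliberately indistinguishable)
    Expired,
    Consumed, // already used once: a replay attempt
}

struct OtpEntry {
    secret: Vec<u8>,
    expires: Instant,
    consumed: bool,
}

struct OtpStore {
    entries: HashMap<String, OtpEntry>,
    // Compared against when the identity is unknown, so an unknown identity
    // costs the same as a wrong OTP and cannot be enumerated by timing.
    dummy: Vec<u8>,
}

impl OtpStore {
    fn new(otp_len: usize) -> Self {
        OtpStore { entries: HashMap::new(), dummy: vec![0u8; otp_len] }
    }

    fn issue(&mut self, identity: &str, secret: &[u8], now: Instant, ttl: Duration) {
        self.entries.insert(
            identity.to_string(),
            OtpEntry { secret: secret.to_vec(), expires: now + ttl, consumed: false },
        );
    }

    /// Checks the presented OTP and, on success, consumes it.
    fn validate(&mut self, identity: &str, presented: &[u8], now: Instant) -> Result<(), OtpError> {
        let entry = match self.entries.get_mut(identity) {
            Some(e) => e,
            None => {
                let _ = ct_eq(&self.dummy, presented);
                return Err(OtpError::Mismatch);
            }
        };
        // Always run the comparison before the state checks, so a consumed or
        // expired entry does not answer faster than a live one.
        let matches = ct_eq(&entry.secret, presented);
        if entry.consumed {
            return Err(OtpError::Consumed);
        }
        if now >= entry.expires {
            return Err(OtpError::Expired);
        }
        if !matches {
            return Err(OtpError::Mismatch);
        }
        entry.consumed = true;
        Ok(())
    }
}

fn main() {
    let now = Instant::now();
    let mut store = OtpStore::new(8);
    // Constructed sample OTP for one enrolling device.
    store.issue("device-0042", b"7Gk2pQ9m", now, Duration::from_secs(600));
    println!("{:?}", store.validate("device-0042", b"7Gk2pQ9x", now)); // Err(Mismatch)
    println!("{:?}", store.validate("device-0042", b"7Gk2pQ9m", now)); // Ok(())
    println!("{:?}", store.validate("device-0042", b"7Gk2pQ9m", now)); // Err(Consumed)
}
```

The distinct `Consumed` and `Expired` results are for the audit trail, where a replayed OTP is worth recording differently from a typo; the wire response to the client can still collapse all three to a single authentication failure.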
Configure, start, and enroll your first certificate.
$ kipuka /etc/kipuka/kipuka.toml
INFO kipuka: loading config from '/etc/kipuka/kipuka.toml'
INFO kipuka: opening database 'sqlite:///var/lib/kipuka/kipuka.db'
INFO kipuka::ca: loaded CA 'rsa-ca' (RSA 3072-bit, expires 2035-06-24)
INFO kipuka::tls: TLS 1.2+ with client auth (optional)
INFO kipuka: EST server listening on 0.0.0.0:9443

IETF RFCs and standards implemented
All six EST operations (RFC 7030), Full CMC (RFC 5272), STAR renewal (RFC 8739), OCSP revocation checking (RFC 6960), and NIAP CA Protection Profile compliance.
Planned: RFC 7252 CoAP · ML-DSA (FIPS 204) · ML-KEM (FIPS 203)
Container
# No login required
podman pull registry.kipuka.dev/kipuka:latest
podman run --rm \
-v ./kipuka.toml:/etc/kipuka/kipuka.toml:ro \
-v ./certs:/etc/kipuka/certs:ro \
-p 9443:9443 \
registry.kipuka.dev/kipuka:latest
Build from source
git clone https://codeberg.org/czinda/kipuka
cd kipuka
cargo build --release
cp kipuka.toml.example kipuka.toml
cargo run --release -- --config kipuka.toml
A Cargo workspace with six internal crates and zero external CA dependencies.