kipuka

EST enrollment server

A standards-compliant certificate enrollment server for private networks. Built in Rust.

kipuka (Hawaiian) — an area of older land surrounded by younger lava flows, an island of stability. Just as a kipuka preserves established growth amid change, this server provides stable certificate enrollment amid evolving security requirements.

Built for Private Infrastructure

Core enrollment, multi-CA failover, HSM key protection, and NIAP audit logging. Active development.

RFC 7030 EST

Core EST operations: cacerts, simpleenroll, simplereenroll, and fullcmc. Server keygen and csrattrs are in progress. STAR auto-renewal (RFC 8739) state machine implemented.

Multi-CA & HA

Active-passive, round-robin, weighted, and latency-based failover strategies across multiple certificate authorities.
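The four failover strategies named above, worked through as a small backend selector. This is an added illustration and not kipuka's own code; the backend names, the consecutive-failure threshold used to eject a CA, and the strategy labels are assumptions made for the example.

```python
"""CA backend selection for the failover strategies listed on the page:
active-passive, round-robin, weighted and latency-based.

Added example, not kipuka's code. Names, thresholds and labels are assumptions.
"""
import random
from dataclasses import dataclass


@dataclass
class CaBackend:
    name: str
    weight: int = 1                     # used only by the "weighted" strategy
    healthy: bool = True
    latency_ms: float = float("inf")    # last measured round-trip; unknown until measured
    failures: int = 0                   # consecutive failures since the last success


class CaSelector:
    """Chooses which configured CA receives the next signing request."""

    STRATEGIES = ("active-passive", "round-robin", "weighted", "latency")

    def __init__(self, backends, strategy, fail_threshold=3, seed=None):
        if strategy not in self.STRATEGIES:
            raise ValueError(f"unknown strategy {strategy!r}")
        self.backends = list(backends)  # configured order doubles as priority order
        self.strategy = strategy
        self.fail_threshold = fail_threshold
        self._rr = 0                    # round-robin cursor
        self._rng = random.Random(seed)

    def pick(self):
        live = [b for b in self.backends if b.healthy]
        if not live:
            raise RuntimeError("no healthy CA backend available")
        if self.strategy == "active-passive":
            return live[0]              # highest-priority healthy CA
        if self.strategy == "round-robin":
            # Walk the configured order, skipping ejected backends.
            for _ in range(len(self.backends)):
                cand = self.backends[self._rr % len(self.backends)]
                self._rr += 1
                if cand.healthy:
                    return cand
        if self.strategy == "weighted":
            return self._rng.choices(live, weights=[b.weight for b in live])[0]
        # latency: lowest measured round-trip wins; unmeasured backends sort last
        return min(live, key=lambda b: b.latency_ms)

    def report(self, backend, ok, latency_ms=None):
        """Feed back each request outcome so health and latency track reality."""
        if ok:
            backend.failures = 0
            backend.healthy = True      # a success brings an ejected CA back
            if latency_ms is not None:
                backend.latency_ms = latency_ms
            return
        backend.failures += 1
        if backend.failures >= self.fail_threshold:
            backend.healthy = False     # ejected until a later request succeeds
```

The selector is deliberately decoupled from the transport: whatever issues the CA request calls `report()` with the result, so the same health state drives every strategy. A failed CA is only re-admitted on an observed success, which is what keeps active-passive from flapping back to a primary that is still down.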

HSM / PKCS#11

CA private keys loaded from HSMs via PKCS#11. Entrust nShield, Utimaco, Thales Luna, and Kryoptic for dev/test.

Dogtag PKI

REST API client for Red Hat Certificate System. Enrollment via profiles, CMC passthrough, and KRA key recovery.

Multi-Database

SQLite for single-node, PostgreSQL or MariaDB for scale. One config line to switch. Automatic migrations.

OTP & mTLS Auth

One-time passwords with timing-safe validation and rate limiting. mTLS client certificate authentication for re-enrollment. GSSAPI/Kerberos planned.
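What "timing-safe validation and rate limiting" means in practice, as an added example that is not kipuka's code: the OTP comparison runs in constant time via `hmac.compare_digest`, the limiter is checked before any secret-dependent work, and unknown subjects are compared against a dummy so that their rejection costs the same time. The subject naming, the attempt limits, the single-use policy and the expiry are assumptions made for the example.

```python
"""OTP validation with constant-time comparison and per-client rate limiting.

Added example, not kipuka's code. Limits, TTL and single-use policy are assumptions.
"""
import hmac
import secrets
import time


class OtpAuthenticator:
    def __init__(self, max_attempts=5, window_s=60.0, ttl_s=600.0, clock=time.monotonic):
        self._clock = clock             # injectable so tests can move time forward
        self._max_attempts = max_attempts
        self._window_s = window_s
        self._ttl_s = ttl_s
        self._otps = {}                 # subject -> (otp, expires_at)
        self._attempts = {}             # client_id -> [timestamps of recent attempts]

    def issue(self, subject):
        """Mint a fresh single-use OTP for an enrolling device."""
        otp = secrets.token_hex(16)     # 128 bits, always 32 hex chars (fixed length)
        self._otps[subject] = (otp, self._clock() + self._ttl_s)
        return otp

    def _rate_limited(self, client_id):
        """Sliding window: every attempt counts, successful or not."""
        now = self._clock()
        recent = [t for t in self._attempts.get(client_id, []) if now - t < self._window_s]
        self._attempts[client_id] = recent
        if len(recent) >= self._max_attempts:
            return True
        recent.append(now)
        return False

    def validate(self, subject, presented, client_id):
        # 1. Rate limit before touching anything that depends on the secret.
        if self._rate_limited(client_id):
            return False
        now = self._clock()
        record = self._otps.get(subject)
        # 2. Unknown subject: compare against a throwaway value of the same length,
        #    so "no such subject" is not distinguishable by response time.
        expected, expires_at = record if record else (secrets.token_hex(16), 0.0)
        # 3. Constant-time comparison. compare_digest still short-circuits on a
        #    length mismatch, which is why issued OTPs have a fixed length.
        matches = hmac.compare_digest(expected.encode(), presented.encode())
        fresh = now <= expires_at
        if matches and fresh:
            del self._otps[subject]     # 4. single use: burn it on success
            return True
        return False
```

The ordering inside `validate` is the point: the limiter decision depends only on the caller's identity, the comparison runs to completion regardless of where the strings differ, and expiry is checked after the comparison rather than before it, so an expired OTP does not return faster than a wrong one.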


Up and Running in Minutes

Configure, start, and enroll your first certificate.

$ kipuka /etc/kipuka/kipuka.toml
INFO kipuka: loading config from '/etc/kipuka/kipuka.toml'
INFO kipuka: opening database 'sqlite:///var/lib/kipuka/kipuka.db'
INFO kipuka::ca: loaded CA 'rsa-ca' (RSA 3072-bit, expires 2035-06-24)
INFO kipuka::tls: TLS 1.2+ with client auth (optional)
INFO kipuka: EST server listening on 0.0.0.0:9443
Read the full quickstart guide →

6 standards implemented — and counting

Core EST enrollment (RFC 7030), Full CMC (RFC 5272), STAR renewal, and NIAP CA Protection Profile compliance. More in progress.

Planned: RFC 7252 CoAP · FIPS 140-3 · ML-DSA (FIPS 204) · ML-KEM (FIPS 203)

View RFC Compliance →

Quick Start

Container

# No login required
podman pull registry.kipuka.dev/kipuka:latest
podman run --rm \
  -v ./kipuka.toml:/etc/kipuka/kipuka.toml:ro \
  -v ./certs:/etc/kipuka/certs:ro \
  -p 9443:9443 \
  registry.kipuka.dev/kipuka:latest

Build from source

git clone https://codeberg.org/czinda/kipuka
cd kipuka
cargo build --release
cp kipuka.toml.example kipuka.toml
cargo run --release -- --config kipuka.toml
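The enrollment step that the quick start ends with, and the cacerts/simpleenroll operations listed under RFC 7030 EST, shown from the client side as an added example that is not kipuka's code: build an OTP-authenticated `/.well-known/est/simpleenroll` request (PKCS#10 body, base64 transfer encoding, HTTP Basic credentials as RFC 7030 describes) and split the certs-only PKCS#7 reply that `/cacerts` and `/simpleenroll` return into individual DER certificates. The hostname, port, username and CA bundle path are assumptions; the sample cacerts body is constructed in the block from placeholder SEQUENCEs rather than real X.509 certificates.

```python
"""Client-side EST (RFC 7030) helpers: simpleenroll request construction and
extraction of certificates from a certs-only PKCS#7 SignedData response.

Added example, not kipuka's code. Host, credentials and paths are assumptions.
"""
import base64
import ssl
import urllib.request

EST_BASE = "https://kipuka.example.internal:9443/.well-known/est"  # assumed server
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1


def simpleenroll_request(csr_der, username, otp):
    """Return (url, headers, body) for an OTP-authenticated simpleenroll."""
    body = base64.encodebytes(csr_der)   # base64 with line breaks, as in RFC 7030 examples
    cred = base64.b64encode(f"{username}:{otp}".encode()).decode()
    headers = {
        "Content-Type": "application/pkcs10",
        "Content-Transfer-Encoding": "base64",
        "Authorization": f"Basic {cred}",
    }
    return f"{EST_BASE}/simpleenroll", headers, body


def der_tlv(tag, content):
    """Encode one DER tag-length-value element (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + ln + content


def der_read(buf, pos):
    """Return (tag, content, next_pos, whole_element) for the element at pos."""
    start = pos
    tag = buf[pos]
    pos += 1
    ln = buf[pos]
    pos += 1
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + ln
    return tag, buf[pos:end], end, buf[start:end]


def certs_from_pkcs7(p7_der):
    """Pull every Certificate out of a degenerate (certs-only) SignedData."""
    tag, ci, _, _ = der_read(p7_der, 0)            # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    tag, oid, pos, _ = der_read(ci, 0)              # contentType OID
    if tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData")
    _, sd_wrap, _, _ = der_read(ci, pos)            # [0] EXPLICIT SignedData
    _, sd, _, _ = der_read(sd_wrap, 0)              # SignedData SEQUENCE
    pos = 0
    for _ in range(3):                              # version, digestAlgorithms, encapContentInfo
        _, _, pos, _ = der_read(sd, pos)
    certs = []
    if pos < len(sd):
        tag, cert_set, _, _ = der_read(sd, pos)
        if tag == 0xA0:                             # [0] IMPLICIT CertificateSet
            p = 0
            while p < len(cert_set):
                t, _, p, whole = der_read(cert_set, p)
                if t == 0x30:                       # each X.509 Certificate is a SEQUENCE
                    certs.append(whole)
    return certs


def certs_from_est_body(body_b64):
    """Decode the base64 body of a /cacerts or /simpleenroll response."""
    return certs_from_pkcs7(base64.b64decode(body_b64))


def build_sample_cacerts_body(cert_ders):
    """CONSTRUCTED sample: wrap DER blobs the way an EST server wraps its chain."""
    signed = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x31, b"")
                     + der_tlv(0x30, der_tlv(0x06, OID_DATA))
                     + der_tlv(0xA0, b"".join(cert_ders)))
    p7 = der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, signed))
    return base64.encodebytes(p7).decode()


def send(url, headers, body, ca_bundle="/etc/kipuka/certs/est-ca.pem"):
    """POST to the EST server, trusting only the configured CA (path is assumed)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run with placeholder "certificates" (plain SEQUENCEs, not real X.509).
    fake = [der_tlv(0x30, der_tlv(0x04, b"root-ca")), der_tlv(0x30, der_tlv(0x04, b"issuing-ca"))]
    print(len(certs_from_est_body(build_sample_cacerts_body(fake))), "certificates in sample body")
```

Against a live server the flow is `send(*simpleenroll_request(csr_der, "node01", otp))` followed by `certs_from_est_body()` on the reply, with the TLS trust anchor for the EST endpoint obtained out of band (the bootstrap `/cacerts` response is only trustworthy after that anchor, or an explicit manual check of the returned chain, is in place).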

Architecture

A Cargo workspace with six internal crates and zero external CA dependencies.

Clients
  |  TLS + mTLS/OTP
  v
kipuka-est        axum routes, EST protocol
  |
  +-- kipuka-otp      OTP lifecycle
  +-- kipuka-hsm      PKCS#11 HSM ops
  +-- kipuka-util     shared types & config
  +-- kipuka-dogtag   Dogtag PKI REST client
  +-- kipuka-coap     CoAP transport (RFC 7252)
  |
  v
sqlx storage: sqlite | postgres | mariadb