kipuka

EST enrollment server

A standards-compliant certificate enrollment server for private networks. Built in Rust.

kipuka (Hawaiian) — an area of older land surrounded by younger lava flows, an island of stability. Just as a kipuka preserves established growth amid change, this server provides stable certificate enrollment amid evolving security requirements.

Built for Private Infrastructure

All six EST operations, multi-CA failover, HSM key protection, OCSP, and NIAP-compliant audit logging.

RFC 7030 EST

All six EST operations: cacerts (PKCS#7), simpleenroll, simplereenroll, fullcmc (RFC 5272), serverkeygen, and csrattrs. STAR auto-renewal (RFC 8739) with integrated renewal loop.

Multi-CA & HA

Active-passive, round-robin, weighted, and latency-based failover strategies across multiple certificate authorities with circuit breaker health tracking.
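To make the failover and circuit-breaker behaviour concrete, here is an added standalone Rust model (not kipuka's own code; the `CaPool` type, its thresholds and the CA names are assumptions) showing how active-passive and round-robin selection skip a CA whose breaker has opened after repeated failures and retry it once a cooldown elapses.

```rust
// Added illustration (not kipuka's code) of multi-CA failover with circuit-breaker health tracking; names and thresholds are assumed.
use std::time::{Duration, Instant};

#[derive(Clone, Copy, PartialEq)]
pub enum Strategy { ActivePassive, RoundRobin }
pub struct Backend {
    pub name: &'static str,
    failures: u32,              // consecutive failures since the last success
    opened_at: Option<Instant>, // Some(..) while the breaker is open and the CA is skipped
}
pub struct CaPool {
    backends: Vec<Backend>,
    strategy: Strategy,
    cursor: usize,      // next round-robin position
    threshold: u32,     // consecutive failures that trip the breaker
    cooldown: Duration, // how long an open breaker is honoured before a retry
}
impl CaPool {
    pub fn new(names: &[&'static str], strategy: Strategy, threshold: u32, cooldown: Duration) -> Self {
        let backends = names.iter().map(|n| Backend { name: *n, failures: 0, opened_at: None }).collect();
        CaPool { backends, strategy, cursor: 0, threshold, cooldown }
    }
    // A CA is usable while its breaker is closed, or once the cooldown has elapsed (half-open retry).
    fn healthy(&self, i: usize) -> bool {
        self.backends[i].opened_at.map_or(true, |t| t.elapsed() >= self.cooldown)
    }
    // Choose the CA for the next enrollment; None means every CA's breaker is open.
    // Active-passive always prefers the first healthy CA; round-robin continues from the cursor.
    pub fn select(&mut self) -> Option<usize> {
        let n = self.backends.len();
        let start = if self.strategy == Strategy::RoundRobin { self.cursor } else { 0 };
        for k in 0..n {
            let i = (start + k) % n;
            if self.healthy(i) {
                if self.strategy == Strategy::RoundRobin { self.cursor = (i + 1) % n; }
                return Some(i);
            }
        }
        None
    }
    // A successful enrollment closes the breaker and clears the failure streak.
    pub fn record_success(&mut self, i: usize) {
        self.backends[i].failures = 0;
        self.backends[i].opened_at = None;
    }
    // Each failure extends the streak; reaching the threshold opens (or re-opens) the breaker.
    pub fn record_failure(&mut self, i: usize) {
        self.backends[i].failures += 1;
        if self.backends[i].failures >= self.threshold {
            self.backends[i].opened_at = Some(Instant::now());
        }
    }
}
```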

HSM / PKCS#11

CA private keys loaded from HSMs via PKCS#11. Supports Entrust nShield, Utimaco and Thales Luna, plus Kryoptic for dev/test.

Dogtag PKI

REST API client for Red Hat Certificate System. Enrollment via profiles, CMC passthrough, and KRA server-side key generation.

Multi-Database

SQLite for single-node, PostgreSQL or MariaDB for scale. One config line to switch. Automatic migrations.

Authentication & OCSP

OTP with timing-safe validation, mTLS with OCSP revocation checking, and Kerberos/GSSAPI principal extraction. Full OCSP client with signature verification and caching.


Up and Running in Minutes

Configure, start, and enroll your first certificate.

terminal
$ kipuka /etc/kipuka/kipuka.toml
INFO kipuka: loading config from '/etc/kipuka/kipuka.toml'
INFO kipuka: opening database 'sqlite:///var/lib/kipuka/kipuka.db'
INFO kipuka::ca: loaded CA 'rsa-ca' (RSA 3072-bit, expires 2035-06-24)
INFO kipuka::tls: TLS 1.2+ with client auth (optional)
INFO kipuka: EST server listening on 0.0.0.0:9443

8 IETF RFCs and standards implemented

All six EST operations (RFC 7030), Full CMC (RFC 5272), STAR renewal (RFC 8739), OCSP revocation checking (RFC 6960), and NIAP CA Protection Profile compliance.

Planned: RFC 7252 CoAP · ML-DSA (FIPS 204) · ML-KEM (FIPS 203)


Quick Start

Container

# No login required
podman pull registry.kipuka.dev/kipuka:latest
podman run --rm \
  -v ./kipuka.toml:/etc/kipuka/kipuka.toml:ro \
  -v ./certs:/etc/kipuka/certs:ro \
  -p 9443:9443 \
  registry.kipuka.dev/kipuka:latest

Build from source

git clone https://codeberg.org/czinda/kipuka
cd kipuka
cargo build --release
cp kipuka.toml.example kipuka.toml
cargo run --release -- --config kipuka.toml

Architecture

A Cargo workspace with six internal crates and zero external CA dependencies.

Clients reach kipuka-est over TLS (mTLS or OTP); the workspace crates are:

kipuka-est: axum routes, EST protocol
kipuka-otp: OTP lifecycle
kipuka-hsm: PKCS#11 HSM ops
kipuka-util: shared types & config
kipuka-dogtag: Dogtag PKI REST client
kipuka-coap: CoAP transport (RFC 7252)

Storage goes through sqlx: sqlite, postgres, mariadb.