Your own Certificate Authority on your own server.
AD-PKI is a complete, self-hosted PKI for automated certificate management. Full ACME compatibility, RFC 3161 timestamping, team access control — and zero cloud dependency.
Everything a modern PKI needs
Built for real infrastructure teams who need reliability, compliance, and control — without the cloud subscription.
ACME Protocol (RFC 8555)
Drop-in compatible with Certbot, acme.sh, and win-acme. Fully automated certificate issuance and renewal — no manual steps.
Automated Certificate Lifecycle
Issue, renew, and revoke certificates automatically. Schedule-based rotation with configurable lead time before expiry.
RFC 3161 Timestamping (TSA)
Built-in Timestamp Authority for trusted, verifiable timestamps on documents and artifacts. Fully RFC 3161 compliant.
Team-Based Access Control
Three-tier permission model: Admins, Managers, and Users. Granular control over who can issue, revoke, or configure.
Revocation & Validation
CRL distribution points and OCSP responder included out of the box. Real-time certificate status checks for all relying parties.
Flexible Security Policies
Configure key types (RSA/ECDSA), sizes, validity periods, wildcard rules, SAN requirements, and email constraints per CA.
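To make the policy layer concrete, here is an added Go example written for this page; it is not AD-PKI's code, and the CAPolicy field names, the sample DefaultPolicy values and the NewCSR helper are this example's own assumptions. It parses a real CSR with the Go standard library, confirms proof of possession via the CSR signature, and then reports every violation of the key-type, key-size, curve, validity, wildcard, SAN and email-domain rules the blurb above lists, so an operator sees the complete reason list for a refusal rather than one finding at a time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"slices"
	"strings"
	"time"
)

// CAPolicy holds the per-CA knobs the page lists; the field names are this example's own.
type CAPolicy struct {
	KeyTypes     []string // permitted: "rsa", "ecdsa"
	MinRSABits   int
	Curves       []string // permitted named curves, e.g. "P-256"
	MaxValidity  time.Duration
	Wildcards    bool     // may a dNSName SAN start with "*."?
	RequireSAN   bool     // reject CN-only requests
	EmailDomains []string // rfc822Name SANs must use one of these domains
}

var DefaultPolicy = CAPolicy{ // sample issuing-CA policy (assumed values, not AD-PKI's defaults)
	KeyTypes: []string{"rsa", "ecdsa"}, MinRSABits: 3072, Curves: []string{"P-256", "P-384"},
	MaxValidity: 90 * 24 * time.Hour, RequireSAN: true, EmailDomains: []string{"example.com"},
}

// CheckRequest returns every policy violation in a parsed CSR; an empty result means issuable.
func CheckRequest(p CAPolicy, csr *x509.CertificateRequest, validity time.Duration) []string {
	var v []string
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		v = append(v, "CSR signature invalid: "+err.Error())
	}
	switch pub := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		if !slices.Contains(p.KeyTypes, "rsa") {
			v = append(v, "rsa keys not permitted by this CA")
		} else if bits := pub.N.BitLen(); bits < p.MinRSABits {
			v = append(v, fmt.Sprintf("rsa key is %d bits, minimum is %d", bits, p.MinRSABits))
		}
	case *ecdsa.PublicKey:
		if !slices.Contains(p.KeyTypes, "ecdsa") {
			v = append(v, "ecdsa keys not permitted by this CA")
		} else if name := pub.Curve.Params().Name; !slices.Contains(p.Curves, name) {
			v = append(v, "curve "+name+" not permitted")
		}
	default:
		v = append(v, fmt.Sprintf("unsupported key type %T", pub))
	}
	if validity > p.MaxValidity {
		v = append(v, fmt.Sprintf("requested validity %s exceeds maximum %s", validity, p.MaxValidity))
	}
	if p.RequireSAN && len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses) == 0 {
		v = append(v, "at least one SAN is required; a bare CN is not accepted")
	}
	for _, name := range csr.DNSNames {
		if strings.HasPrefix(name, "*.") && !p.Wildcards {
			v = append(v, "wildcard SAN "+name+" not permitted")
		}
	}
	for _, addr := range csr.EmailAddresses {
		if _, domain, ok := strings.Cut(addr, "@"); !ok || !slices.Contains(p.EmailDomains, strings.ToLower(domain)) {
			v = append(v, "email SAN "+addr+" is outside the permitted domains")
		}
	}
	return v
}

// NewCSR generates a key ("ecdsa" = P-256, anything else = RSA of rsaBits) and returns a signed, re-parsed CSR; it only constructs sample requests.
func NewCSR(kind string, rsaBits int, cn string, dns, emails []string) (*x509.CertificateRequest, error) {
	var key any
	var err error
	if kind == "ecdsa" {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	} else {
		key, err = rsa.GenerateKey(rand.Reader, rsaBits)
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dns, EmailAddresses: emails}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	csr, err := NewCSR("rsa", 2048, "api.example.com", []string{"api.example.com", "*.example.com"}, []string{"ops@example.org"})
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckRequest(DefaultPolicy, csr, 365*24*time.Hour)) // prints the four violations
}
```

Collecting all violations instead of failing on the first is deliberate: a team can fix its CSR in one round trip, and the audit trail records the full reason for the refusal. The CheckSignature call is the part most often skipped; without it the CA would accept a request carrying a public key the requester never proved it controls.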
Self-Hosted & Open Source
Deploy on your own infrastructure. Full data sovereignty, no vendor lock-in, no telemetry. MIT licensed.
Multi-CA Hierarchy
Create Root CAs and Intermediate CAs with independent policies. Supports air-gapped offline root CA workflows.
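To show how the Revocation & Validation and Multi-CA Hierarchy features above meet on the relying-party side, here is an added Go example written for this page; it is not AD-PKI's code. It builds a constructed Root -> Intermediate -> Leaf chain with the Go standard library, has the intermediate publish a CRL, and then does what a consumer of a CRL distribution point should do: verify the chain up to the trusted root, check the CRL's signature and freshness, and only then look up the serial. The names, serials and lifetimes are made-up sample values, and the offline root is simulated by a self-signed certificate held in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fixture helper: sample-data construction panics instead of returning errors
	if err != nil {
		panic(err)
	}
	return v
}

// Hierarchy is a constructed Root -> Intermediate -> Leaf chain plus the intermediate's CRL.
type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
	CRL                      *x509.RevocationList
}

// sign issues tmpl under parent and re-parses it so CA certs carry the generated SubjectKeyId.
func sign(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

func caTemplate(serial int64, cn string, years int, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildHierarchy issues a leaf for api.example.com under a two-level CA; with revokeLeaf set, the intermediate's CRL lists it (all sample values).
func BuildHierarchy(revokeLeaf bool, leafValidity time.Duration) *Hierarchy {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA", 10, now)
	root := sign(rootTmpl, rootTmpl, rootKey, rootKey) // self-signed; stays offline in a real deployment
	interTmpl := caTemplate(2, "Example Issuing CA", 5, now)
	interTmpl.MaxPathLen, interTmpl.MaxPathLenZero = 0, true // the intermediate may sign leaves only
	inter := sign(interTmpl, root, interKey, rootKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "api.example.com"},
		DNSNames:     []string{"api.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(leafValidity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, leafKey, interKey)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificateEntries = []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, inter, interKey))
	return &Hierarchy{Root: root, Intermediate: inter, Leaf: leaf, CRL: must(x509.ParseRevocationList(crlDER))}
}

// VerifyLeaf is the relying-party check: chain the leaf through the untrusted intermediate to the trusted root and match the hostname.
func VerifyLeaf(h *Hierarchy, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Intermediate)
	_, err := h.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// IsRevoked consults the CRL only after its signature checks out and it is not past NextUpdate.
func IsRevoked(h *Hierarchy, now time.Time) (bool, error) {
	if err := h.CRL.CheckSignatureFrom(h.Intermediate); err != nil || now.After(h.CRL.NextUpdate) {
		return false, fmt.Errorf("crl not usable (signature error: %v, next update: %s); status is unknown, not good", err, h.CRL.NextUpdate)
	}
	for _, e := range h.CRL.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(h.Leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	h := BuildHierarchy(false, 90*24*time.Hour)
	fmt.Println("chain valid for api.example.com:", VerifyLeaf(h, "api.example.com") == nil)
	revoked, err := IsRevoked(h, time.Now())
	fmt.Println("revoked:", revoked, "err:", err)
}
```

Note that IsRevoked returns an error, not "not revoked", when the CRL is unsigned or stale: a relying party that treats an unverifiable status as good has silently disabled revocation, which is the soft-fail mistake an OCSP or CRL deployment exists to avoid. The path-length-zero constraint on the intermediate is the other detail worth copying; it stops a leaf issued under it from being misused as a further CA.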
How it all fits together
A clean, layered architecture where every component has a single responsibility.
Architecture diagram (panels: Clients, Core Services, Data & Infra, Request Flow).
Works with your existing tools
Point any ACME client at your AD-PKI directory URL. No code changes, no plugins — just swap the server URL.
# Issue a certificate via ACME (RFC 8555)
certbot certonly \
--server https://your-adpki.example.com/acme/directory \
--email admin@example.com \
--agree-tos \
--standalone \
-d api.example.com \
-d www.example.com
# Renew all certificates automatically
certbot renew --quiet

Up and running in minutes
From zero to issuing certificates — six steps, Docker required.
Clone the repository
Grab the source code from GitLab.
git clone https://gitlab.com/YOUR_NAMESPACE/ad-pki.git
cd ad-pki

Configure environment
Copy the example env file and fill in your settings.
cp .env.example .env
# Edit your config
nano .env
# Key settings:
# APP_URL=https://pki.example.com
# DB_CONNECTION=pgsql
# DB_DATABASE=adpki
# DB_USERNAME=adpki
# DB_PASSWORD=secret

Start with Docker Compose
Spin up all services with a single command.
docker compose up -d
# Services started:
# ✔ postgres (database)
# ✔ laravel (API + queue worker)
# ✔ go-ca (certificate authority)
# ✔ nginx (reverse proxy)

Initialize the database
Run migrations and create your admin user.
docker compose exec laravel php artisan migrate --seed
# Create your admin account
docker compose exec laravel php artisan pki:create-admin \
--email admin@example.com \
--password secret

Generate your Root CA
Open the dashboard and create your Certificate Authority hierarchy.
# Open in your browser
open https://pki.example.com
# Or via CLI
curl -X POST https://pki.example.com/api/ca/root \
-H "Authorization: Bearer <token>" \
-d '{"name":"My Root CA","key_type":"rsa","key_size":4096}'

Issue your first certificate
Use any ACME client or the API directly.
# Via Certbot (ACME)
certbot certonly \
--server https://pki.example.com/acme/directory \
-d api.example.com
# Certificate issued at:
# /etc/letsencrypt/live/api.example.com/fullchain.pem

Built on battle-tested technology
No experimental dependencies. Every component chosen for reliability, performance, and long-term maintainability.
CA Service · ACME · OCSP · TSA
REST API · Auth · Business Logic
Admin Dashboard · SPA · Islands
Primary Datastore · Full ACID
Container Orchestration · Deploy
Crypto Operations · Key Gen · CA