kipuka

EST enrollment server

A standards-compliant, post-quantum ready certificate enrollment server for private networks. Built in Rust.

kipuka (Hawaiian) — an area of older land surrounded by younger lava flows, an island of stability. Like a kipuka preserves established growth amid change, this server provides stable certificate enrollment amid evolving security requirements.

Built for Private Infrastructure

EST, CMP, CMS-EST, STAR, multi-CA failover, HSM key protection, and NIAP-compliant audit logging.

RFC 7030 EST

All six EST operations: cacerts (PKCS#7), simpleenroll, simplereenroll, fullcmc (RFC 5272 via synta-cmc), serverkeygen with KRA key escrow, and csrattrs. STAR auto-renewal (RFC 8739) with integrated renewal loop.

CMP Protocol

Certificate Management Protocol (RFC 4210/9810) at /.well-known/cmp. MAC-based (HMAC-SHA256) and signature-based protection. IR, CR, KUR, and RR request handling.

CMS-EST & STAR

CMS-wrapped EST (RFC 8295) with SignedData/EnvelopedData for air-gapped deployments. STAR short-lived certificates (RFC 8739) for the CA/B Forum 47-day validity mandate.

Multi-CA & HA

Active-passive, round-robin, weighted, and latency-based failover strategies with circuit breaker health tracking and automatic recovery.

HSM / PKCS#11

CA private keys loaded from HSMs via PKCS#11 (cryptoki 0.12). Entrust nShield, Utimaco, Thales Luna, and Kryoptic for dev/test. PQC keygen support planned.

Post-Quantum Ready

ML-DSA signing (FIPS 204) and ML-KEM key encapsulation (FIPS 203). Composite hybrid algorithms (ML-DSA + RSA/ECDSA/Ed25519) for migration. CNSA Suite 2.0 timeline tracking. Requires OpenSSL 3.5+.

Dogtag CA & KRA

REST API client for Red Hat Certificate System. Profile-based enrollment, Full CMC passthrough (RFC 5272), KRA server-side key generation with archival, and TPS smart card integration.

Authentication

OTP with timing-safe validation, mTLS with OCSP checking (RFC 6960) and CRL fallback, GSSAPI/Kerberos with libgssapi cryptographic verification or structural parsing, and CMS SignedData RA auth.

CoAP / DTLS

EST-over-CoAP (RFC 9483) for IoT and constrained devices. DTLS 1.2/1.3 transport, block-wise transfer (RFC 7959) for PQC certificates, compressed URI paths, and session resumption.

Multi-Database

SQLite for single-node, PostgreSQL or MariaDB for scale. One config line to switch. Automatic migrations via sqlx.


Up and Running in Minutes

Configure, start, and enroll your first certificate.

$ kipuka /etc/kipuka/kipuka.toml
INFO kipuka: loading config from '/etc/kipuka/kipuka.toml'
INFO kipuka: opening database 'sqlite:///var/lib/kipuka/kipuka.db'
INFO kipuka::ca: loaded CA 'rsa-ca' (RSA 3072-bit, expires 2035-06-24)
INFO kipuka::tls: TLS 1.2+ with client auth (optional)
INFO kipuka: EST server listening on 0.0.0.0:9443
INFO kipuka::coap: CoAP/DTLS listener on 0.0.0.0:5684
Read the full quickstart guide →

19 RFCs and standards implemented

EST enrollment, CMP certificate management, CMS-EST, Full CMC, STAR renewal, EST-over-CoAP, OCSP revocation checking, post-quantum ML-DSA/ML-KEM with composite hybrids, and NIAP compliance.

View RFC Compliance →

Quick Start

Container

# No login required
podman pull registry.kipuka.dev/kipuka:latest
podman run --rm \
  -v ./kipuka.toml:/etc/kipuka/kipuka.toml:ro \
  -v ./certs:/etc/kipuka/certs:ro \
  -p 9443:9443 \
  registry.kipuka.dev/kipuka:latest

Build from source

git clone https://codeberg.org/czinda/kipuka
cd kipuka
cargo build --release
cp kipuka.toml.example kipuka.toml
cargo run --release -- --config kipuka.toml
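The quickstart shows starting the server but not the enrollment step. The following is an added example, not kipuka's own code, of the RFC 7030 simpleenroll exchange a client performs against the running server, using only the Python standard library. It assumes the server is on localhost:9443 with its TLS CA in certs/ca.pem, and that the OTP is presented as the password of HTTP Basic authentication; neither is stated on this page.

```python
"""EST simpleenroll client (RFC 7030) for a running kipuka server; stdlib only.

Assumptions not stated on the page: server on localhost:9443, TLS CA at
certs/ca.pem, OTP presented as the HTTP Basic password (RFC 7030 section 3.2.3)."""
import base64
import http.client
import ssl

EST_BASE = "/.well-known/est"


def build_enroll_request(csr_der, username, otp):
    """Headers and body for POST simpleenroll: base64 DER PKCS#10 (RFC 7030 s4.2.1)."""
    token = base64.b64encode(f"{username}:{otp}".encode()).decode()
    headers = {
        "Content-Type": "application/pkcs10",
        "Content-Transfer-Encoding": "base64",
        "Authorization": f"Basic {token}",
    }
    return headers, base64.encodebytes(csr_der)


def parse_certs_only(content_type, body):
    """Return DER PKCS#7 certs-only SignedData from an EST response, or reject it."""
    params = {p.strip().lower() for p in content_type.split(";")}
    if "application/pkcs7-mime" not in params or "smime-type=certs-only" not in params:
        raise ValueError(f"unexpected EST response type: {content_type!r}")
    der = base64.b64decode(body)
    if not der.startswith(b"\x30"):  # outer ContentInfo must be a DER SEQUENCE
        raise ValueError("response body is not DER")
    return der


def simple_enroll(csr_der, username, otp, host="localhost", port=9443, ca_file="certs/ca.pem"):
    """Run the exchange; returns the DER PKCS#7 that carries the issued certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verify the server; no mTLS here
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    headers, body = build_enroll_request(csr_der, username, otp)
    conn.request("POST", f"{EST_BASE}/simpleenroll", body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    if resp.status == 202:  # RFC 7030 s4.2.3: CA deferred issuance; retry after the delay
        raise RuntimeError(f"enrollment pending, Retry-After={resp.getheader('Retry-After')}")
    if resp.status != 200:
        raise RuntimeError(f"enrollment failed: HTTP {resp.status} {data[:200]!r}")
    return parse_certs_only(resp.getheader("Content-Type", ""), data)
```

Generate the CSR with `openssl req -new -outform DER` and pass its bytes to simple_enroll; the returned PKCS#7 unpacks with `openssl pkcs7 -inform DER -print_certs`.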

Architecture

A Cargo workspace with six internal crates and zero external CA dependencies.

Clients reach the server either over TLS with mTLS or OTP authentication (kipuka-est) or over CoAP/DTLS (kipuka-coap). Both front ends sit on the shared lower-level crates:

kipuka-est      axum HTTP front end for EST over TLS (mTLS/OTP clients)
kipuka-coap     CoAP/DTLS front end (RFC 9483)
kipuka-otp      OTP lifecycle
kipuka-hsm      PKCS#11 HSM operations
kipuka-util     shared types and config
kipuka-dogtag   Dogtag PKI REST client

Persistence goes through sqlx, with sqlite, postgres, or mariadb as the backend.