Co-Pilot / Assisted
Updated 24 days ago

pki-manager-web

oriolrius
oriolrius/pki-manager-web
Agent score: 82

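💡 Summary

A web-based application for managing X.509 digital certificates and PKI infrastructure.

🎯 Target audience

IT security professionals, DevOps engineers, system administrators, software developers, small and medium-sized businesses

🤖 AI roast: Looks capable, but don't let the configuration scare people off.

Security analysis: Medium risk

Risk: Medium. Recommended checks: whether it executes shell/command-line instructions; whether it makes outbound network requests (SSRF/data exfiltration); the scope of file reads and writes and path traversal risk. Run with least privilege, and audit the code and dependencies before enabling in production.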

PKI Manager

A modern, web-based Public Key Infrastructure management application for securely generating, issuing, managing, and revoking X.509 digital certificates.


Overview

PKI Manager provides complete control over your Public Key Infrastructure without relying on external certificate authorities. It suits enterprises, home labs, and development environments that need full control over their security infrastructure.

Key Highlights

  • Self-Hosted PKI: Create and manage your own root Certificate Authorities
  • Multi-Type Certificates: Server (TLS/SSL), Client Auth, S/MIME Email, Code Signing
  • Secure Key Management: Integration with Cosmian KMS for secure key storage
  • Bulk Operations: CSV-based bulk certificate creation and batch operations
  • Modern UI: React 19 with light/dark theme support and responsive design
  • Type-Safe: End-to-end TypeScript with tRPC for API type safety

Screenshots

Dashboard

Monitor your PKI at a glance with real-time statistics and expiration tracking.

Certificate Authority Management

Create and manage self-signed root CAs with flexible configuration options.

Certificate Management

Issue, manage, and revoke certificates with comprehensive control.

Bulk Operations

Efficient batch certificate creation and management.

Features

Certificate Authority Management

  • ✅ Create self-signed root Certificate Authorities
  • ✅ Configurable subject fields (CN, O, OU, C, ST, L)
  • ✅ Key algorithm selection (RSA-2048, RSA-4096)
  • ✅ Flexible validity periods (1-30 years)
  • ✅ CA revocation with reason tracking
  • ✅ Export in multiple formats (PEM, CRT, DER, CER)

Certificate Issuance & Management

  • Server Certificates - HTTPS/TLS for web servers and APIs
  • Client Certificates - Client authentication and mTLS
  • Email (S/MIME) - Email encryption and signing
  • Code Signing - Software and code signing
  • ✅ Subject Alternative Names (DNS, IP Address, Email)
  • ✅ Advanced key algorithms (RSA-2048/4096, ECDSA-P256/P384)
  • ✅ Certificate renewal with same parameters
  • ✅ Revocation with standard reasons (keyCompromise, superseded, etc.)
  • ✅ Comprehensive certificate details view

Export & Download

  • ✅ Multiple formats: PEM, CRT, DER, CER
  • ✅ Certificate chains (PEM Chain)
  • ✅ PKCS#7 (P7B)
  • ✅ PKCS#12 with private key (PFX, P12) - password protected
  • ✅ Java KeyStore (JKS)
  • ✅ Batch download (all formats as ZIP)
  • ✅ Security warnings for private key exports

Bulk Operations

  • ✅ CSV-based bulk certificate creation
  • ✅ Flexible field mapping with optional parameters
  • ✅ SAN auto-detection (email, IP, DNS)
  • ✅ Batch download multiple certificates
  • ✅ Bulk renewal for expiring certificates
  • ✅ Batch revocation with reason
  • ✅ Multi-select deletion

Monitoring & Alerts

  • ✅ Real-time dashboard with PKI statistics
  • ✅ Expiration tracking with visual indicators
  • ✅ "Expiring Soon" widget (configurable threshold)
  • ✅ Color-coded status badges (active, revoked, expired)
  • ✅ Automatic status updates based on validity periods

Search & Filtering

  • ✅ Search by Common Name or SAN
  • ✅ Filter by issuing CA (with persistence)
  • ✅ Filter by status (active/revoked/expired)
  • ✅ Filter by certificate type
  • ✅ Sortable tables with instant results

Security

  • ✅ Cosmian KMS integration for secure key storage
  • ✅ Private keys never stored unencrypted locally
  • ✅ Password-protected private key exports
  • ✅ Audit logging for all operations
  • ✅ Revocation tracking with detailed reasons
  • ✅ Secure key pair generation (RSA, ECDSA)

User Experience

  • ✅ Modern, responsive UI with card-based layout
  • ✅ Light/Dark theme with system detection
  • ✅ Sample data generators for quick testing
  • ✅ Form validation with helpful error messages
  • ✅ Contextual action buttons
  • ✅ Real-time status updates

Architecture

This is a monorepo project with two main packages:

pki-manager/
├── backend/          # Node.js/Fastify API server
├── frontend/         # React 19 SPA
├── assets/           # Screenshots and images
└── tests/            # E2E screenshot tests

Technology Stack

Backend

  • Framework: Fastify 5.2 (high-performance HTTP server)
  • API Layer: tRPC v11 (end-to-end type safety)
  • Database: SQLite with better-sqlite3 (embedded, portable)
  • ORM: Drizzle ORM 0.36 (type-safe SQL)
  • Validation: Zod 3.24 (schema validation)
  • KMS: Cosmian KMS (secure key management)
  • Testing: Vitest 2.1
  • Runtime: Node.js 20+

Frontend

  • Framework: React 19.2
  • Routing: TanStack Router 1.133 (file-based, type-safe)
  • State Management: TanStack Query 5.90 (server state)
  • API Client: tRPC 11.0 (type-safe RPC)
  • Styling: Tailwind CSS 4.1 (utility-first)
  • UI Components: shadcn/ui (Radix UI primitives)
  • Icons: Lucide React, FontAwesome
  • Build Tool: Vite 7.1

Testing

  • E2E: Playwright 1.56 (screenshot automation)

Prerequisites

  • Node.js >= 20.0.0
  • pnpm >= 9.0.0
  • Cosmian KMS instance (for secure key storage)

Getting Started

1. Installation

# Install dependencies
pnpm install

2. Environment Configuration

# Copy backend environment template
cp backend/.env.example backend/.env

# Edit backend/.env with your configuration:
# - Database path
# - Cosmian KMS endpoint and authentication
# - Server port (default: 3000)

3. Database Setup

# Run migrations
cd backend
pnpm db:migrate

4. Start Development Servers

# Start both backend and frontend (from root)
pnpm dev

This will start:

  • Backend API at http://localhost:3000
  • Frontend at http://localhost:5173

5. Build for Production

# Build both packages
pnpm build

# Start production servers
cd backend && pnpm start      # Backend
cd frontend && pnpm preview   # Frontend preview

Available Scripts

Root (Workspace)

pnpm dev               # Start both backend and frontend in dev mode
pnpm build             # Build both packages for production
pnpm test              # Run tests in all packages
pnpm typecheck         # Type check all packages
pnpm lint              # Lint all packages
pnpm clean             # Clean all build artifacts and node_modules
pnpm test:screenshots  # Run Playwright screenshot tests

Backend

pnpm dev          # Start dev server with hot reload
pnpm build        # Build for production
pnpm start        # Start production server
pnpm test         # Run Vitest tests
pnpm db:generate  # Generate Drizzle migrations
pnpm db:migrate   # Run database migrations
pnpm db:studio    # Open Drizzle Studio (DB GUI)

Frontend

pnpm dev      # Start Vite dev server
pnpm build    # Build for production
pnpm preview  # Preview production build
pnpm lint     # Run ESLint

Project Structure

pki-manager/
├── backend/
│   ├── src/
│   │   ├── server.ts               # Fastify server entry point
│   │   ├── trpc/
│   │   │   ├── router.ts           # Main tRPC router
│   │   │   ├── schemas.ts          # Zod validation schemas
│   │   │   └── procedures/         # API endpoints by domain
│   │   │       ├── ca.ts           # CA management
│   │   │       ├── certificate.ts  # Certificate operations
│   │   │       ├── dashboard.ts    # Dashboard stats
│   │   │       └── crl.ts          # CRL management
│   │   ├── db/
│   │   │   ├── schema.ts           # Drizzle ORM schema
│   │   │   ├── index.ts            # Database
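
Five-dimension analysis

  • Clarity: 8/10
  • Innovation: 7/10
  • Practicality: 9/10
  • Completeness: 8/10
  • Maintainability: 9/10

Pros and cons

Pros

  • Self-hosted for full control
  • Supports multiple certificate types
  • Modern UI with responsive design
  • Type-safe API interaction

Cons

  • Requires setting up Cosmian KMS
  • May be complex for beginners
  • Limited community support
  • Depends on Node.js and pnpm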


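Disclaimer: This content comes from an open-source GitHub project and is provided for display and scoring analysis only.

Copyright belongs to the original author, oriolrius.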