LocalCA is a complete solution for managing a private Certificate Authority within a local network. The project provides a comprehensive RESTful API for generating, managing, and deploying SSL/TLS certificates for internal services and clients.
- β CA Management: Create and manage your own Certificate Authority
- β Server Certificates: Generate SSL/TLS certificates for web servers
- β Client Certificates: Create certificates for client authentication
- β Certificate Revocation: Revoke compromised certificates with CRL support
- β Certificate Renewal: Renew certificates before expiration
- β PKCS#12 Export: Export client certificates with private keys
- β Multi-Backend Storage: File, PostgreSQL, and S3/MinIO support
- β Caching Layer: Redis/KeyDB caching for improved performance
- β Audit Logging: Comprehensive audit trail for compliance
- β Backup Support: Automated backup and recovery capabilities
- β Data Encryption: Encrypted sensitive data storage
- β Complete REST API: Full HTTP API for all certificate operations
- β OpenAPI/Swagger: Comprehensive API documentation
- β JSON Responses: Standard JSON response format
- β HTTP Standards: Proper status codes and content negotiation
- β Client Libraries: Compatible with any HTTP client
- β ACME Support: Standard ACME protocol endpoints
- β JWT Authentication: Token-based API authentication
- β API Security: Rate limiting and security middleware
- β Password Protection: CA private key protection with secure storage
- β Input Validation: Comprehensive request validation
- β Security Headers: Comprehensive security headers and middleware
- β ACME Protocol: Automated certificate issuance (experimental)
- β Email Notifications: Certificate expiration alerts
- β JSON Logging: Structured logging for monitoring and alerting
- β Health Checks: Service health monitoring and status endpoints
- Docker & Docker Compose (recommended)
- Go 1.23+ (for local development)
- HTTP Client (curl, Postman, or any REST client)
- Clone the repository:
git clone https://github.com/Lazarev-Cloud/localca-go.git
cd localca-go- Start with Docker Compose:
# For production with enhanced storage
docker-compose up -d
# For development
docker-compose -f docker-compose.dev.yml up -d- Access the application:
- API Server: http://localhost:8080
- API Documentation: http://localhost:8080/api/docs
- Health Check: http://localhost:8080/api/health
- MinIO Console: http://localhost:9001 (admin/password123)
- Build the API server:
go build -o localca-go- Run the application:
./localca-go- Access the API:
- API Server: http://localhost:8080
- API Documentation: http://localhost:8080/api/docs
localca-go/
βββ pkg/ # Go backend packages
β βββ acme/ # ACME protocol implementation
β βββ cache/ # Redis/KeyDB caching layer
β βββ certificates/ # Certificate operations
β βββ config/ # Configuration management
β βββ database/ # PostgreSQL integration
β βββ email/ # Email notifications
β βββ handlers/ # HTTP handlers and routing
β βββ logging/ # Structured logging
β βββ s3storage/ # S3/MinIO object storage
β βββ security/ # Security utilities
β βββ storage/ # Storage backends and interfaces
βββ docs/ # Documentation
β βββ deployment/ # Deployment guides
β βββ development/ # Development documentation
β βββ security/ # Security documentation
βββ .cursor/ # Cursor AI rules and configuration
β βββ rules/ # Comprehensive project rules
βββ tools/ # Utility scripts and tools
βββ docker-compose.yml # Production Docker setup
βββ Dockerfile # API server container
βββ main.go # Application entry point
The application is configured through environment variables:
| Variable | Description | Default | Status |
|---|---|---|---|
| Core Configuration | |||
CA_NAME |
Certificate Authority name | "LocalCA" | β Working |
CA_KEY_PASSWORD |
CA private key password | required | β Working |
ORGANIZATION |
Organization name | "LocalCA Organization" | β Working |
COUNTRY |
Country code | "US" | β Working |
DATA_DIR |
Data storage directory | "./data" | β Working |
LISTEN_ADDR |
HTTP server address | ":8080" | β Working |
| Security Configuration | |||
TLS_ENABLED |
Enable HTTPS | "false" | β Working |
SESSION_SECRET |
Session encryption key | auto-generated | β Working |
| Enhanced Storage | |||
DATABASE_ENABLED |
Enable PostgreSQL storage | "false" | β Working |
DATABASE_URL |
PostgreSQL connection string | optional | β Working |
S3_ENABLED |
Enable S3/MinIO storage | "false" | β Working |
S3_ENDPOINT |
S3 endpoint URL | optional | β Working |
CACHE_ENABLED |
Enable Redis/KeyDB caching | "false" | β Working |
REDIS_URL |
Redis connection URL | optional | β Working |
| Notifications | |||
EMAIL_NOTIFY |
Enable email notifications | "false" | β Working |
SMTP_HOST |
SMTP server hostname | optional | β Working |
SMTP_PORT |
SMTP server port | "587" | β Working |
| Logging | |||
LOG_FORMAT |
Logging format (json/text) | "text" | β Working |
LOG_LEVEL |
Logging level | "info" | β Working |
| Frontend | |||
NEXT_PUBLIC_API_URL |
Frontend API URL | "http://localhost:8080" | β Working |
For Docker deployments, copy .env.example to .env and modify as needed:
cp .env.example .env
# Edit .env with your preferred settingsExample .env configuration:
# Core Configuration
CA_NAME=MyLocalCA
CA_KEY_PASSWORD=secure-ca-password
ORGANIZATION=My Organization
COUNTRY=US
# Enhanced Storage
DATABASE_ENABLED=true
DATABASE_URL=postgres://localca:localca_password@postgres:5432/localca
S3_ENABLED=true
S3_ENDPOINT=http://minio:9000
S3_ACCESS_KEY=minioadmin
S3_SECRET_KEY=minioadmin
CACHE_ENABLED=true
REDIS_URL=redis://keydb:6379
# Email Notifications
EMAIL_NOTIFY=true
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USERNAME=your-email@gmail.com
SMTP_PASSWORD=your-app-password- CA Creation: Automatic CA certificate generation with secure key storage
- Server Certificates: SSL/TLS certificates for web servers with SAN support
- Client Certificates: Client authentication certificates with PKCS#12 export
- Certificate Revocation: CRL generation and certificate revocation
- Certificate Renewal: Automated and manual certificate renewal
- Certificate Validation: X.509 certificate chain validation
- Multi-Backend Storage: File, PostgreSQL, and S3/MinIO storage backends
- Caching Layer: Redis/KeyDB caching for improved performance
- Audit Logging: Comprehensive audit trail for compliance
- Backup & Recovery: Automated backup and disaster recovery
- Health Monitoring: Storage backend health checks and monitoring
- Complete REST API: Full HTTP API for all certificate operations
- OpenAPI Documentation: Comprehensive API documentation and examples
- JSON Responses: Standard JSON response format with proper HTTP codes
- Content Negotiation: Support for JSON and XML content types
- Client Libraries: Compatible with any HTTP client or library
- REST API: Complete RESTful API for all operations
- ACME Protocol: Standard ACME endpoints for automated certificate issuance
- Authentication: JWT-based API authentication
- Rate Limiting: Built-in rate limiting for security
- API Versioning: Versioned API endpoints for backward compatibility
- JWT Authentication: Token-based API authentication
- Security Headers: Comprehensive HTTP security headers
- Input Validation: Server-side input validation and sanitization
- TLS Configuration: Modern TLS 1.2/1.3 configuration
- Audit Logging: Complete audit trail for all operations
- Structured Logging: JSON and text logging formats
- Performance Metrics: System and application performance monitoring
- Health Checks: Service health and readiness endpoints
- Error Tracking: Comprehensive error logging and alerting
- Basic ACME Server: ACME protocol implementation for automated certificate issuance
- HTTP-01 Challenge: Web-based domain validation
- Account Management: ACME account creation and management
- Order Processing: Certificate order lifecycle management
Note: ACME implementation is experimental and may require additional testing with real ACME clients.
- SMTP Integration: Email notifications for certificate expiration
- Template System: HTML and text email templates
- Batch Processing: Efficient batch email processing
Note: Email system is functional but templates and scheduling may need enhancement.
- Multi-Backend Support: Added PostgreSQL and S3/MinIO storage backends
- Caching Integration: Implemented Redis/KeyDB caching layer
- Performance Optimization: Improved storage operation performance
- Backup Capabilities: Added automated backup and recovery features
- Enhanced Endpoints: Comprehensive API endpoints for all operations
- OpenAPI Documentation: Complete API documentation with examples
- Performance: Optimized API response times and data handling
- Error Handling: Standardized error responses and status codes
- JWT Authentication: Token-based API authentication system
- API Security: Enhanced API security and rate limiting
- Input Validation: Comprehensive input validation and sanitization
- Security Headers: Added comprehensive security headers
# API tests
go test ./...
# Integration tests
go test -tags=integration ./...
# Docker-based testing
docker-compose -f docker-compose.test.yml up --abort-on-container-exit# Test enhanced storage features
./tools/test-enhanced-storage.sh
# Comprehensive system validation
./tools/comprehensive-enhanced-test.sh# Basic functionality tests
./tools/test_application.sh
# ACME protocol tests
./tools/test-acme.sh# Check deployment status
./tools/deployment-status.sh
# Check service health
curl http://localhost:8080/api/health
curl http://localhost:3000/api/healthThe application provides comprehensive performance metrics:
- System Statistics: Real-time system metrics via
/api/statistics - Cache Performance: Cache hit rates and performance metrics
- Storage Metrics: Storage usage and performance monitoring
- Certificate Statistics: Certificate counts and status overview
Structured logging is available in multiple formats:
# View backend logs
docker-compose logs backend
# View frontend logs
docker-compose logs frontend
# View all service logs
docker-compose logs -f- Authentication: JWT-based API authentication
- API Security: Rate limiting and security middleware
- Security Headers: Comprehensive HTTP security headers
- Input Validation: Server-side input validation and sanitization
- Rate Limiting: Built-in rate limiting for API endpoints
- Audit Logging: Complete audit trail for all operations
- Change default passwords before production use
- Enable HTTPS for production deployments using
TLS_ENABLED=true - Use strong CA key passwords with
CA_KEY_PASSWORD - Regular certificate rotation and monitoring
- Monitor audit logs for security events
- Keep software updated with latest security patches
# Enable TLS for production
TLS_ENABLED=true
TLS_CERT_FILE=/path/to/cert.pem
TLS_KEY_FILE=/path/to/key.pem
# Configure JWT authentication
JWT_SECRET=your-secure-jwt-secret
JWT_EXPIRY=3600
# Enable audit logging
AUDIT_ENABLED=true
AUDIT_LOG_FILE=/var/log/localca/audit.log-
Project Overview: Complete project overview and architecture
-
Backend Architecture: Go backend implementation details
-
Enhanced Storage: Multi-backend storage and caching
-
API Integration: API endpoints and integration patterns
- Deployment Guide: Enhanced storage setup and deployment
- Development Guide: Caching and performance optimization
- Docker Setup: Docker deployment and configuration
- Security Guide: Security best practices and guidelines
- Security Review: Comprehensive security assessment
- Best Practices: Operational best practices
- Development Guide: Development standards and workflow
- Troubleshooting: Common issues and solutions
- Changelog: Version history and changes
- Fork the repository
- Create a feature branch:
git checkout -b feature/amazing-feature - Make your changes following the development guidelines
- Add tests if applicable
- Commit your changes:
git commit -m 'Add amazing feature' - Push to the branch:
git push origin feature/amazing-feature - Submit a pull request
- Follow the coding standards in Development Guide
- Write tests for new features
- Update documentation as needed
- Ensure all tests pass before submitting PR
This project is licensed under the MIT License - see the LICENSE file for details.
- Issues: GitHub Issues
- Documentation: docs/ and .cursor/rules/
- Security: See SECURITY.md for security policy
- Built with Go and Gin
- RESTful API with comprehensive documentation
- Enhanced storage with PostgreSQL and MinIO
- Caching with KeyDB
- Containerization with Docker
LocalCA - Self-hosted Certificate Authority for modern applications π
Secure, scalable, and easy to deploy certificate management solution.