Authorities

The Authorities page lets you create and manage certificate authorities (CAs) for your Private SSL infrastructure. Each CA can sign certificates and maintain its own certificate revocation list (CRL).

Authorities list

Navigate to Operation → Private SSL → Authorities to view all certificate authorities.

The list shows:

  • Name: CA name with status badge (Active, Initializing, Error, Inactive)
  • Organization: Organization name
  • Domain: Root certificate domain
  • Server: Server running the CA plugin
  • Root valid for: Root certificate validity period
  • Child valid for: Default and maximum validity for signed certificates (e.g., “365 days (default) / 730 days (max)”)
  • Signed at / Expires at: Certificate timestamps
  • Owner: CA owner
  • Connected: Whether the CA server is currently connected

Creating a certificate authority

  1. Click New certificate authority
  2. Configure the CA settings:
| Field | Description |
|---|---|
| Name | Common name for the CA (e.g., “My Company Root CA”) |
| Organization | Your organization name |
| Domain | Domain name for the root certificate |
| Root valid days | Root certificate validity (default: 3650 days / 10 years) |
| Default valid days | Default validity for child certificates (default: 365 days) |
| Maximum valid days | Maximum allowed validity for child certificates (default: 730 days) |
| Key algorithm | RSA or ECDSA |
| Key size | 2048 or 4096 bits (RSA) / 256 or 384 bits (ECDSA) |
| Server | Server to run the CA plugin |
| Owner | CA owner (administrator) |
| Automatic installation | Automatically install the CA plugin on the selected server |

  3. Click Create

The CA will be initialized on the selected server. This may take a few moments.

Authority detail page

Click on a CA name to view its details:

Information displayed:

  • Organization, Domain, Server
  • Connectivity status
  • Owner and Status
  • Validity information (root and child certificates)
  • Key algorithm details
  • Error message (if the CA encountered an error)

Available actions:

  • Download .crt: Download the root certificate
  • Download .crl: Download the certificate revocation list
  • Restart plugin: Restart the CA plugin on the server
  • Upgrade plugin: Upgrade the CA plugin to the latest version
  • Edit: Modify CA settings
  • Delete: Remove the CA and all associated certificates

Tabs:

  • Certificates: View all certificates signed by this CA
  • Expiring soon: View certificates that will expire soon

Downloading certificates and CRLs

Root certificate (.crt)

Clients need the root certificate to verify certificates issued by your CA.

From the web interface:

  1. Go to Authorities → select a CA
  2. Click Download .crt

From the CLI:

alpacon authority download-crt AUTHORITY_ID -o ca-cert.pem

Certificate revocation list (.crl)

The CRL contains revoked certificates. Distribute this to clients for revocation checking.

From the web interface:

  1. Go to Authorities → select a CA
  2. Click Download .crl

From the CLI:

alpacon authority download-crl AUTHORITY_ID -o crl.pem
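
A client-side check that uses both downloaded files, added here as an example (it is not part of the Alpacon documentation or tooling). The helper names `check_cert` and `make_demo_pki` are hypothetical, and a throwaway CA constructed with openssl stands in for the downloaded ca-cert.pem and crl.pem so the script runs offline.

```sh
# Added example: verify a certificate against the CA root and its CRL.
# ca-cert.pem / crl.pem normally come from download-crt / download-crl.
# check_cert CA CRL CERT -> 0 trusted and not revoked, 1 rejected, 2 CRL not signed by CA
check_cert() {
    # A CRL the CA did not sign carries no authority: refuse to use it.
    openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK' || return 2
    # -crl_check fails on a revoked serial and also on an expired (stale) CRL.
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1 || return 1
}
# make_demo_pki DIR: CONSTRUCTED throwaway CA with one good and one revoked certificate
make_demo_pki() {
    d=$1; : > "$d/index.txt"; echo 01 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
certificate = $d/ca-cert.pem
private_key = $d/ca.key
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca-cert.pem" 2>/dev/null
    for n in good revoked; do
        openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=$n.example" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/$n.csr" -out "$d/$n.pem" 2>/dev/null
    done
    openssl ca -config "$d/ca.cnf" -revoke "$d/revoked.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo"
for c in good revoked; do
    rc=0; check_cert "$demo/ca-cert.pem" "$demo/crl.pem" "$demo/$c.pem" || rc=$?; echo "$c.pem -> $rc"
done
```

Because a CRL past its next-update time makes the check fail, clients that verify this way need a freshly downloaded crl.pem on a schedule shorter than the CRL's validity.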

CA statuses

| Status | Description |
|---|---|
| Active | CA is running and can sign certificates |
| Initializing | CA is being set up on the server |
| Error | CA encountered an error (check plugin logs) |
| Inactive | CA is stopped or disabled |

Managing authorities

Editing a CA

  1. Go to the CA detail page
  2. Click Edit
  3. Modify settings and save

Deleting a CA

  1. Go to the CA detail page
  2. Click Delete
  3. Confirm deletion

Deleting a CA invalidates all certificates it has issued. Ensure no services depend on these certificates before deleting.

CLI commands

| Command | Description |
|---|---|
| alpacon authority ls | List all certificate authorities |
| alpacon authority describe AUTHORITY_ID | View CA details |
| alpacon authority create | Create a new CA |
| alpacon authority update AUTHORITY_ID | Update CA settings |
| alpacon authority delete AUTHORITY_ID | Delete a CA |
| alpacon authority download-crt AUTHORITY_ID | Download root certificate |
| alpacon authority download-crl AUTHORITY_ID | Download CRL |