Issuing Certificates
Certman supports two modes for issuing certificates:
Managed Certificates
Certman generates the key pair and certificate for you. Provide:
- Common Name — Primary domain or identifier
- SANs — Additional DNS names or IP addresses the certificate covers
- Algorithm — RSA-2048, RSA-4096, ECDSA-P256, or ECDSA-P384
- Validity — Certificate lifetime in days (up to 825 days)
Bring Your Own Key (CSR)
Generate your private key locally and submit a Certificate Signing Request (CSR). Your private key never leaves your machine. Certman auto-detects the algorithm from the CSR.
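One way to prepare the key and CSR locally with OpenSSL, shown as an added example that is not part of Certman's own tooling. The file names, host name and IP address are constructed sample values, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: build an ECDSA-P256 key and a CSR with SANs on the local
# machine, then confirm the CSR really belongs to that key before submitting.
# Only server.csr is uploaded; server.key stays on this host.

# make_csr DIR COMMON_NAME SAN_LIST
#   SAN_LIST uses OpenSSL syntax, e.g. "DNS:a.example,IP:10.0.0.15"
make_csr() (
  dir=$1 cn=$2 sans=$3
  umask 077   # key file is created readable by its owner only
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$dir/server.key" 2>/dev/null &&
  openssl req -new -sha256 -key "$dir/server.key" \
    -subj "/CN=$cn" -addext "subjectAltName=$sans" \
    -out "$dir/server.csr"
)

# check_csr DIR
#   Succeeds only if the CSR self-signature verifies and the public key in
#   the CSR is the public half of the local private key.
check_csr() (
  dir=$1
  openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 || exit 1
  csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
)

# csr_summary DIR
#   Prints the fields worth reviewing before upload: subject, key algorithm
#   and the SAN entries the issued certificate will be asked to cover.
csr_summary() (
  openssl req -in "$1/server.csr" -noout -text |
    grep -E 'Subject:|ASN1 OID|DNS:|IP Address:'
)

# Typical use (constructed values):
#   make_csr . app.example.internal "DNS:app.example.internal,IP:10.0.0.15"
#   check_csr . && csr_summary .
```

Reviewing the summary before upload catches a missing SAN while the request can still be regenerated cheaply.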
Passphrase-Protected CAs
If the CA is protected with a passphrase, you'll need to enter it when issuing certificates. This ensures that only authorized users can issue certificates; access to the workspace alone is not enough. When using the API or MCP, include the caPassphrase parameter in your request.
Download Formats
Certificates can be downloaded in multiple formats:
- PEM — Base64-encoded, widely used on Linux/Unix systems and web servers
- PKCS#12 (.p12/.pfx) — Binary format bundling certificate and key, used on Windows and Java
- DER — Binary-encoded certificate, used on some embedded systems