Introduction

Akāmu is a self-hosted certificate authority that speaks the ACME protocol defined in RFC 8555. It is written in Rust and is designed to be operated inside a private network or behind a reverse proxy, issuing X.509 certificates to ACME clients such as certbot, acme.sh, or any RFC 8555-compliant library. The project is organized as a Cargo workspace. In addition to the server binary, it ships standalone client libraries — see Client Libraries.

For a detailed breakdown of RFC and draft coverage — including which sections are implemented, which are intentionally omitted, and post-quantum support — see the RFC Support Reference.

What it does

  • Implements the full RFC 8555 ACME server protocol: directory, nonces, accounts, orders, authorizations, challenges, certificate issuance, and revocation.
  • Validates domain ownership using http-01, dns-01, tls-alpn-01, and dns-persist-01 challenge types (RFC 8555 §8, RFC 8737, and the Let’s Encrypt dns-persist-01 specification).
  • Issues end-entity certificates signed by a built-in Certificate Authority whose key and self-signed root are generated automatically on first run, or loaded from existing PEM files.
  • Maintains a SQLite database for all ACME objects (accounts, orders, authorizations, challenges, certificates, nonces).
  • Generates and serves CRLs (Certificate Revocation Lists).
  • Exposes OCSP responder URLs in issued certificates when configured.
  • Implements the ACME Renewal Information extension (RFC 9773) so ACME clients know when to renew.
  • Optionally appends issued certificates to a Merkle Tree Certificate transparency log using the synta-mtc library.
  • When external_account_required = true, performs full HMAC verification of the externalAccountBinding JWS (HS256/HS384/HS512), confirms the payload is the account key, and atomically consumes the EAB key on account creation. Keys are provisioned in the TOML config under [server.eab_keys].
  • Optionally terminates TLS directly using rustls, with an auto-generated certificate on first run. Supports mutual TLS (mTLS) client certificate authentication with configurable CA trust anchors, chain depth, RSA modulus enforcement, and post-quantum client certificate acceptance.
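The external account binding check described above follows RFC 8555 §7.3.4. The following is an added example, not Akāmu's own code or API, showing both sides of the exchange: how a client builds the `externalAccountBinding` JWS with a provisioned HMAC key, and the ordered checks a server performs before consuming that key (algorithm restricted to HS256/HS384/HS512, no nonce, `url` matching the outer newAccount request, known `kid`, constant-time MAC comparison, payload equal to the account key by RFC 7638 thumbprint, single use). The key id, HMAC key, account JWK and URL are constructed placeholders; how Akāmu stores keys from `[server.eab_keys]` is not assumed.

```python
import base64
import hashlib
import hmac
import json

# Added example (not Akāmu's own code): externalAccountBinding per RFC 8555 §7.3.4.
# Every key, kid, JWK coordinate and URL below is constructed for the example.

ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


# Constructed EAB keys keyed by kid; the raw HMAC key is handed to the client
# base64url-encoded, which is also how it is stored here.
EAB_KEYS = {"eab-kid-0001": b64url_encode(b"constructed-example-hmac-key-not-real")}

# Constructed account public key; x/y are placeholders, not a real P-256 point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "eHgteHgteHg", "y": "eXkteXkteXk"}
NEW_ACCOUNT_URL = "https://ca.example.internal/acme/new-account"  # placeholder


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required members, lexicographically ordered."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return b64url_encode(hashlib.sha256(canonical(members)).digest())


def build_eab(kid: str, key_b64: str, alg: str, account_jwk: dict, url: str) -> dict:
    """Client side: the JWS a client embeds as "externalAccountBinding" in newAccount."""
    protected = b64url_encode(canonical({"alg": alg, "kid": kid, "url": url}))
    payload = b64url_encode(canonical(account_jwk))
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(key_b64), signing_input, ALGS[alg]).digest()
    return {"protected": protected, "payload": payload, "signature": b64url_encode(mac)}


def verify_eab(eab: dict, outer_jwk: dict, outer_url: str, keys: dict) -> tuple:
    """Server side. Returns (ok, reason). `keys` is mutated: a kid is removed once used."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        payload_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed EAB JWS"
    alg = protected.get("alg")
    if alg not in ALGS:
        return False, "alg must be HS256/HS384/HS512"
    if "nonce" in protected:
        return False, "EAB protected header must not carry a nonce"
    if protected.get("url") != outer_url:
        return False, "EAB url does not match the outer newAccount request"
    kid = protected.get("kid")
    if kid not in keys:
        return False, "unknown or already-consumed kid"
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(keys[kid]), signing_input, ALGS[alg]).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad HMAC"
    try:
        same_key = jwk_thumbprint(payload_jwk) == jwk_thumbprint(outer_jwk)
    except (KeyError, TypeError):
        same_key = False
    if not same_key:
        return False, "EAB payload is not the account key"
    keys.pop(kid)  # single use: the binding cannot be replayed for a second account
    return True, "ok"


if __name__ == "__main__":
    live_keys = dict(EAB_KEYS)
    eab = build_eab("eab-kid-0001", EAB_KEYS["eab-kid-0001"], "HS256", ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(verify_eab(eab, ACCOUNT_JWK, NEW_ACCOUNT_URL, live_keys))  # (True, 'ok')
    print(verify_eab(eab, ACCOUNT_JWK, NEW_ACCOUNT_URL, live_keys))  # consumed, rejected
```

The MAC is checked before the payload is compared and the key is only removed after every check has passed, so a malformed or forged binding never burns an operator's provisioned key; in a real server the pop would be the atomic database update the text refers to.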

What it does not do

  • It does not serve the CRL or OCSP responses over HTTP itself; those endpoints must be provided separately if you enable crl_url or ocsp_url.
  • It does not support wildcard certificates via http-01 or tls-alpn-01 (only dns-01 and dns-persist-01 can authorize wildcard identifiers per RFC 8555 §7.1.3).
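To make the challenge-type and wildcard rules above concrete, here is an added example (not Akāmu's code) that computes what a validating server expects to observe for each RFC 8555 challenge (http-01 body, dns-01 TXT value, tls-alpn-01 extension contents per RFC 8737), derived from the token and the RFC 7638 thumbprint of the account key, and that refuses http-01 and tls-alpn-01 for wildcard identifiers as §7.1.3 requires. The token, account JWK and domain names are constructed; the dns-persist-01 record format is not reproduced here because this page does not describe it.

```python
import base64
import hashlib
import json

# Added example (not Akāmu's own code): key authorizations and the wildcard rule
# from RFC 8555 §7.1.3, §8.1, §8.3, §8.4 and RFC 8737. Inputs are constructed.

WILDCARD_CHALLENGES = ("dns-01", "dns-persist-01")
ALL_CHALLENGES = ("http-01", "dns-01", "tls-alpn-01", "dns-persist-01")

# Constructed account public key; x/y are placeholders, not a real P-256 point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "eHgteHgteHg", "y": "eXkteXkteXk"}
TOKEN = "constructed-token-7fA2c9Qz"  # would be server-generated, >=128 bits of entropy


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint over the required members only, lexicographically ordered."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def allowed_challenges(identifier: str) -> tuple:
    """Which challenge types may authorize a DNS identifier (RFC 8555 §7.1.3)."""
    if "*" not in identifier:
        return ALL_CHALLENGES
    labels = identifier.split(".")
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        raise ValueError("wildcard must be a single leading '*.' label")
    return WILDCARD_CHALLENGES


def expected_validation(identifier: str, challenge_type: str, token: str, account_jwk: dict) -> dict:
    """What the server looks for when it validates this challenge for this identifier."""
    if challenge_type not in allowed_challenges(identifier):
        raise ValueError(f"{challenge_type} cannot authorize {identifier}")
    key_auth = key_authorization(token, account_jwk)
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    # A wildcard is validated against its base domain (the "*." is stripped).
    base = identifier[2:] if identifier.startswith("*.") else identifier
    if challenge_type == "http-01":
        return {"url": f"http://{base}/.well-known/acme-challenge/{token}", "body": key_auth}
    if challenge_type == "dns-01":
        return {"name": f"_acme-challenge.{base}", "txt": b64url(digest)}
    if challenge_type == "tls-alpn-01":
        # RFC 8737 §3: acmeIdentifier extension value is an OCTET STRING of the digest.
        return {"sni": base, "acme_identifier_extension_der": b"\x04\x20" + digest}
    raise NotImplementedError("dns-persist-01 record format is not covered by this example")


if __name__ == "__main__":
    print(expected_validation("www.example.test", "http-01", TOKEN, ACCOUNT_JWK))
    print(expected_validation("*.example.test", "dns-01", TOKEN, ACCOUNT_JWK))
```

Because the TXT value is a hash of the key authorization, the same token yields the same record for `example.test` and `*.example.test`; this is why a server must keep the wildcard and non-wildcard identifiers as separate authorizations with separate tokens rather than reusing one validation for both.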

Technology stack

| Component | Library |
|---|---|
| Async runtime | tokio |
| HTTP framework | axum 0.8 |
| Database | rusqlite (system SQLite) + tokio-rusqlite |
| Schema migrations | rusqlite_migration |
| X.509 / PKCS#10 / CRL | synta-certificate |
| MTC transparency log | synta-mtc |
| DNS resolution | hickory-resolver |
| TLS server | axum-server + rustls |
| TLS client | rustls + tokio-rustls |
| HTTP client | hyper 1 |
| Configuration | TOML |
| JWK/JWS primitives | akamu-jose (workspace crate) |
| ACME client library | akamu-client (workspace crate) |
| CLI | akamu-cli (workspace crate) |

Standards implemented

Quick navigation

New to Akāmu? Start with the Quick Start guide. If you want to understand every configuration key, see the Configuration Reference. Developers should read the Architecture chapter first — it includes a full system architecture diagram covering all subsystems and their interactions.