Welcome to the Handshake PKI Server
A simple, secure Public Key Infrastructure (PKI) for your devices
This service provides a simple, secure Public Key Infrastructure (PKI) for your devices. Each registered "device" gets its own private Certificate Authority (CA), which can then issue short-lived TLS certificates to clients and peers.
How It Works
The workflow puts you in control: a certificate is issued to a client only after you have approved its request.
1. Log In & Create a Device
First, log in with your credentials, then create a "device" in the web interface. This automatically generates a unique, private Certificate Authority (CA) for that device. The CA's private key is stored on the server and is used only to sign requests you approve; because every device has its own CA, a certificate issued under one device's CA is not trusted by peers that trust only another device's CA.
2. Client Connects
A client that needs a TLS certificate (such as a new server or IoT device) opens a secure WebSocket connection to this service and sends a Certificate Signing Request (CSR) together with the unique ID of the device whose CA it wants a certificate from. The client generates its own key pair; the CSR carries only the public key and the requested names, so the client's private key never leaves the client.
3. Approve the Request
The request appears in your web interface as "pending," and the client's connection is held open while it waits for your decision. Your approval is the gate, so before you approve, check that the subject and SANs in the CSR are the ones you expect for that client, and that you were in fact expecting a request against that device.
4. Certificate Issued
When you click "Approve," the server uses the device's private CA to sign the client's CSR. The newly signed certificate is sent directly back to the waiting client through the open WebSocket connection. If you click "Deny," a rejection notice is sent instead.
This process ensures that no certificate is ever issued without your explicit approval, and because each device has its own CA, an issued certificate is only accepted by peers that trust that device's CA.
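The four steps above, as an added example in Go. This is not the Handshake server's own code; the page does not describe the server's implementation language, its storage, or its WebSocket message format. NewDeviceCA is step 1, NewClientCSR is the client's half of step 2, and Issue is steps 3 and 4, with the operator's Approve/Deny click represented by the approve callback. The DeviceCA type, the ErrDenied rejection notice, DER-encoded CSR and certificate bytes in place of the WebSocket framing, random 128-bit serials and P-256 keys are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// DeviceCA is the per-device private CA of step 1; its key never leaves the server.
// The type is hypothetical: the page does not describe the server's storage or
// its WebSocket message format, so CSRs and certificates are passed here as DER.
type DeviceCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// ErrDenied is the rejection notice of step 4 (name assumed for this example).
var ErrDenied = errors.New("certificate request denied by operator")

// newTemplate sets the fields the server, never the requester, decides:
// a random 128-bit serial and the validity window.
func newTemplate(subject pkix.Name, ttl time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	return &x509.Certificate{SerialNumber: serial, Subject: subject,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl)}, nil
}

// NewDeviceCA builds a self-signed CA with pathlen:0, so it can sign leaves only.
func NewDeviceCA(deviceName string) (*DeviceCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl, err := newTemplate(pkix.Name{CommonName: deviceName + " CA"}, 365*24*time.Hour)
	if err != nil {
		return nil, err
	}
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.MaxPathLenZero = true, true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &DeviceCA{Cert: cert, Key: key}, nil
}

// NewClientCSR is the client side of step 2: the key is generated locally and only
// the CSR (public key plus requested names) is sent along with the device ID.
func NewClientCSR(commonName string, dnsNames []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}, DNSNames: dnsNames}, key)
	return csrDER, key, err
}

// Issue is the server side of steps 3 and 4. approve stands in for the operator's
// Approve/Deny click and receives the parsed CSR so subject and SANs can be checked.
func (ca *DeviceCA) Issue(csrDER []byte, approve func(*x509.CertificateRequest) bool, ttl time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	// Proof of possession: a CSR not signed by its own key never reaches "pending".
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if !approve(csr) {
		return nil, ErrDenied
	}
	// Only subject and DNS SANs are copied from the CSR; lifetime, key usage and the
	// CA bit are fixed by the server, so a client cannot ask for more than a leaf.
	tmpl, err := newTemplate(csr.Subject, ttl)
	if err != nil {
		return nil, err
	}
	tmpl.DNSNames = csr.DNSNames
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}
```

Two details are worth copying into any implementation of this flow: csr.CheckSignature() drops a CSR that was not signed by the key it carries before it is ever shown as pending, and only the subject and DNS names are taken from the CSR while the lifetime, key usage and CA bit are decided by the server. A peer that receives one of these certificates should verify it with that device's CA as its only trust root (in Go, x509.VerifyOptions with a Roots pool holding just the device CA), not against the system store.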