
Devices

In CertForge, a device (also called a client) is any endpoint — server, VM, container, IoT device, or application — that holds a certificate issued by CertForge and uses it to authenticate with services.

Device identity

Each device is identified by a client certificate. The certificate’s Subject and Subject Alternative Names establish its identity. When a device connects to the mTLS API, CertForge verifies its client certificate against the configured client CA before processing any request.

Enrolling a device

Via dashboard

  1. Go to Devices → Enroll New
  2. Fill in:
    • Device name — a human-readable label (e.g. web-server-prod-01)
    • Domains — the SANs the certificate should carry
    • Trust Profile — the DTP that governs issuance
    • Environment — production, staging, development
    • Justification — required if the DTP requires approval
  3. Submit — the request enters the approval queue or is issued immediately depending on DTP policy

Via mTLS API (automated)

Devices that already hold a valid client certificate can self-enroll via the API:
curl -X POST https://certforge.example.com/v1/enroll \
  --cert /etc/ssl/device.crt \
  --key /etc/ssl/device.key \
  -H "Content-Type: application/json" \
  -d '{
    "common_name": "web-server-prod-01",
    "domains": ["web.internal.corp.com"],
    "environment": "production",
    "justification": "Initial certificate for new web server"
  }'
The first enrollment (bootstrapping) requires either a pre-issued client certificate or a one-time enrollment token generated by an admin.

Device certificate lifecycle

Enroll → [Approval] → Certificate issued → Certificate in use
                                                    │
                                         ┌──────────┴──────────┐
                                         │                     │
                                  Renewal (auto)          Revocation
                                         │                     │
                                  New cert issued         CRL updated

Automatic renewal

The renewal scheduler checks certificates daily. When a certificate is within the renewal window (default: 30 days before expiry), a renewal request is submitted automatically. If the DTP requires approval, an approver must act before the certificate is re-issued. Configure the renewal window in Admin → Settings.

Manual renewal

In the dashboard, go to Devices, find the device, and click Renew. This submits a new enrollment request identical to the original.

Revocation

Revoking a device certificate immediately adds it to the CA’s Certificate Revocation List (CRL). Services that check the CRL will reject the certificate. To revoke: Devices → [device] → Revoke and provide a revocation reason. Revocation reasons (per RFC 5280):
  • key_compromise — private key may be exposed
  • ca_compromise — issuing CA is compromised
  • affiliation_changed — device no longer belongs to this org
  • superseded — replaced by a new certificate
  • cessation_of_operation — device decommissioned

ACME client devices

Devices running a standard ACME client (certbot, acme.sh, Caddy, Traefik) can point their ACME directory URL at CertForge’s built-in ACME server:
ACME directory: https://certforge.example.com/acme/directory
CertForge intercepts the ACME order, applies DTP policy, routes through the approval queue if required, and fulfills the order from the configured CA. The ACME client receives a standard certificate — no changes required in the client.

Device list

Devices → All Devices shows:
Column          Description
Name            Device label
Domains         Certificate SANs
Trust Profile   DTP
Environment     prod / staging / dev
Issued          Issue date
Expires         Expiry date
Days left       Days until expiry
Status          Active / Expiring soon / Expired / Revoked
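The following Go snippet is an added example, not CertForge code, of the date arithmetic behind the Automatic renewal section and the Days left and Status columns above. It takes the documented default of a 30-day renewal window and computes, for a small constructed inventory, which devices a daily scheduler pass would submit renewal requests for and which status label each would show. Two details are assumptions of this example rather than documented behaviour: "Expiring soon" is taken to mean "inside the renewal window", and an expired but unrevoked certificate is still treated as due for renewal. The type and function names are the example's own.

```go
package main

import (
	"math"
	"time"
)

// Status values as they appear in the Devices list.
const (
	StatusActive       = "Active"
	StatusExpiringSoon = "Expiring soon"
	StatusExpired      = "Expired"
	StatusRevoked      = "Revoked"
)

// DefaultRenewalWindow is the documented default: 30 days before expiry.
const DefaultRenewalWindow = 30 * 24 * time.Hour

// DeviceCert is the subset of device state the scheduler needs
// (constructed for this example, not CertForge's data model).
type DeviceCert struct {
	Name     string
	NotAfter time.Time
	Revoked  bool
}

// daysLeft is the number of days until expiry, rounded up to whole days so
// a certificate with 10 days and 6 hours left shows 11; it goes negative once
// the certificate has expired.
func daysLeft(notAfter, now time.Time) int {
	return int(math.Ceil(notAfter.Sub(now).Hours() / 24))
}

// inWindow reports whether now is at or past the start of the renewal window.
func inWindow(c DeviceCert, now time.Time, window time.Duration) bool {
	return !now.Add(window).Before(c.NotAfter)
}

// status mirrors the Status column. Revocation wins over any time-based
// state; "Expiring soon" is assumed to mean inside the renewal window.
func status(c DeviceCert, now time.Time, window time.Duration) string {
	switch {
	case c.Revoked:
		return StatusRevoked
	case !now.Before(c.NotAfter):
		return StatusExpired
	case inWindow(c, now, window):
		return StatusExpiringSoon
	default:
		return StatusActive
	}
}

// needsRenewal reports whether the scheduler should submit a renewal request:
// inside the window (or already expired) and not revoked. A revoked device is
// deliberately never auto-renewed; it must be re-enrolled by hand.
func needsRenewal(c DeviceCert, now time.Time, window time.Duration) bool {
	return !c.Revoked && inWindow(c, now, window)
}

// dueForRenewal is one daily scheduler pass over the inventory: it returns
// the names of devices whose renewal request should be submitted today.
func dueForRenewal(certs []DeviceCert, now time.Time, window time.Duration) []string {
	var due []string
	for _, c := range certs {
		if needsRenewal(c, now, window) {
			due = append(due, c.Name)
		}
	}
	return due
}
```

Checking the window with a non-strict comparison matters at the boundary: a certificate with exactly 30 days left is both "Expiring soon" and due for renewal on the same day, so the list view and the scheduler never disagree.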