
Quick-reference cheat sheet

Category | Minimum           | Recommended
---------|-------------------|-----------------------------
CPU      | 1 vCPU            | 2 vCPU
RAM      | 256 MB            | 512 MB
Disk     | 500 MB            | 2 GB
OS       | Linux 64-bit      | Ubuntu 22.04 LTS / Debian 12
Database | None (file-based) | PostgreSQL 14+
Internet | Outbound HTTPS    |
License  | Trial or paid     |
CertForge ships as a single static binary with no runtime dependencies. If you can copy a file and open a port, you can run it.

Operating system

CertForge is tested on:
Distribution             | Versions
-------------------------|----------------------
Ubuntu                   | 22.04 LTS, 24.04 LTS
Debian                   | 11, 12
RHEL / Rocky / AlmaLinux | 8, 9
Alpine Linux             | 3.18+
macOS                    | 13 (Ventura)+
Windows Server           | 2019, 2022
Architectures supported: amd64 (x86-64) and arm64 (Apple Silicon, AWS Graviton).

Hardware

CPU

1 vCPU is sufficient for low-volume issuance (< 100 certs/day). At high volume or with many concurrent ACME clients, 2+ vCPUs prevent request queuing.

Memory

Scenario                             | RAM needed
-------------------------------------|-----------
File-based mode (no DB)              | 256 MB
PostgreSQL connected                 | 512 MB
High concurrency (> 50 ACME clients) | 1 GB

Disk

The binary is approximately 30 MB. All runtime data lives in the data directory (default: ./data).
Content                      | Size estimate
-----------------------------|--------------
Binary                       | ~30 MB
Config file                  | < 1 KB
Per certificate (JSON + PEM) | ~8 KB
Audit log (per event)        | ~1 KB
Alert state file             | < 1 KB
Planning guide: 500 MB covers the binary plus ~58,000 certificate records. For most organizations, 2 GB is ample headroom for years of issuance history and log retention.
CertForge does not store private keys by default when issuing via ACME. The 8 KB per-certificate estimate covers only the metadata JSON and the public certificate chain. If you enable key storage or use the internal CA (which stores issued certs and keys), plan for ~12 KB per certificate.

Network

Inbound ports

Port | Protocol | Purpose
-----|----------|--------------------------------------------
8080 | HTTP     | Dashboard (configurable)
8443 | TLS/mTLS | ACME enrollment API (configurable)
80   | HTTP     | ACME HTTP-01 challenge responder (optional)
443  | HTTPS    | Dashboard with TLS termination (optional)
All ports are configurable in config.yaml. You do not need ports 80/443 open if you use DNS-01 validation or an internal CA only.

Outbound connections

Destination                                | Port       | Purpose                                 | Required?
-------------------------------------------|------------|-----------------------------------------|------------------------------
certforge.xyz                              | 443        | License validation (checked every 24 h) | Yes
Your ACME CA (e.g. Let’s Encrypt, ZeroSSL) | 443        | Certificate issuance                    | Only if using ACME
Your DNS provider API                      | 443        | DNS-01 challenge automation             | Only if using DNS-01
Your SMTP server                           | 25/465/587 | Email notifications and alerts          | Only if notifications enabled
License validation requires outbound HTTPS to certforge.xyz. If your environment is air-gapped, contact support for an offline license validation option.

Firewall rules (example — ufw)

# Dashboard
ufw allow 8080/tcp

# mTLS ACME API (restrict to your internal network)
ufw allow from 10.0.0.0/8 to any port 8443 proto tcp

# ACME HTTP-01 responder (only if using HTTP-01 validation)
ufw allow 80/tcp

Database

CertForge defaults to file-based storage — no database required. Settings, users, certificates, and audit logs are stored as JSON files in the data directory. PostgreSQL is required only when:
  • You need multi-organization (cloud/SaaS) mode
  • You want shared state across multiple instances (HA/load-balanced deployments)
  • You need database-level backup and recovery for your compliance posture
Feature                   | File-based         | PostgreSQL
--------------------------|--------------------|---------------
Single-org usage          |                    |
Multi-org (platform mode) |                    |
Restart-safe sessions     |                    |
HA / load balancing       |                    |
Point-in-time recovery    | Manual file backup | Native pg_dump

PostgreSQL requirements (if used)

  • Version: 14 or later
  • Extensions: none required
  • Permissions: CREATE TABLE, CREATE INDEX on the target database
  • Minimum connection pool: 5 connections

License

A valid license.jwt file is required. Place it in your data directory before starting the server. The license file is a signed JWT. CertForge validates the signature locally on startup and phones home to certforge.xyz every 24 hours to check for tier changes or renewals. The binary will continue to operate during a network outage — the grace period is configurable (default: 14 days).
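The following is an added example of the license lifecycle just described, not CertForge's own code: a signed JWT is verified locally (signature pinned to one algorithm, then expiry), and a separate state function decides whether the server is still inside the 24 h check interval, inside the grace window, or blocked once the grace window is exhausted. The key (EXAMPLE_KEY), the HS256 algorithm, the claim names and the function names are all assumptions chosen so the example runs with only the standard library; a vendor-issued license would be signed with an asymmetric key, with only the public half shipped in the binary, so that possession of the verifier never lets anyone mint licenses.

```python
"""Illustrative license-state check (added example; not CertForge's code).

Mirrors the behaviour the page describes: the license file is a signed JWT
verified locally on startup, the server re-validates online every 24 hours,
and a configurable grace period (default 14 days) keeps it running through
an outage. HS256 with a constructed key is used only so this runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only (assumption, not a real key).
EXAMPLE_KEY = b"example-signing-key-not-a-real-secret"
CHECK_INTERVAL = 24 * 3600      # page: online check every 24 h
DEFAULT_GRACE_DAYS = 14         # page: default grace period


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_license(claims: dict, key: bytes = EXAMPLE_KEY) -> str:
    """Produce an HS256 JWT for the claims (stands in for the vendor's issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_license(token: str, now: float, key: bytes = EXAMPLE_KEY) -> dict:
    """Local startup check: signature first, then expiry. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own 'alg' must never select the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("license expired")
    return claims


def license_state(now: float, last_online_ok: float,
                  grace_days: int = DEFAULT_GRACE_DAYS) -> str:
    """Runtime state derived from the last successful online validation.

    'valid'   - still within the 24 h check interval
    'grace'   - check overdue but inside the grace window; keep serving
    'blocked' - grace window exhausted; connectivity must be restored
    """
    overdue = now - last_online_ok - CHECK_INTERVAL
    if overdue <= 0:
        return "valid"
    if overdue <= grace_days * 86400:
        return "grace"
    return "blocked"


if __name__ == "__main__":
    t0 = time.time()
    token = sign_license({"sub": "org-example", "tier": "paid",
                          "exp": t0 + 365 * 86400})
    print(verify_license(token, t0)["tier"])
    print(license_state(t0 + 3 * 86400, t0))    # outage of 3 days: grace
    print(license_state(t0 + 20 * 86400, t0))   # outage of 20 days: blocked
```

The check order matters: the signature is verified before any claim is read, so an attacker-controlled `alg` or `exp` never influences the decision, and the grace computation is keyed off the last successful online check rather than wall-clock uptime, which is what lets a restart during an outage still honour the remaining grace window.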

TLS for the dashboard

The dashboard can run in three modes:
Mode            | Config                                 | Use case
----------------|----------------------------------------|-------------------------------------------
Plain HTTP      | No TLS config                          | Development / behind a reverse proxy
Internal CA TLS | server_tls.ca_id                       | Intranet with internal CA
ACME TLS        | server_tls.acme_ca_id + public_domains | Internet-facing with Let’s Encrypt/ZeroSSL
For production, put CertForge behind nginx or Caddy if you want Let’s Encrypt for the dashboard without exposing port 80.