Inca stands for INternal CA, and it's primary aim is self-explained: handling certificate-wise flows with regards to a local and private CA. On the flip side, its ambitious vocation is to eliminate all the complexity on maintaining a PKI within a company.
Alternatives to Inca that don't have all the required features:
- OpenXPKI
- EJBCA
- step-ca
- Locksmith
- Certbot - The recommended LetsEncrypt client
- Lego - Let's Encrypt client and ACME library written in Go
Given a CA keypair, Inca exposes a set of endpoints usable to interact with the aforementioned CA to issue, revoke, extend valid certificates.
If configured to do so, Inca can proxy the already mentioned requests to external providers (e.g. Let's Encrypt), providing a simple and common interface for certificates regardless of their origin.
Inca does not only issue certificates, it caches and stores them on a configurable storage (e.g. locally on filesystem, on S3), reusing them if asked to.
Through the webgui, Inca allows for certificates to be manually imported, if issued via a third-party flow.
Given it's minimal semantic, Inca is super easy to integrate into third-party tools, as obtaining a valid certificate is as easy as curl https://inca.domain.tld/whatever-cn.domain.tld
.
Either
go build
go install
inca --help
or
docker run -it -v --network host ${PWD}/inca.yml:/etc/inca:ro \
ghcr.io/immobiliare/inca:latest
If you're curl
-ninja enough:
alias curl='curl -H "Authorization:Bearer REDACTED"'
# fetch certificate
curl https://inca.domain.tld/domain.tld.farm -o whatever.domain.tld.pem
# fetch certificate with further params
curl https://inca.domain.tld/whatever-with-details.domain.tld?alt=whatever2.domain.tld&duration=2y
# fetch key
curl https://inca.domain.tld/whatever.domain.tld/key -o whatever.domain.tld.key
# remove certificate
curl -X DELETE https://inca.domain.tld/whatever.domain.tld
Otherwise, just open Inca on a browser.
inca gen -n domain.tld -o /etc/inca.d
cat >/etc/inca <<EOF
bind: :80
providers:
- type: local
crt: /etc/inca.d/crt.pem
key: /etc/inca.d/key.pem
storage:
type: fs
path: /etc/inca.d
acl:
REDACTED:
- ^nice.domain.tld$
- .*.notsonice.domain.tld$
EOF
inca server
curl -H "Authorization:Bearer REDACTED" http://localhost:80/crt.domain.tld -o crt.domain.tld.pem
curl -H "Authorization:Bearer REDACTED" http://localhost:80/crt.domain.tld/key -o crt.domain.tld.key
See changelog.
See contributing.
Inca was created by ImmobiliareLabs, the technology department of Immobiliare.it, the #1 real estate company in Italy.
If you are using Inca drop us a message.
Made with ❤️ by ImmobiliareLabs and all the contributors
If you have any question on how to use Inca, bugs and enhancement please feel free to reach us out by opening a GitHub Issue.