EdgeCA is an ephemeral, in-memory CA providing service mesh machine identities

View the Project on GitHub edgesec-org/edgeca


EdgeCA is an ephemeral, in-memory CA providing service mesh machine identities.

This early release is meant for evaluation only.

To install the snap simply do

snap install edgeca

edgeca is the command line interface (CLI) application you will use to create CSRs and certificates

The client can generate CSR requests independently but to sign certificates it needs to have an instance of EdgeCA running in server mode as well either locally or remotely.

The snap package starts up an instance of the edgeca server as a background process by default and the server does therefore not need to be manually launched. It starts up in the default self-signed mode. To use TPP, set the following:

$ sudo snap set edgeca tpp.token="your token" 
$ sudo snap set edgeca tpp.zone="your zone"
$ sudo snap set edgeca tpp.url="your tpp url"

once those three have been set, the edgeca server will establish a TPP connection

To view the server logs do

snap logs -f edgeca.edgeca-server

The policy can likewise be set with

$ sudo snap set edgeca policy="policy filename" 

The client is run using


If you prefer not the default local edgeca server - for instance if you are running the server it on a different computer, then you can stop the local server by doing

sudo snap stop edgeca.edgeca-server

The edgeca client connects to the server in a secure way using gRPC over TLS. To be able to connect to the remote server you need to copy the gRPC TLS certificate generated by the remote server, as per the log when running the server:

Writing TLS Client certificate to /home/sidar/snap/edgeca/x1/.edgeca/certs/edgeca-client-cert.pem
Writing TLS Client key to /home/sidar/snap/edgeca/x1/.edgeca/certs/edgeca-client-key.pem

Copy this certificate from the server to your local system, and then point edgeca at your remote server by using the ā€œ-dā€ parameter to provide the location of the TLS certificate generated by the server to authenticate the client.

edgeca gencert -d "/my-tls-directory/" --cn ...