Auth & RBAC
Four roles, two scopes, two identities โ local password + TOTP, and LDAP/AD federation. Browser sessions are JWT in httpOnly cookies with double-submit CSRF and refresh-token reuse detection.
Policies & approvals
Two governance gates: a project-scoped certificate policy that constrains every issue / renew (key types, allowed issuers, SAN globs, naming regex, auto-renew requirement), and a request / approve / reject workflow that interposes a human review on sensitive operations.
Audit & SIEM
HMAC-chained audit log, RFC 5424 syslog forwarding, 30-day retention with SIEM export, and a replay-and-verify CLI.
Programmatic access
Scripts, CI/CD, and service accounts call the API as a regular user: log in for a short-lived JWT access token, send it as Authorization: Bearer, and refresh with the refresh token. Header auth bypasses CSRF. There are no separate API keys โ scope automation by giving a dedicated user the minimal role.
LDAP / Active Directory
Federate logins against LDAP v3 or Active Directory โ service-account search-then-bind, LDAPS/STARTTLS, auto-provisioning on first login, and in-form connection and filter test tools. Enterprise feature.
OTP policy (2FA enforcement)
RFC 6238 TOTP with an org-wide enforcement policy (Optional or Required), forced enrollment at login, 8 one-shot recovery codes, envelope-encrypted seeds, and progressive login lockout.
Approval workflow
Four-eyes gate for certificate operations โ five org-wide toggles (issue, reissue, renew, revoke, download), a request โ approve โ execute lifecycle with a 7-day TTL, one-time download tokens, and the My Requests review surface.
Syslog forwarding
Forward audit events to a SIEM as RFC 5424 syslog over UDP, TCP, or TCP+TLS (with optional mTLS) โ MongoDB-queued, retried with exponential backoff, safe across replicas. Enterprise feature.