Skip to main content

Quick-reference cheat sheet

CertForge ships as a single static binary with no runtime dependencies. If you can copy a file and open a port, you can run it.

Operating system

CertForge is tested on: Architectures supported: amd64 (x86-64) and arm64 (Apple Silicon, AWS Graviton).

Hardware

CPU

1 vCPU is sufficient for low-volume issuance (< 100 certs/day). At high volume or with many concurrent ACME clients, 2+ vCPUs prevent request queuing.

Memory

Disk

The binary is approximately 30 MB. All runtime data lives in the data directory (default: ./data). Planning guide: 500 MB covers the binary plus ~58,000 certificate records. For most organizations, 2 GB is ample headroom for years of issuance history and log retention.
CertForge does not store private keys by default when issuing via ACME. The 8 KB per-certificate estimate covers only the metadata JSON and the public certificate chain. If you enable key storage or use the internal CA (which stores issued certs and keys), plan for ~12 KB per certificate.

Network

Inbound ports

All ports are configurable in config.yaml. You do not need ports 80/443 open if you use DNS-01 validation or an internal CA only.

Outbound connections

License validation requires outbound HTTPS to certforge.xyz. If your environment is air-gapped, contact support for an offline license validation option.

Firewall rules (example — ufw)


Database

CertForge defaults to file-based storage — no database required. Settings, users, certificates, and audit logs are stored as JSON files in the data directory. PostgreSQL is required only when:
  • You need multi-organization (cloud/SaaS) mode
  • You want shared state across multiple instances (HA/load-balanced deployments)
  • You need database-level backup and recovery for your compliance posture

PostgreSQL requirements (if used)

  • Version: 14 or later
  • Extensions: none required
  • Permissions: CREATE TABLE, CREATE INDEX on the target database
  • Minimum connection pool: 5 connections

License

A valid license.jwt file is required. Place it in your data directory before starting the server. The license file is a signed JWT. CertForge validates the signature locally on startup and phones home to certforge.xyz every 24 hours to check for tier changes or renewals. The binary will continue to operate during a network outage — the grace period is configurable (default: 14 days).

TLS for the dashboard

The dashboard can run in three modes: For production, put CertForge behind nginx or Caddy if you want Let’s Encrypt for the dashboard without exposing port 80.