Quick-reference cheat sheet
CertForge ships as a single static binary with no runtime dependencies. If you can copy a file and open a port, you can run it.
Operating system
CertForge is tested on:
Architectures supported:
amd64 (x86-64) and arm64 (Apple Silicon, AWS Graviton).
Hardware
CPU
1 vCPU is sufficient for low-volume issuance (< 100 certs/day). At high volume or with many concurrent ACME clients, 2+ vCPUs prevent request queuing.Memory
Disk
The binary is approximately 30 MB. All runtime data lives in the data directory (default:./data).
Planning guide: 500 MB covers the binary plus ~58,000 certificate records. For most organizations, 2 GB is ample headroom for years of issuance history and log retention.
CertForge does not store private keys by default when issuing via ACME. The 8 KB per-certificate estimate covers only the metadata JSON and the public certificate chain. If you enable key storage or use the internal CA (which stores issued certs and keys), plan for ~12 KB per certificate.
Network
Inbound ports
All ports are configurable in
config.yaml. You do not need ports 80/443 open if you use DNS-01 validation or an internal CA only.
Outbound connections
Firewall rules (example — ufw)
Database
CertForge defaults to file-based storage — no database required. Settings, users, certificates, and audit logs are stored as JSON files in the data directory. PostgreSQL is required only when:- You need multi-organization (cloud/SaaS) mode
- You want shared state across multiple instances (HA/load-balanced deployments)
- You need database-level backup and recovery for your compliance posture
PostgreSQL requirements (if used)
- Version: 14 or later
- Extensions: none required
- Permissions:
CREATE TABLE,CREATE INDEXon the target database - Minimum connection pool: 5 connections
License
A validlicense.jwt file is required. Place it in your data directory before starting the server.
- Trial: 30-day trial license available at certforge.xyz/download
- Starter / Pro / Enterprise: Purchased licenses from certforge.xyz
certforge.xyz every 24 hours to check for tier changes or renewals. The binary will continue to operate during a network outage — the grace period is configurable (default: 14 days).
TLS for the dashboard
The dashboard can run in three modes:
For production, put CertForge behind nginx or Caddy if you want Let’s Encrypt for the dashboard without exposing port 80.