PKI & mTLS

Intermediate CA management lives in the admin portal.

1. Create an intermediate CSR in /admin/pki/.
2. Sign the CSR with your offline root.
3. Upload the signed cert to activate the intermediate.

Public endpoints:

• Intermediate cert: /ca
• CRL: /crl

mTLS enforcement

• Admin UI requires mTLS by default.
• API mTLS is controlled by API_MTLS_REQUIRED_PATHS.
• Ensure proxy headers are trusted only from your edge IPs.