
The trust anchor for mechanical engineering and the manufacturing industry

Trustpoint supports you in the management of digital certificates in industrial environments.

All the tools you need to manage digital identities in industrial environments.

Trustpoint helps you to implement certificate-based security mechanisms in your environment. It is a web-based application with standardized interfaces and a high degree of user-friendliness.

For industrial users

Different security levels

Comprehensive Certificate Lifecycle Management (CLM)

Support for short-lived certificates

Standardized interfaces (CMP, EST, REST)

Low hardware requirements

Available as a Docker container

Python Django web application

Trustpoint is continuously improved and further developed.

For us, Trustpoint’s ease of use takes precedence over all technical possibilities. Our goal is to make PKI and digital identities as easy to use as possible.

Beta Release v0.1.0
11/2024

  • Trustpoint Stack as a web-based application – introduced the foundational Trustpoint platform accessible via web interface.
  • User-Driven Onboarding – implemented guided onboarding workflows for users to register and enroll devices or credentials.
  • Trustpoint Client – added client-side tooling for certificate enrollment and management.
  • Browser-Based Onboarding – enabled users to perform onboarding directly through a web browser.
  • Local Issuing CA – provided built-in certificate authority functionality for issuing and managing local certificates.
  • Trust Store Management – introduced management of trusted root and issuing certificates.
  • Certificate Management Protocol (CMP) Endpoint – implemented CMP endpoint for standard-based certificate enrollment.
  • Published under MIT License – made the project open source under the MIT license.

Beta Release v0.2.0
3/2025

  • Setup wizard & improved onboarding – introduced an initial setup assistant and streamlined onboarding workflows for easier first-time configuration.
  • Remote credential download (browser onboarding) – enabled users to securely download credentials directly via the browser onboarding process.
  • Credential revocation (CRL) & security fixes – added certificate revocation list generation and multiple security-related improvements.
  • Major code & onboarding refactor – significant restructuring of onboarding logic and core components for stability and maintainability.
  • Docker & startup improvements; moved to uv – optimized container startup, reduced image complexity, and transitioned to uv for better performance.
  • Enhanced testing & demo data – expanded test coverage, added demo datasets, PostgreSQL support, and new signature suites for testing.
  • Key dependency updates – upgraded to Django 5.1.5, cryptography v44, and other critical libraries for compatibility and security.
  • Enrollment over Secure Transport (EST) endpoint – introduced EST support as an additional enrollment method.

Beta Release v0.3.0
9/2025

  • Stabilisation and code quality improvements – addressed linting, typing (Ruff, MyPy), imports, documentation and overall maintainability.
  • Docker/deployment/CI improvements – smoother container orchestration, compose actions, manual builds and versioning.
  • Backup and restore support for Docker environments – enables reliable configuration migration and updates.
  • Feature enhancements and bug fixes – including OPC UA GDS support, certificate model updates, UI fixes and domain relation improvements.
  • CycloneDX and SPDX SBOMs – Trustpoint now provides a software bill of materials for improved transparency and compliance.
  • Notification refactor – more structured notifications, enhanced help/support views and UI fixes in management, settings and logging.
  • Zero-touch onboarding with AOKI – added support for EST and CMP to enable automated onboarding.
  • Granular protocol enabling per device – allows finer control of the protocols enabled for each device.
  • Auto-generation of local root CA and issuing CA – simplifies setup and testing.
  • Docker and GitHub Actions/workflow improvements – enhanced build, tagging and manual compose processes.
  • Improved help pages for certificate lifecycle management – clearer guidance and documentation for issuing and renewing certificates.

Beta Release v0.4.0
12/2025

  • Workflow engine with approvals, webhooks, and notifications – introduced structured workflows to support controlled and auditable trust processes.
  • REST API based on Django REST Framework – added programmatic access for automation and external integrations.
  • PKCS#11 support with SoftHSM integration – introduced experimental HSM-based cryptographic operations using the PKCS#11 interface.
  • Signing application and hash-based signing – enabled signing workflows for external data using hash-and-sign mechanisms.
  • Configurable certificate profiles – introduced standardized and customizable certificate profile definitions (initial implementation).
  • Certificate profile integration into request workflows – integrated certificate profiles into certificate request processing (work in progress).
  • Extended signer creation – enabled signer creation during domain and device onboarding.
  • Help pages refactor – improved structure and clarity of in-application help content.
  • Certificate lifecycle management UX optimization – refined workflows for issuing, renewing, and managing certificates.
  • Certificate detail access improvements – detailed issuing CA information is now accessible from domain tables.
  • Management App TLS certificate generation and selection – improved handling and configuration of TLS certificates.
  • Dashboard updates – visual and functional improvements to dashboard views.
  • Improved request pipelines for CMP and EST – more robust and consistent certificate request handling.
  • UI layout improvements – multiple layout and consistency improvements across the user interface.
  • Documentation updates – improvements to README and general documentation.
  • Code quality and security improvements – continued alignment with Ruff, MyPy, unit testing, and OpenSSF best practices.
  • 71% unit test coverage – 2,425 test cases implemented, with ongoing efforts to increase coverage.

v0.5.0 – Development Roadmap

  • Registration Authority (RA) mode – introduction of a dedicated RA mode to support separated RA and CA roles in larger trust infrastructures.
  • Improved IDevID support – enhanced device identity handling, including clearer lifecycle management and stronger alignment with device identity standards.
  • Extended workflow automation – further automation of trust and certificate workflows building on the workflow engine introduced in v0.4.0.
  • Physical HSM support – planned support for physical hardware security modules in addition to existing software-based HSM integrations.
  • Protocol improvements – enhancements to CMP, EST, and AOKI request and processing flows.
  • Policy and process hardening – continued refinement of approval processes, validations, and operational safeguards for production-scale environments.

The Trustpoint research project has been funded by the German Federal Ministry of Research, Technology and Space since September 2023. The aim of the project is to develop an open source solution that ensures the secure provision of digital certificates in industrial networks and their management throughout their entire life cycle. Trustpoint helps companies to verify chains of trust. This makes it easier to secure machines and their components in factories, and to do so more effectively.

On our YouTube channel you will find a variety of videos about digital identities as well as clear explanations of Trustpoint’s functions.

The Trustpoint development team consists of medium-sized companies (achelos, asvin, Keyfactor) with expertise in the field of security as well as research institutes and universities (Campus Schwarzwald, Hamm-Lippstadt University of Applied Sciences).

The practical relevance to the user is ensured by the close exchange with our associated partners ARBURG, Belden Inc, HOMAG, Phoenix Contact, Schmalz, Siemens and Diebold Nixdorf.

Try Trustpoint!

Trustpoint is based on Python Django and can be up and running in just a few minutes. To make the installation even easier, we provide you with a Docker container.

Onboarding and CLM

Trustpoint maps the complete lifecycle of a component in your infrastructure. Options are available for user-driven onboarding and zero-touch onboarding, which help to initially integrate a component into a network. After successful onboarding, application certificates (e.g. for OPC UA or MQTT) can be issued to devices and managed.

Protocols and PKI

With Trustpoint you can either operate an issuing CA locally within Trustpoint or connect to a remote issuing CA, with Trustpoint acting as a Registration Authority (RA). Standardized protocols such as the Certificate Management Protocol (CMP) or Enrollment over Secure Transport (EST) are available both towards the remote issuing CA and towards the component.

Dr. Claudia Priesterjahn | achelos
Christian Schwinne | Hochschule Hamm-Lippstadt
Alexander Harig | Campus Schwarzwald
Rohit Bohara | asvin
Prof. Jan Pelzl | Hochschule Hamm-Lippstadt
Omkar Joglekar | asvin
Dominik Isaak | achelos
Florian Handke | Campus Schwarzwald

Centrum für Digitalisierung, Führung und Nachhaltigkeit Schwarzwald gGmbH

Herzog-Eberhard-Str. 56, 72250 Freudenstadt

trustpoint[at]campus-schwarzwald.de