README
¶
Intel DCAP Provisioning Certificate Caching Service (Go)
IMPORTANT NOTICE This is NOT official Intel software. This is an independent, community-developed implementation of a caching proxy for Intel's SGX Provisioning Certificate Service. It is not affiliated with, endorsed by, or supported by Intel Corporation.
Use at your own risk. For official Intel software, please visit the Intel SGX DCAP repository.
A lightweight, self-contained replacement for Intel's SGX DCAP PCCS (Provisioning Certificate Caching Service), written in Go.
This service acts as a caching proxy between SGX-enabled platforms and Intel's Provisioning Certificate Service, reducing network latency and dependency on external services during SGX quote generation and verification.
Why This Replacement?
The original Node.js-based PCCS (sgx-dcap-pccs) has become difficult to install due to:
- Deprecated npm packages that can no longer be installed
- Complex dependency chains
- Heavy runtime requirements (Node.js, native modules, etc.)
- apt install requires interactions
This Go implementation:
- Single binary - no dependencies, just run it
- In-memory TLS certificates - auto-generates self-signed certs if needed
- Minimal configuration - only requires an API key
- Lightweight - uses PebbleDB for caching instead of SQL
- Drop-in compatible - implements the same API as the original PCCS
Installation
Pre-built Binaries (Recommended)
Download the latest release from GitHub Releases:
Linux (x86_64):
wget https://github.com/KarpelesLab/intel-dcapd/releases/latest/download/intel-dcapd-linux-amd64.tar.gz
tar -xzf intel-dcapd-linux-amd64.tar.gz
cd intel-dcapd-linux-amd64-*/
sudo make install onboot INTEL_API_KEY=your-api-key-here
This will:
- Install binaries to
/usr/local/bin - Create a system user
dcapd(customizable withPCCS_USER=username) - Create cache directory
/var/cache/intel-dcapd - Install and start a systemd service
Manual installation (Linux):
# Just install binaries without systemd service
sudo make install
# Or copy manually
sudo cp intel-dcapd /usr/local/bin/
sudo cp pccsadmin /usr/local/bin/
Linux (i386):
wget https://github.com/KarpelesLab/intel-dcapd/releases/latest/download/intel-dcapd-linux-i386.tar.gz
tar -xzf intel-dcapd-linux-i386.tar.gz
cd intel-dcapd-linux-i386-*/
sudo make install onboot INTEL_API_KEY=your-api-key-here
Windows (x86_64):
# Download: https://github.com/KarpelesLab/intel-dcapd/releases/latest/download/intel-dcapd-windows-amd64.zip
# Extract the zip file
# Run intel-dcapd.exe and pccsadmin.exe from the extracted folder
Each release includes:
intel-dcapd- Main PCCS service binarypccsadmin- Administration CLI tool for managing PCCSMakefile- Installation helper (Linux only)intel-dcapd.service.in- Systemd service template (Linux only)README.md- Main documentationREADME.pccsadmin.md- Administration tool documentationLICENSE- License information
Build from Source
git clone https://github.com/KarpelesLab/intel-dcapd.git
cd intel-dcapd
go build -o intel-dcapd
Requirements: Go 1.23 or later
Quick Start
1. Get an Intel API Key
Subscribe to Intel's Provisioning Certificate Service: https://api.portal.trustedservices.intel.com/provisioning-certification
2. Run the Service
export INTEL_API_KEY=your-api-key-here
./intel-dcapd
That's it! The service will:
- Listen on
https://localhost:8081 - Auto-generate a self-signed TLS certificate (in-memory)
- Store cache in
~/.cache/intel-dcapd/(database atcachedbsubdirectory) - Start serving requests
3. Configure Your SGX Client
Edit /etc/sgx_default_qcnl.conf:
{
"pccs_url": "https://localhost:8081/sgx/certification/v4/",
"use_secure_cert": false
}
Configuration
All configuration is via environment variables:
Required
INTEL_API_KEY- Your Intel PCS API subscription key (required)
Optional
DCAPD_LISTEN- Listen address (default:localhost:8081)DCAPD_CACHE_DIR- Cache directory (default:~/.cache/intel-dcapd)DCAPD_CACHE_MODE- Caching mode:LAZY,REQ, orOFFLINE(default:LAZY)DCAPD_PCS_URL- Intel PCS URL (default:https://api.trustedservices.intel.com/sgx/certification/v4/)DCAPD_VERBOSE- Enable verbose logging:1ortrue(default: disabled)
TLS Certificate (Optional)
DCAPD_CERT_FILE- Path to TLS certificate (if not set, auto-generates in-memory)DCAPD_KEY_FILE- Path to TLS private key (if not set, auto-generates in-memory)
Authentication (Optional)
DCAPD_USER_TOKEN_SHA512- SHA-512 hash of user token for platform registrationDCAPD_ADMIN_TOKEN_SHA512- SHA-512 hash of admin token for admin endpoints
Caching Modes
LAZY Mode (Default)
Cache-on-demand: fetches from Intel PCS when data is not in cache.
- Requires internet access at runtime
- Best for development and testing
- Automatic cache population
- Fully supported
REQ Mode
Pre-caches platform data during registration.
- Fetches all collaterals when platform is registered via POST /platforms
- Runtime uses cache only (no Intel PCS access needed)
- Good for production with initial internet access
- Fully supported
OFFLINE Mode
No internet access required at runtime.
- Fully supported
- Platform registration via POST /platforms works (fetches and caches if internet available)
- Manual collateral upload via PUT /platformcollateral is FULLY IMPLEMENTED
- Supports bulk upload of platforms, certificates, TCB info, CRLs, and identities
- True air-gapped deployment ready
Feature Status
| Feature | Status | Notes |
|---|---|---|
| PCK Certificate caching | Fully supported | GET /pckcert |
| TCB Info (SGX & TDX) | Fully supported | Both v3 and v4 APIs |
| Enclave identities | Fully supported | QE, QVE, TDQE |
| CRL caching | Fully supported | PCK, Root CA, generic |
| Platform registration | Fully supported | POST /platforms |
| Platform listing | Fully supported | GET /platforms |
| Manual cache refresh | Fully supported | GET/POST /refresh |
| Appraisal policies | Fully supported | PUT/GET /appraisalpolicy |
| Platform collateral upload | Fully supported | PUT /platformcollateral (OFFLINE mode) |
| Background cache refresh | Fully supported | Automatic daily refresh |
| v3 API compatibility | Fully supported | All endpoints support v3 |
| v4 API | Fully supported | Primary API version |
API Endpoints
The service implements the Intel PCCS API with full v3 and v4 support:
Certificate Endpoints (Public)
GET /sgx/certification/v4/pckcert # Get PCK certificate
GET /sgx/certification/v4/tcb # Get SGX TCB info
GET /sgx/certification/v4/qe/identity # Get QE identity
GET /sgx/certification/v4/qve/identity # Get QVE identity
GET /sgx/certification/v4/pckcrl # Get PCK CRL
GET /sgx/certification/v4/rootcacrl # Get root CA CRL
GET /sgx/certification/v4/crl # Get CRL from URL
GET /sgx/certification/v4/appraisalpolicy # Get appraisal policy
Platform Management (Authenticated)
POST /sgx/certification/v4/platforms # Register platforms (user auth)
GET /sgx/certification/v4/platforms # List platforms (admin auth)
Admin Endpoints (Authenticated)
GET /sgx/certification/v4/refresh # Trigger cache refresh
POST /sgx/certification/v4/refresh # Trigger cache refresh
PUT /sgx/certification/v4/appraisalpolicy # Upload appraisal policy
PUT /sgx/certification/v4/platformcollateral # Bulk upload collateral (OFFLINE mode)
TDX Endpoints (Public)
GET /tdx/certification/v4/tcb # Get TDX TCB info
GET /tdx/certification/v4/qe/identity # Get TD QE identity
Note: All endpoints above are also available with /v3/ for backward compatibility.
Differences from Intel's Node.js PCCS
This Go implementation achieves API compatibility with Intel's reference PCCS but differs in some areas:
Implementation Differences
-
Database: Uses PebbleDB (embedded key-value store) instead of SQLite/MySQL
- No schema migrations needed
- Simpler deployment
- Cannot migrate existing PCCS database (cache repopulates automatically)
-
Platform Registration: POST /platforms in LAZY/REQ modes fetches certificates immediately
- Simpler than Intel's queuing mechanism
- No separate platform registration states ("NEW", "NOT_AVAILABLE")
- Platforms are either cached or not cached
-
Certificate Selection: Pure Go implementation of PCK certificate selection algorithm
- Based on Intel's reference but independently implemented
- Matches PCK cert to platform TCB level
Fully Compatible
- All certificate retrieval endpoints (GET /pckcert, /tcb, /qe/identity, etc.)
- Platform collateral bulk upload (PUT /platformcollateral)
- Both v3 and v4 API versions
- Authentication model (user/admin tokens)
- Cache refresh mechanism
- Appraisal policy storage and retrieval
- OFFLINE mode for air-gapped deployments
Deployment
Systemd Service
Automated installation (from release tarball):
The Linux release tarballs include a Makefile that handles installation:
# Install binaries and setup systemd service
sudo make install onboot INTEL_API_KEY=your-api-key-here
# Optional: customize user and cache location
sudo make install onboot INTEL_API_KEY=your-api-key-here PCCS_USER=pccs CACHE_DIR=/opt/pccs-cache
# Check status
systemctl status intel-dcapd
# View logs
journalctl -u intel-dcapd -f
The Makefile automatically:
- Creates a system user (default:
dcapd) - Sets up cache directory with proper permissions (default:
/var/cache/intel-dcapd) - Installs and enables the systemd service
Manual installation:
Create a system user and cache directory:
PCCS_USER=dcapd
CACHE_DIR=/var/cache/intel-dcapd
sudo useradd --system --no-create-home --shell /bin/false $PCCS_USER
sudo mkdir -p $CACHE_DIR
sudo chown $PCCS_USER:$PCCS_USER $CACHE_DIR
Create /etc/systemd/system/intel-dcapd.service:
[Unit]
Description=Intel DCAP Provisioning Certificate Caching Service
After=network.target
[Service]
Type=simple
User=dcapd
Group=dcapd
Environment="INTEL_API_KEY=your-key-here"
Environment="DCAPD_CACHE_DIR=/var/cache/intel-dcapd"
ExecStart=/usr/local/bin/intel-dcapd
Restart=on-failure
# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/cache/intel-dcapd
[Install]
WantedBy=multi-user.target
Note: Adjust User, Group, DCAPD_CACHE_DIR, and ReadWritePaths in the service file if using different values.
Enable and start:
sudo systemctl daemon-reload
sudo systemctl enable --now intel-dcapd
Docker
FROM golang:1.23-alpine AS builder
WORKDIR /build
COPY . .
RUN go build -o intel-dcapd
FROM alpine:latest
RUN apk --no-cache add ca-certificates
COPY --from=builder /build/intel-dcapd /usr/local/bin/
ENTRYPOINT ["/usr/local/bin/intel-dcapd"]
Run:
docker build -t intel-dcapd .
docker run -d -p 8081:8081 -e INTEL_API_KEY=your-key intel-dcapd
Production Use
For production deployments:
-
Use proper TLS certificates:
export DCAPD_CERT_FILE=/path/to/cert.pem export DCAPD_KEY_FILE=/path/to/key.pem -
Enable authentication:
# Generate token hash (example with openssl) echo -n "my-secret-token" | openssl dgst -sha512 | awk '{print $2}' export DCAPD_USER_TOKEN_SHA512=<hash> export DCAPD_ADMIN_TOKEN_SHA512=<hash> -
Listen on all interfaces (if needed):
export DCAPD_LISTEN=0.0.0.0:8081
Migrating from Node.js PCCS
The Go implementation uses PebbleDB instead of SQLite/MySQL, so you cannot directly migrate the database. However, the cache will be automatically repopulated on-demand as platforms request certificates.
Steps:
- Stop the old PCCS service
- Start the Go version with the same API key
- Test with a few platforms
- Monitor logs for any issues
Logging
Logs go to standard output. Key events logged:
- Server startup and configuration
- TLS certificate generation
- Cache hits/misses
- Intel PCS requests (with Request-ID for debugging)
- Errors and warnings
Troubleshooting
Enable Verbose Logging
For detailed debugging information:
export DCAPD_VERBOSE=1
./intel-dcapd
Verbose mode logs:
- All request parameters
- Cache hits and misses
- Certificate selection process
- Intel PCS request/response details
- Certificate and issuer chain lengths
- Response headers being sent
"INTEL_API_KEY environment variable is required"
You need to set the API key. Get one from: https://api.portal.trustedservices.intel.com/
Certificate errors from SGX clients
Set "use_secure_cert": false in /etc/sgx_default_qcnl.conf if using auto-generated certificates.
Platform not found
- Check that the API key is valid
- Verify internet connectivity to Intel PCS
- Check logs for Intel PCS errors
- Ensure the platform has been properly registered
- Enable verbose logging to see detailed request flow
"No certificate data for this platform"
This can indicate certificate encoding issues:
- Enable verbose logging:
export DCAPD_VERBOSE=1 - Clear the cache:
rm -rf ~/.cache/intel-dcapd/ - Restart the service
- Check verbose logs for certificate lengths and encoding
- Verify AESM is using the correct PCCS URL in
/etc/sgx_default_qcnl.conf
License and Disclaimer
This is an independent, community-developed implementation and is NOT official Intel software.
Disclaimer: This software is provided "as-is" without warranty of any kind. Intel Corporation does not endorse, support, or maintain this implementation. The authors and contributors are not responsible for any issues arising from the use of this software.
For official Intel software and licensing information regarding Intel SGX technologies, please refer to:
This implementation is intended to interface with Intel's Provisioning Certificate Service API, which requires a valid API key from Intel. Users must comply with Intel's terms of service when using their PCS API.
Contributing
This is a pragmatic, minimal implementation. Contributions should focus on:
- Bug fixes
- Security improvements
- Performance optimizations
- Better error handling
Keep it simple!
Documentation
¶
There is no documentation for this package.
Source Files
Directories