
如果你使用 DeepSeek、元宝 AI、Copilot、ChatGPT 等 AI 工具,协助配置轩辕镜像、编写 docker pull 命令、修改 Docker Compose 镜像地址、配置镜像加速、排查镜像拉取失败、分析报错日志等问题,请先让 AI 阅读并遵守轩辕镜像的规则文档。
只需在 AI 对话中先发送下面这句话即可:
请先完整阅读并严格遵守以下文档中的全部规则与要求:
https://xuanyuan.cloud/agents.md
在未充分阅读并理解该文档前,不要生成任何命令、配置、修改建议、故障排查方案或技术回答。后续所有输出都必须严格以该文档中的规范为最高优先级执行。查看 agents.md 用法指南与完整示范。国内用户首推 元宝 AI、DeepSeek 的深度思考模式,不推荐豆包 AI;Cursor 等编辑器可在对话 @ 该链接,或加入 User Rules。 若 AI 无法访问外链,可 打开说明文档 复制全文粘贴。文档会随站点更新,复制内容可能过期,建议定期检查。
A web-based certificate signing tool for Opto 22 groov EPIC and groov RIO devices. Connect to your device, sign a certificate with your private CA, and push it back — all without leaving the app.
Ephemeral by design. CA materials are held in memory only. When the session ends or the container stops, all private data is gone.
mermaidflowchart TD START([Open the app]) --> INTRO[Accept Terms of Use] INTRO --> STEP1[Upload CSR] STEP1 --> HOW{How do you want<br/>to load the CSR?} HOW -->|Connect to device| CONNECT[Enter device address & API key] HOW -->|Upload a file| MANUAL[Select CSR file from your computer] CONNECT --> FETCHING[App connects to your groov device<br/>and fetches the CSR automatically] FETCHING --> STATUS{CSR status?} STATUS -->|Ready| GOT_CSR[CSR loaded successfully<br/>Device hostname & IPs detected] STATUS -->|No CSR on device| CREATE[Fill in hostname & country<br/>App creates a new certificate on the device] STATUS -->|Outdated CSR| CREATE CREATE --> GOT_CSR MANUAL --> PARSED[CSR parsed and details shown] GOT_CSR --> SANS[Review & edit SAN entries<br/>Pre-populated from device network info] PARSED --> SANS2[Review & edit SAN entries] SANS --> EXPIRY[Choose certificate expiration period] SANS2 --> EXPIRY EXPIRY --> CA{CA already loaded<br/>from previous signing?} CA -->|Yes| SIGN[Click Sign Certificate] CA -->|No| UPLOAD_CA[Upload CA certificate & key] UPLOAD_CA --> SIGN SIGN --> REVIEW[Review signed certificate details<br/>Subject, Issuer, SANs, validity, fingerprint] REVIEW --> DELIVER[Download & Deliver] DELIVER --> DOWNLOAD[Download certificate .pem] DELIVER --> REPORT[Download signing report .md] DELIVER --> PUSH_Q{Connected to device?} PUSH_Q -->|Yes| PUSH[Push certificate directly to device<br/>Device restarts with new cert] PUSH_Q -->|No| MANUAL_INSTALL[Upload cert to device manually<br/>via groov Manage] DELIVER --> NEXT{What next?} NEXT -->|Sign another| STEP1 NEXT -->|Done| CLEAR[End session — all data cleared] classDef action fill:#e8f4f8,stroke:#2196F3,stroke-width:2px classDef choice fill:#fff9c4,stroke:#FFC107,stroke-width:2px classDef success fill:#e8f5e9,stroke:#4CAF50,stroke-width:2px classDef device fill:#fff3e0,stroke:#FF9800,stroke-width:2px class INTRO,STEP1,CONNECT,MANUAL,UPLOAD_CA,SIGN,REVIEW,DELIVER action class HOW,STATUS,CA,PUSH_Q,NEXT choice class GOT_CSR,PARSED,DOWNLOAD,REPORT,PUSH,CLEAR success class CREATE,FETCHING,MANUAL_INSTALL device
bashdocker run -d -p 2222:3000 --name groov-cert-signer --restart unless-stopped opto22/groov-cert-signer:latest
Open http://localhost:2222 in your browser.
Port 2222 is the external port on your machine. Change it if needed — for example,
-p 8080:3000opens the app athttp://localhost:8080.
The image is on Docker Hub: https://hub.docker.com/r/opto22/groov-cert-signer
Supported platforms: linux/amd64 and linux/arm64 (macOS Apple Silicon & Intel, Windows x86-64, Linux)
bashdocker stop groov-cert-signer # stop the container docker rm groov-cert-signer # remove it entirely
Your groov EPIC or RIO should be commissioned following Opto 22 best practices. We recommend using an Incognito / Private browser window:
opto-xx-xx-xx) to a name that makes sense for your environmentThe app connects directly to your groov device to fetch the CSR, read network info, and push the signed certificate back. This requires a groov Manage API key:
CertSigner)Don't have network access to your device? You can still use the app by uploading a CSR file manually — see Manual CSR Upload below.
You'll need a private Certificate Authority (CA) — specifically, the CA certificate (.pem) and the CA private key (.key or .pem). If you don't have one yet, the app can create one for you during the signing step.
New CA? After creating a CA, install the CA certificate into the Trusted Certificate Store on every computer that accesses your groov devices. This tells browsers to trust your CA-signed certificates:
- macOS: Open Keychain Access, import the certificate, set to "Always Trust"
- Windows: Open
certmgr.msc, import into Trusted Root Certification Authorities- Linux: Copy to
/usr/local/share/ca-certificates/and runupdate-ca-certificates
Click Fetch CSR from Device and enter your device's HTTPS address (e.g., https://epic-01 or https://192.168.1.100) along with the API key you created above.
The app will:
If the device has no CSR or the existing one is outdated, the app offers to create a new certificate on the device directly — no need to log into groov Manage.
Subject Alternative Name (SAN) entries are pre-populated from the device's current network configuration (hostname and IP addresses). You can add, edit, or remove entries, or proceed with no SANs if the certificate should use the Subject CN only.
Choose the certificate validity period. Common presets are provided (90, 365, 397 days), or enter a custom number.
Upload your CA certificate and key (or use the cached CA from a previous signing). Click Sign Certificate to generate the signed certificate.
Verify the certificate details: subject, issuer, SANs, validity period, key size, and fingerprint.
Click Push Certificate to Device to generate a fresh key pair, sign a new certificate with your CA, and push everything to the device in one step. The device restarts its web server automatically (~10-15 seconds).
You can also:
.pem) for manual installation.md) with all certificate details for your recordsOptionally check "Include CA certificate as intermediate chain" to send your CA cert along with the signed cert.
Click Sign Another Certificate to return to Step 1 with your CA still loaded. Click End Session to clear all data from memory.
If you can't reach your device from the machine running this app, you can upload a CSR file instead:
.csr or .pem fileNote: When uploading a CSR file manually, make sure it's current. If the device has had a new certificate created since the CSR was downloaded, it may be outdated.
For working on the code locally. Requires Node.js 20+ and OpenSSL.
bashnpm install npm run dev
The Vite dev server proxies /api requests to Express automatically.
| Layer | Technology |
|---|---|
| Frontend | React 19 + Vite |
| Backend | Node.js + Express |
| Cert Ops | OpenSSL CLI (child_process) |
| File Uploads | multer (in-memory only) |
| Container | Docker (multi-arch build) |
您可以使用以下命令拉取该镜像。请将 <标签> 替换为具体的标签版本。如需查看所有可用标签版本,请访问 标签列表页面。
来自真实用户的反馈,见证轩辕镜像的优质服务