Skip to content
/ xipki Public

XiPKI: Compact open source PKI (CA, OCSP responder, certificate protocols ACME, CMP, EST).

License

Notifications You must be signed in to change notification settings

xipki/xipki

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

GitHub release License Github forks Github stars

XiPKI

XiPKI (eXtensible sImple Public Key Infrastructure) is a highly scalable and high-performance open source PKI (CA and OCSP responder).

License

  • The Apache Software License, Version 2.0

Support

Just create new issue.

For bug-report please upload the test data and log files, describe the version of XiPKI, OS and JRE/JDK, and the steps to reproduce the bug.

Get Started

Binaries

The binary xipki-setup-<version>.zip can be retrieved using one of the following methods

Install and Setup

Unpack xipki-setup-<version>.zip and follow the xipki-setup-<version>/INSTALL.md.

Features

Supported Platform

CA Protocol Gateway

  • EST (RFC 7030)
  • SCEP (RFC 8894)
  • CMP (RFC 4210, 4211, 9045, 9480)
  • ACME (RFC 8555, RFC 8737)
    • Challenge types: dns-01, http-01, tls-apln-01
  • RESTful API (XiPKI own API)

CA (Certification Authority)

  • X.509 Certificate v3 (RFC 5280)
  • X.509 CRL v2 (RFC 5280)
  • EdDSA Certificates (RFC 8410, RFC 8032)
  • SHAKE Certificates (RFC 8692)
  • Diffie-Hellman Proof-of-Possession Algorithms (RFC 6955)
  • EN 319 411 and 319 412 (eIDAS)
  • Direct and indirect CRL
  • FullCRL and DeltaCRL
  • API to specify customized certificate profiles
  • Support of JSON-based certificate profile
  • API to specify customized publisher, e.g. for LDAP and OCSP responder
  • Support of publisher for OCSP responder
  • Public key types of certificates: RSA, EC, DSA, Ed25519, Ed448, SM2, X25519, X448
  • Signature algorithms of certificates
    • DSA with hash algorithms: SHA-1, SHA-2, and SHA-3
    • ECDSA with hash algorithms: SHA-1, SHA-2, SHA-3, and SHAKE
    • Ed25519, Ed448
    • Plain ECDSA with hash algorithms: SHA-1, and SHA-2
    • RSA PKCS1v1.5 with hash algorithms: SHA-1, SHA-2, and SHA-3
    • RSA PSS with hash algorithms: SHA-1, SHA-2, and SHA-3, and SHAKE
    • SM3withSM2
  • Native support of X.509 extensions (other extensions can be supported by configuring it as blob)
    • RFC 3739
      • BiometricInfo
      • QCStatements (also in eIDAS standard EN 319 412)
      • SubjectDirectoryAttributes
    • RFC 4262
      • SMIMECapabilities
    • RFC 5280
      • AuthorityInformationAccess, AuthorityKeyIdentifier
      • BasicConstraints
      • CertificatePolicies, CRLDistributionPoints
      • ExtendedKeyUsage
      • FreshestCRL
      • InhibitAnyPolicy, IssuerAltName
      • KeyUsage
      • NameConstraints
      • PolicyConstrains, PolicyMappings, PrivateKeyUsagePeriod
      • SubjectAltName, SubjectInfoAccess, SubjectKeyIdentifier
    • RFC 6960
      • OcspNoCheck
    • RFC 6962
      • CT Precertificate SCTs
    • RfC 7633
      • TLSFeature
    • Car Connectivity Consortium
      • ExtensionSchema
    • Common PKI (German national standard)
      • AdditionalInformation, Admission
      • Restriction
      • ValidityModel
    • GM/T 0015-2012 (Chinese national standard)
      • ICRegistrationNumber, IdentityCode, InsuranceNumber
      • OrganizationCode
      • TaxationNumber
  • Management of multiple CAs in one software instance
    • Support of database cluster
    • Multiple software instances (all can be in active mode) for the same CA
    • Native support of management of CA via embedded OSGi commands
    • API to manage CA. This allows one to implement proprietary CLI, e.g. Website, to manage CA.
    • Database tool (export and import CA database) simplifies the switch of databases, upgrade of XiPKi and switch from other CA system to XiPKI CA
    • All configuration of CA except those of databases is saved in database

OCSP Responder

  • OCSP Responder (RFC 2560 and RFC 6960)
  • Configurable Length of Nonce (RFC 8954)
  • Support of Common PKI 2.0
  • Management of multiple certificate status sources
  • Support of certificate status sources
    • Database of XiPKI CA
    • OCSP database published by XiPKI CA
    • CRL and DeltaCRL
    • Database of EJBCA
  • API to support proprietary certificate sources
  • Support of both unsigned and signed OCSP requests
  • Multiple software instances (all can be in active mode) for the same OCSP signer and certificate status sources.
  • Database tool (export and import OCSP database) simplifies the switch of databases, upgrade of XiPKi and switch from other OCSP system to XiPKI OCSP.
  • High performance
  • Support of health check

Mgmt CLI (Management Client)

  • Configuring CA
  • Generating keypairs of RSA, EC and DSA in token
  • Deleting keypairs and certificates from token
  • Updating certificates in token
  • Generating CSR (PKCS#10 request)
  • Exporting certificate from token

CLI (CA/OCSP Client)

  • Client to enroll, revoke, and unrevoke (unsuspend) certificates, to download CRLs
  • Client to send OCSP request
  • Updating certificates in token
  • Generating CSR (PKCS#10 request)
  • Exporting certificate from token

HSM Proxy

  • Provide the access to the HSM remotely.