XiPKI (eXtensible sImple Public Key Infrastructure) consists of a CA and an OCSP responder.
Highly scalable and high-performance open source PKI (CA and OCSP responder), especially suitable for IoT, M2M and V2X.
- XiPKI Commercial License
- GNU AFFERO GENERAL PUBLIC LICENSE (AGPL) version 3
Lijun Liao (lijun.liao -A-T- gmail -D-O-T- com), LinkedIn
Just drop me an email.
- JRE / JDK 8
- OpenJDK/Oracle: JCE Unlimited Strength Jurisdiction Policy Files (needed on JRE builds that ship with the limited crypto policy; without them the JRE refuses the key sizes XiPKI uses)
Database
- DB2
- Oracle
- Oracle RAC
- PostgreSQL
- MySQL
- MariaDB
- H2
- HSQLDB
HSM
- Thales nCipher Solo (PCI card)
- Thales nCipher Connect (network)
- Utimaco Se
- SoftHSM v1 & v2
- SmartCard-HSM EA+
JVM
- OpenJDK 8
OS
- CentOS
- Fedora
- Red Hat
- SLES
- Ubuntu
- Windows
- Mac OS
- Raspbian (tested on Raspberry Pi 2 Model B)
Download the released binary package xipki-pki-<version>.tar.gz from https://github.com/xipki/xipki/releases, or build it from source as follows.
- Get a copy of the XiPKI code
  git clone https://github.com/xipki/xipki
- Build
  - Install the third-party artifacts that are not available in Maven repositories. In the folder xipki/ext:
    ./install.sh
  - Compile and install the artifacts. In the folder xipki:
    mvn clean install
  - Assembly. In the folder xipki/dist/xipki-pki:
    mvn clean package
- Copy the file xipki-pki-<version>.tar.gz to the destination folder.
- Unpack the assembled file. In the destination folder of the installation:
  tar xvf xipki-pki-<version>.tar.gz
The following steps use $XIPKI_HOME to point to the unpacked root folder.
Adapt the database configuration (the configured database user needs read and write access). In the folder $XIPKI_HOME/xipki/ca-config, copy the CA database configuration template example/ca-db.properties-<type> to ca-db.properties and the OCSP database configuration template example/ocsp-db.properties-<type> to ocsp-db.properties, and then adapt them. Both files contain the database credentials, so restrict read access to them to the account that runs XiPKI.
Add JDBC drivers (optional)
This step is only required if you want to use a database other than H2.
- Get the JDBC driver
  Oracle
  - Driver: ojdbc7.jar
  - Download URL: http://www.oracle.com/technetwork/database/features/jdbc/jdbc-drivers-12c-download-1958347.html
  DB2
  - Driver: db2jcc4.jar
  MySQL
  - Driver: mysql-connector-java.jar
  - Download URL: https://dev.mysql.com/downloads/connector/j
  - On Debian, use the mysql-connector-java.jar from the package libmysql-java (e.g. under /usr/share/java/mysql-connector-java.jar)
  MariaDB
  - Driver: mariadb-java-client-<version>.jar
  - Download URL: https://downloads.mariadb.org/connector-java/
  PostgreSQL
  - Driver: postgresql-<version>.jar
  - Download URL: https://jdbc.postgresql.org/download.html
  HSQLDB
  - Driver: hsqldb-<version>.jar
  - Download URL: hsqldb.org
Copy the jar file to the folder
lib/jdbc
. -
Append the bundle URL to the feature
xipki-jdbc
in the filelib/jdbc/features.xml
.<feature name="xipki-jdbc" description="JDBC drivers"> ... <bundle start-level="75">file:lib/jdbc/....jar</bundle> </feature>
Note that if the bundle is not an OSGi-bundle, the URL must be prepended by the prefix "wrap:". In general, a bundle contains the header Export-Package in the manifest file META-INF/MANIFEST.MF.
<feature name="xipki-jdbc" description="JDBC drivers"> ... <bundle start-level="75">wrap:file:..</bundle> </feature>
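To decide between the plain and the wrap: URL without opening the jar by hand, the following added example (not part of XiPKI) reads the jar's manifest and emits the <bundle> element for features.xml. It treats a jar as an OSGi bundle if its manifest carries Bundle-SymbolicName (the header every bundle must have) or Export-Package; the in-memory sample jars it builds are constructed for the demonstration and stand in for a real driver jar.

```python
"""Decide whether a JDBC driver jar needs the "wrap:" prefix in lib/jdbc/features.xml.

Added example (not XiPKI code): reads META-INF/MANIFEST.MF from the jar and looks
for OSGi headers. Bundle-SymbolicName is mandatory for every OSGi bundle;
Export-Package is the header the XiPKI readme points at, so both are accepted.
"""
import io
import os
import sys
import zipfile
from typing import Dict


def read_manifest(jar) -> Dict[str, str]:
    """Parse the main section of META-INF/MANIFEST.MF into a dict.

    Manifest values longer than 72 bytes are split over several lines; every
    continuation line starts with a single space, which is dropped and the rest
    appended to the previous header. The main section ends at the first empty
    line; per-entry sections that may follow are ignored.
    """
    with zipfile.ZipFile(jar) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:  # plain jar without any manifest at all
            return {}
    headers: Dict[str, str] = {}
    key = None
    for line in raw.splitlines():
        if line == "":
            break
        if line.startswith(" ") and key is not None:
            headers[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            headers[key] = value.strip()
    return headers


def is_osgi_bundle(manifest: Dict[str, str]) -> bool:
    """True if the manifest carries OSGi bundle headers."""
    return "Bundle-SymbolicName" in manifest or "Export-Package" in manifest


def feature_bundle_line(jar_name: str, manifest: Dict[str, str], start_level: int = 75) -> str:
    """Return the <bundle> element to append to the xipki-jdbc feature."""
    url = "file:lib/jdbc/" + jar_name
    if not is_osgi_bundle(manifest):
        url = "wrap:" + url  # let Karaf's wrap: handler generate the OSGi manifest
    return '<bundle start-level="%d">%s</bundle>' % (start_level, url)


def make_sample_jar(osgi: bool) -> io.BytesIO:
    """Constructed in-memory jar (not a real driver) so the check can be tried offline."""
    lines = ["Manifest-Version: 1.0"]
    if osgi:
        lines += [
            "Bundle-SymbolicName: org.example.jdbc",
            'Export-Package: org.example.jdbc;version="1.0",org.example.jdbc.util;',
            ' version="1.0"',  # continuation line of Export-Package
        ]
    manifest = "\r\n".join(lines) + "\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("org/example/jdbc/Driver.class", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(feature_bundle_line(os.path.basename(path), read_manifest(path)))
    else:
        for osgi in (True, False):
            print(feature_bundle_line("sample.jar", read_manifest(make_sample_jar(osgi))))
```

Run it with the path of the downloaded driver jar as argument; the printed line goes into lib/jdbc/features.xml. Without arguments it classifies the two constructed sample jars, one with and one without OSGi headers.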
In case the real PKCS#11 device instead of the emulator is used:
- In the file etc/org.xipki.security.pkcs11.cfg, change pkcs11.confFile as follows:
  pkcs11.confFile = xipki/security/pkcs11-conf-hsm.xml
  #pkcs11.confFile = xipki/security/pkcs11-conf-emulator.xml
- In the file xipki/security/pkcs11-conf-hsm.xml, adapt the PKCS#11 configuration to your device.
The emulator is meant for demonstration and testing; the keys of a production CA belong in a real PKCS#11 device.
If the CA is behind an Apache httpd reverse proxy:
- In the file etc/org.xipki.ca.server.cfg, change sslCertInHttpHeader as follows:
  sslCertInHttpHeader = true
- Configure the proxy (mod_proxy together with mod_headers) to forward the result of the TLS client authentication in request headers:
  RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  The proxy has to terminate TLS with client authentication enabled (SSLVerifyClient), and SSL_CLIENT_CERT is only populated when mod_ssl exports the certificate (SSLOptions +ExportCertData).
  With sslCertInHttpHeader = true the CA accepts these two headers as the outcome of client authentication, so the CA must not be reachable by anything but the proxy (bind it to localhost or firewall it). Otherwise a client that connects to the CA directly can send arbitrary SSL_CLIENT_VERIFY and SSL_CLIENT_CERT headers and impersonate any certificate holder. "RequestHeader set" overwrites a header of the same name sent by the client, which is what keeps clients that do go through the proxy from injecting it.
For more details please refer to
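The security-relevant part of this setup is that the CA now believes two HTTP headers. The following added example (not XiPKI's implementation) models the checks a CA has to make before relying on them: reject anything that did not arrive from the proxy, require SSL_CLIENT_VERIFY to be SUCCESS, and turn the single-line SSL_CLIENT_CERT value back into DER. The proxy addresses, the header names as the CA sees them and the 5-byte stand-in certificate are assumptions constructed for the example.

```python
"""Model of the trust decision a CA must make when sslCertInHttpHeader = true.

Added example (not XiPKI code). It shows which checks make forwarded
SSL_CLIENT_VERIFY / SSL_CLIENT_CERT headers safe to rely on. The proxy
addresses, header names and sample values are assumptions for this example.
"""
import base64
import re
from typing import Mapping, Optional

# Assumption: the CA only listens where the reverse proxy can reach it, and these
# are the source addresses it sees for the proxy's connections.
TRUSTED_PROXY_ADDRS = frozenset({"127.0.0.1", "10.0.0.5"})

_PEM_ARMOR = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")


class ClientCertError(Exception):
    """Raised when the forwarded client-authentication headers cannot be trusted."""


def pem_header_to_der(value: str) -> bytes:
    """Turn the single-line SSL_CLIENT_CERT header value back into DER.

    HTTP headers cannot carry newlines, so the PEM block arrives with its line
    breaks replaced by spaces, or without armor at all. Strip armor and all
    whitespace, base64-decode strictly, and require a DER SEQUENCE (tag 0x30).
    """
    body = re.sub(r"\s+", "", _PEM_ARMOR.sub("", value))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ClientCertError("SSL_CLIENT_CERT is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ClientCertError("SSL_CLIENT_CERT is not a DER SEQUENCE")
    return der


def client_cert_from_headers(headers: Mapping[str, str], peer_addr: str) -> Optional[bytes]:
    """Return the DER client certificate the proxy authenticated, or None.

    None means the proxy reports that no client certificate was presented
    (SSL_CLIENT_VERIFY=NONE or header absent). Any other outcome than SUCCESS,
    and any request that did not come from the proxy, is rejected: on a direct
    connection the headers could have been written by the client itself.
    """
    if peer_addr not in TRUSTED_PROXY_ADDRS:
        raise ClientCertError("request from %s did not come through the reverse proxy" % peer_addr)
    verify = headers.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        return None
    if verify != "SUCCESS":
        raise ClientCertError("client authentication did not succeed: " + verify)
    cert = headers.get("SSL_CLIENT_CERT", "")
    if not cert.strip():
        raise ClientCertError("SSL_CLIENT_VERIFY=SUCCESS without SSL_CLIENT_CERT")
    return pem_header_to_der(cert)


def rejects(headers: Mapping[str, str], peer_addr: str) -> bool:
    """True if the request would be refused (convenience for tests and demos)."""
    try:
        client_cert_from_headers(headers, peer_addr)
        return False
    except ClientCertError:
        return True


# Constructed sample: a 5-byte DER SEQUENCE stands in for a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_HEADERS = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE----- MAMCAQE= -----END CERTIFICATE-----",
}

if __name__ == "__main__":
    print(client_cert_from_headers(SAMPLE_HEADERS, "10.0.0.5").hex())  # via proxy: accepted
    print(rejects(SAMPLE_HEADERS, "192.0.2.10"))  # same headers on a direct connection: rejected
```

The peer-address check is the whole point: the header values are identical in both calls at the bottom, and only the path they took decides whether they mean anything.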
Delete the folders $XIPKI_HOME/data and $XIPKI_HOME/output.
Start XiPKI
In the folder $XIPKI_HOME:
  bin/karaf
HSM devices of Thales, e.g. nCipher, can use Thales preload to manage the PKCS#11 sessions. In this case, XiPKI should be started as follows:
  preload bin/karaf
If you get an error like
  Error occurred during initialization of VM
  Could not reserve enough space for 2097152KB object heap
please change the value of JAVA_MAX_MEM in the file bin/setenv or bin/setenv.bat.
If you have changed the content of the folder $XIPKI_HOME/etc or $XIPKI_HOME/system, please delete the folder $XIPKI_HOME/data before starting XiPKI.
Run the pre-configured OSGi commands in the OSGi console
In the OSGi console, call
  source file:./xipki/demo/demo.script
to demonstrate the whole life-cycle (key generation, database initialization, CA installation, certificate enrollment, OCSP server installation, OCSP status, etc.). The generated keys, certificates and CRLs are saved in the folder output, and the log files are located in the folder data/log. The keys the demo generates are demonstration material; do not reuse them in a production setup.
A Karaf feature can be installed via the command
  feature:install -r <feature name>
(the flag -r disables the refreshing of already installed bundles) and uninstalled via the command
  feature:uninstall <feature name>
The feature name can be auto-completed with the TAB key. A list of all available XiPKI features can be retrieved via the command
  feature:list | grep xipki
in the OSGi console.
For details of Karaf features please refer to the Karaf Manual, chapter Provisioning.
Please refer to commands.md for more details.
CA (Certification Authority)
- X.509 Certificate v3 (RFC 5280)
- X.509 CRL v2 (RFC 5280)
- SCEP (draft-gutmann-scep-00, draft-nourse-scep-23)
- EN 319 411 (eIDAS)
- EN 319 412 (eIDAS)
- Supported databases
  - Oracle
  - DB2
  - PostgreSQL
  - MySQL
  - MariaDB
  - H2
  - HSQLDB
- Direct and indirect CRL
- Full CRL and delta CRL
- Customized extension to embed certificates in the CRL
- CMP (RFC 4210 and RFC 4211)
- API to specify customized certificate profiles
- Support of XML-based certificate profiles
- API to specify customized publishers, e.g. for LDAP and the OCSP responder
- Support of a publisher for the OCSP responder
- Signature algorithms of certificates
  - SHA3-*withRSA: where * is 224, 256, 384 and 512
  - SHA3-*withRSAandMGF1: where * is 224, 256, 384 and 512
  - SHA3-*withECDSA: where * is 224, 256, 384 and 512
  - SHA3-*withDSA: where * is 224, 256, 384 and 512
  - SHA*withRSA: where * is 1, 224, 256, 384 and 512
  - SHA*withRSAandMGF1: where * is 1, 224, 256, 384 and 512
  - SHA*withECDSA: where * is 1, 224, 256, 384 and 512
  - SHA*withPlainECDSA: where * is 1, 224, 256, 384 and 512
  - SHA*withDSA: where * is 1, 224, 256, 384 and 512
  (the SHA1 variants exist for legacy interoperability only; SHA-1 is deprecated for certificate signatures)
- Native support of X.509 extensions (other extensions can be supported by configuring them as blob)
  - AdditionalInformation (German national standard Common PKI)
  - Admission (German national standard Common PKI)
  - AuthorityInformationAccess (RFC 5280)
  - AuthorityKeyIdentifier (RFC 5280)
  - BasicConstraints (RFC 5280)
  - BiometricInfo (RFC 3739)
  - CertificatePolicies (RFC 5280)
  - CRLDistributionPoints (RFC 5280)
  - ExtendedKeyUsage (RFC 5280)
  - FreshestCRL (RFC 5280)
  - InhibitAnyPolicy (RFC 5280)
  - IssuerAltName (RFC 5280)
  - KeyUsage (RFC 5280)
  - NameConstraints (RFC 5280)
  - OcspNoCheck (RFC 6960)
  - PolicyConstraints (RFC 5280)
  - PolicyMappings (RFC 5280)
  - PrivateKeyUsagePeriod (RFC 5280)
  - QCStatements (RFC 3739, eIDAS standard EN 319 412)
  - Restriction (German national standard Common PKI)
  - SMIMECapabilities (RFC 4262)
  - SubjectAltName (RFC 5280)
  - SubjectDirectoryAttributes (RFC 3739)
  - SubjectInfoAccess (RFC 5280)
  - SubjectKeyIdentifier (RFC 5280)
  - TLSFeature (RFC 7633)
  - ValidityModel (German national standard Common PKI)
- Management of multiple CAs in one software instance
- Support of database clusters
- Multiple software instances (all can be in active mode) for the same CA
- Native support of CA management via embedded OSGi commands
- API to specify CA management, e.g. a GUI
- Database tool (export and import of the CA database) that simplifies the switch of databases, the upgrade of XiPKI and the migration from another CA system to XiPKI CA
- Client to enroll, revoke, unrevoke and remove certificates, and to generate and download CRLs
- All configuration of the CA except that of the databases is saved in the database
OCSP Responder
- OCSP Responder (RFC 2560 and RFC 6960)
- Support of Common PKI 2.0
- Management of multiple certificate status sources
- Support of the certificate status source published by XiPKI CA
- Support of the certificate status sources CRL and delta CRL
- API to support proprietary certificate status sources
- Support of both unsigned and signed OCSP requests
- Multiple software instances (all can be in active mode) for the same OCSP signer and certificate status sources
- Supported databases
  - Oracle
  - DB2
  - PostgreSQL
  - MySQL
  - MariaDB
  - H2
  - HSQLDB
- Database tool (export and import of the OCSP database) that simplifies the switch of databases, the upgrade of XiPKI and the migration from another OCSP system to XiPKI OCSP
- Client to send OCSP requests
Key Tool (for both PKCS#12 and PKCS#11 tokens)
- Generating RSA, EC and DSA keypairs in the token
- Deleting keypairs and certificates from the token
- Updating certificates in the token
- Generating CSRs (PKCS#10 requests)
- Exporting certificates from the token
For both CA and OCSP Responder
- Support of PKCS#12 and JKS keystores
- Support of PKCS#11 devices, e.g. HSMs
- API to use customized key types, e.g. smartcards
- High performance
- OSGi-based (Java), OS independent
- Support of health check
- Audit with syslog and slf4j
For CA, OCSP Responder and Key Tool
- API to resolve passwords
- Support of the PBE (password based encryption) password resolver
- All passwords can be encrypted with the master password
- Support of the OBF (as in Jetty) password resolver; note that OBF is reversible obfuscation without any key, not encryption
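OBF is worth understanding before relying on it. The following added example (not XiPKI's code) reimplements the Jetty OBF encoding in Python and decodes the OBF: value of Jetty's default keystore password, which shows that an OBF: string hides a password from a casual glance but can be reversed by anyone without a key; for real protection the PBE resolver with the master password is the appropriate choice.

```python
"""Jetty-style OBF password obfuscation, reimplemented as an added example
(not XiPKI's code) to show that an OBF: value is reversible without any key.

Algorithm as in org.eclipse.jetty.util.security.Password: every byte is paired
with its mirror byte from the other end of the string and written as four
base-36 digits; pairs with a byte outside 7-bit ASCII use a 5-character "U" form.
"""
_PREFIX = "OBF:"
_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_B36[r])
    return "".join(reversed(digits)) or "0"


def obf_obfuscate(password: str) -> str:
    """Encode a password the way Jetty's Password.obfuscate does."""
    raw = password.encode("utf-8")
    n = len(raw)
    out = [_PREFIX]
    for i, b1 in enumerate(raw):
        b2 = raw[n - 1 - i]  # mirror byte
        if b1 > 127 or b2 > 127:  # Java's "byte < 0" case
            out.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i0 = (127 + b1 + b2) * 256 + (127 + b1 - b2)
            out.append(_to_base36(i0).rjust(4, "0"))
    return "".join(out)


def obf_deobfuscate(value: str) -> str:
    """Recover the password; no secret is involved, only arithmetic."""
    if value.startswith(_PREFIX):
        value = value[len(_PREFIX):]
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "U":
            i += 1
            raw.append(int(value[i:i + 4], 36) >> 8)
        else:
            i1, i2 = divmod(int(value[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)  # yields b1; the mirror byte cancels out
        i += 4
    return raw.decode("utf-8")


if __name__ == "__main__":
    # OBF value of Jetty's default keystore password; anyone holding it gets the password back.
    print(obf_deobfuscate("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"))  # storepwd
    print(obf_obfuscate("storepwd"))
```

Because obf_deobfuscate needs nothing but the string, an OBF: value in a configuration file is only as confidential as the file itself; it keeps a password out of plain sight, nothing more.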