{"id":13582742,"url":"https://github.com/xipki/xipki","last_synced_at":"2026-01-11T16:56:29.962Z","repository":{"id":15515573,"uuid":"18249859","full_name":"xipki/xipki","owner":"xipki","description":"XiPKI: Compact open source PKI (CA, OCSP responder, certificate protocols ACME, CMP, EST, SCEP).","archived":false,"fork":false,"pushed_at":"2025-02-27T22:29:57.000Z","size":119105,"stargazers_count":532,"open_issues_count":7,"forks_count":130,"subscribers_count":38,"default_branch":"master","last_synced_at":"2025-04-13T17:46:42.792Z","etag":null,"topics":["acme","ca","ca-browser-forum","certificate","certificate-authority","certificate-transparency","certification-authority","cmp","crl","est","hsm","ocsp","ocsp-responder","pkcs11","pki","rest-api","rfc2560","rfc5280","rfc6960"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xipki.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":"audit-extra/pom.xml","citation":null,"codeowners":null,"security":"security/pom.xml","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":null,"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":"paypal.me/lijunliao"}},"created_at":"2014-03-29T20:16:04.000Z","updated_at":"2025-04-01T09:52:35.000Z","dependencies_parsed_at":"2023-09-22T00:01:26.466Z","dependency_job_id":"4627ba39-5fd9-464b-8b57-60c6f26bfbdc","html_url":"https://github.com/xipki/xipki","commit_stats":{"total_commits":7069,"total_committers":10,"mean_commits":706.9,"dds":"0.0026877917668693962","last_synce
d_commit":"0e6bd48f94a27dbf90c5de08481598b6e812af6f"},"previous_names":["xipki/xipki"],"tags_count":38,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xipki%2Fxipki","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xipki%2Fxipki/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xipki%2Fxipki/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xipki%2Fxipki/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xipki","download_url":"https://codeload.github.com/xipki/xipki/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254219374,"owners_count":22034397,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acme","ca","ca-browser-forum","certificate","certificate-authority","certificate-transparency","certification-authority","cmp","crl","est","hsm","ocsp","ocsp-responder","pkcs11","pki","rest-api","rfc2560","rfc5280","rfc6960"],"created_at":"2024-08-01T15:02:59.123Z","updated_at":"2026-01-11T16:56:29.955Z","avatar_url":"https://github.com/xipki.png","language":"Java","funding_links":["paypal.me/lijunliao"],"categories":["Java","安全","Library"],"sub_categories":["Low Level"],"readme":"[![GitHub release](https://img.shields.io/github/release/xipki/xipki.svg)](https://github.com/xipki/xipki/releases)\n[![License](https://img.shields.io/badge/license-Apache%202-4EB1BA.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)\n[![Github 
forks](https://img.shields.io/github/forks/xipki/xipki.svg)](https://github.com/xipki/xipki/network)\n[![Github stars](https://img.shields.io/github/stars/xipki/xipki.svg)](https://github.com/xipki/xipki/stargazers)\n\n\n# XiPKI\nXiPKI (e**X**tensible s**I**mple **P**ublic **K**ey **I**nfrastructure) is\na highly scalable and high-performance open source PKI (CA and OCSP responder).\n\n## License\n* The Apache Software License, Version 2.0\n\n## Support\nJust [create a new issue](https://github.com/xipki/xipki/issues).\n\nFor bug reports, please upload the test data and log files, describe the version of XiPKI, OS and\nJRE/JDK, and the steps to reproduce the bug.\n\n## Get Started\n\n### Binaries\nThe binary `xipki-setup-\u003cversion\u003e.zip` can be retrieved using one of the following methods\n - Download the binary from https://github.com/xipki/xipki/releases\n - Download the binary from the Maven repositories\n   - Directly via HTTP download\n     - Release version: https://repo.maven.apache.org/maven2/org/xipki/assembly/xipki-setup/ \n     - SNAPSHOT version: https://oss.sonatype.org/content/repositories/snapshots/org/xipki/assembly/xipki-setup/\n   - Via the `maven-dependency-plugin`\n     ```\n     \u003cartifactItem\u003e\n       \u003cgroupId\u003eorg.xipki.assembly\u003c/groupId\u003e\n       \u003cartifactId\u003exipki-setup\u003c/artifactId\u003e\n       \u003cversion\u003e..version..\u003c/version\u003e\n       \u003ctype\u003ezip\u003c/type\u003e\n     \u003c/artifactItem\u003e\n     ```\n  - Build it from source code\n    - Get a copy of the project code, e.g.\n      ```sh\n      git clone https://github.com/xipki/xipki\n      ```\n    - Build the project\n\n      In folder `xipki`\n      ```sh\n      ./install.sh\n      ```\n \n      Then you will find the binary `assemblies/xipki-setup/target/xipki-setup-\u003cversion\u003e.zip`\n\n### Install and Setup\n\nUnpack `xipki-setup-\u003cversion\u003e.zip` and follow the 
`xipki-setup-\u003cversion\u003e/INSTALL.md`.\n\n## Features\n\n### Supported Platform\n* OS\n  * Linux, Windows, MacOS\n* JRE / JDK\n  * Java 11+.\n* Database\n  * DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB\n* Hardware\n  * Any available hardware (tested on Raspberry Pi 2 Model B with 900MHz quad-core ARM CPU and 1 GB Memory)\n* Servlet Container\n  * Tomcat 8, 9, 10, 11\n* HSM Devices\n  - [AWS CloudHSM](https://aws.amazon.com/cloudhsm)\n  - [Nitrokey HSM 2](https://www.nitrokey.com/#comparison) / [Smartcard HSM EA+](http://www.smartcard-hsm.com/features.html#usbstick)\n  - nCipher [Connect](https://www.ncipher.com/products/general-purpose-hsms/nshield-connect) / [Solo](https://www.ncipher.com/products/general-purpose-hsms/nshield-solo)\n  - [Sansec HSM](https://en.sansec.com.cn)\n  - [Softhsm v1 \u0026 v2](https://www.opendnssec.org/download/packages/)\n  - [TASS HSM](https://www.tass.com.cn/portal/list/index/id/15.html)\n  - Thales [LUNA](https://cpl.thalesgroup.com/encryption/hardware-security-modules/general-purpose-hsms) / [ProtectServer](https://cpl.thalesgroup.com/encryption/hardware-security-modules/protectserver-hsms)\n  - [Utimaco Se](https://hsm.utimaco.com/products-hardware-security-modules/general-purpose-hsm/)\n  - And shall also work on other HSMs with PKCS#11 support.\n\n### CA Protocol Gateway\n  - EST (RFC 7030)\n  - SCEP (RFC 8894)\n  - CMP (RFC 4210, 4211, 9045, 9480)\n  - ACME (RFC 8555, RFC 8737)\n    - Challenge types: dns-01, http-01, tls-alpn-01\n  - RESTful API (XiPKI's own API)\n\n### CA (Certification Authority)\n  - X.509 Certificate v3 (RFC 5280)\n  - X.509 CRL v2 (RFC 5280)\n  - EdDSA Certificates (RFC 8410, RFC 8032)\n  - SHAKE Certificates (RFC 8692)\n  - Diffie-Hellman Proof-of-Possession Algorithms (RFC 6955)\n  - EN 319 411 and 319 412 (eIDAS)\n  - Direct and indirect CRL\n  - FullCRL and DeltaCRL\n  - API to specify customized certificate profiles\n  - Support of JSON-based certificate profile\n  - API to specify 
customized publisher, e.g. for LDAP and OCSP responder\n  - Support of publisher for OCSP responder\n  - Public key types of certificates: RSA, EC, DSA, Ed25519, Ed448, SM2, X25519, X448\n  - Signature algorithms of certificates\n    - DSA with hash algorithms: SHA-1, SHA-2, and SHA-3\n    - ECDSA with hash algorithms: SHA-1, SHA-2, SHA-3, and SHAKE\n    - Ed25519, Ed448\n    - Plain ECDSA with hash algorithms: SHA-1 and SHA-2\n    - RSA PKCS1v1.5 with hash algorithms: SHA-1, SHA-2, and SHA-3\n    - RSA PSS with hash algorithms: SHA-1, SHA-2, SHA-3, and SHAKE\n    - SM3withSM2\n  - Native support of X.509 extensions (other extensions can be supported by configuring them as blobs)\n    - RFC 3739\n      - BiometricInfo\n      - QCStatements (also in eIDAS standard EN 319 412)\n      - SubjectDirectoryAttributes\n    - RFC 4262\n      - SMIMECapabilities\n    - RFC 5280\n      - AuthorityInformationAccess, AuthorityKeyIdentifier\n      - BasicConstraints\n      - CertificatePolicies, CRLDistributionPoints\n      - ExtendedKeyUsage\n      - FreshestCRL\n      - InhibitAnyPolicy, IssuerAltName\n      - KeyUsage\n      - NameConstraints\n      - PolicyConstraints, PolicyMappings, PrivateKeyUsagePeriod\n      - SubjectAltName, SubjectInfoAccess, SubjectKeyIdentifier\n    - RFC 6960\n      - OcspNoCheck\n    - RFC 6962\n      - CT Precertificate SCTs\n    - RFC 7633\n      - TLSFeature\n    - Car Connectivity Consortium\n      - ExtensionSchema\n    - Common PKI (German national standard)\n      - AdditionalInformation, Admission\n      - Restriction\n      - ValidityModel\n    - GM/T 0015-2012 (Chinese national standard)\n      - ICRegistrationNumber, IdentityCode, InsuranceNumber\n      - OrganizationCode\n      - TaxationNumber\n  - Management of multiple CAs in one software instance\n    - Support of database cluster\n    - Multiple software instances (all can be in active mode) for the same CA\n    - Native support of management of CA via embedded OSGi commands\n    
- API to manage CA. This allows one to implement proprietary CLI, e.g. Website, to manage CA.\n    - Database tool (export and import CA database) simplifies the switch of\n      databases, upgrade of XiPKI and switch from other CA system to XiPKI CA\n    - All configuration of CA except those of databases is saved in database\n\n### OCSP Responder\n  - OCSP Responder (RFC 2560 and RFC 6960)\n  - Configurable Length of Nonce (RFC 8954)\n  - Support of Common PKI 2.0\n  - Management of multiple certificate status sources\n  - Support of certificate status sources\n    - Database of XiPKI CA\n    - OCSP database published by XiPKI CA\n    - CRL and DeltaCRL\n    - Database of EJBCA\n  - API to support proprietary certificate sources\n  - Support of both unsigned and signed OCSP requests\n  - Multiple software instances (all can be in active mode) for the same OCSP\n    signer and certificate status sources.\n  - Database tool (export and import OCSP database) simplifies the switch of\n    databases, upgrade of XiPKI and switch from other OCSP system to XiPKI OCSP.\n  - High performance\n  - Support of health check\n\n### Mgmt CLI (Management Client)\n  - Configuring CA\n  - Generating keypairs of RSA, EC and DSA in token\n  - Deleting keypairs and certificates from token\n  - Updating certificates in token\n  - Generating CSR (PKCS#10 request)\n  - Exporting certificate from token\n\n### CLI (CA/OCSP Client)\n  - Client to enroll, revoke, and unrevoke (unsuspend) certificates, to download CRLs\n  - Client to send OCSP request\n  - Updating certificates in token\n  - Generating CSR (PKCS#10 request)\n  - Exporting certificate from token\n\n### HSM Proxy\n  - Provides remote access to the HSM.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxipki%2Fxipki","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxipki%2Fxipki","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxipki%2Fxipki/lists"}