Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/xipki/xipki

XiPKI: Compact open source PKI (CA, OCSP responder, certificate protocols ACME, CMP, EST, SCEP).

acme ca ca-browser-forum certificate certificate-authority certificate-transparency certification-authority cmp crl est hsm ocsp ocsp-responder pkcs11 pki rest-api rfc2560 rfc5280 rfc6960



README


[![GitHub release](https://img.shields.io/github/release/xipki/xipki.svg)](https://github.com/xipki/xipki/releases)
[![License](https://img.shields.io/badge/license-Apache%202-4EB1BA.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
[![Github forks](https://img.shields.io/github/forks/xipki/xipki.svg)](https://github.com/xipki/xipki/network)
[![Github stars](https://img.shields.io/github/stars/xipki/xipki.svg)](https://github.com/xipki/xipki/stargazers)

# XiPKI
XiPKI (e**X**tensible s**I**mple **P**ublic **K**ey **I**nfrastructure) is
a highly scalable and high-performance open source PKI (CA and OCSP responder).

## License
* The Apache Software License, Version 2.0

## Support
Just [create a new issue](https://github.com/xipki/xipki/issues).

For bug reports, please upload the test data and log files, state the version of XiPKI, the OS and
the JRE/JDK, and describe the steps to reproduce the bug.

## Get Started

### Binaries
The binary `xipki-setup-.zip` can be retrieved using one of the following methods:
- Download the binary from https://github.com/xipki/xipki/releases
- Download the binary from the Maven repositories
  - Directly via HTTP download
    - Release version: https://repo.maven.apache.org/maven2/org/xipki/assembly/xipki-setup/
    - SNAPSHOT version: https://oss.sonatype.org/content/repositories/snapshots/org/xipki/assembly/xipki-setup/
  - Via the `maven-dependency-plugin`, with the artifact declared as follows (replace `..version..` with the desired version):
    ```xml
    <dependency>
      <groupId>org.xipki.assembly</groupId>
      <artifactId>xipki-setup</artifactId>
      <version>..version..</version>
      <type>zip</type>
    </dependency>
    ```
- Build it from source code
  - Get a copy of the project code, e.g.
    ```sh
    git clone https://github.com/xipki/xipki
    ```
  - Build the project

In folder `xipki`
```sh
./install.sh
```

Afterwards you will find the binary at `assemblies/xipki-setup/target/xipki-setup-.zip`.

### Install and Setup

Unpack `xipki-setup-.zip` and follow the `xipki-setup-/INSTALL.md`.

## Features

### Supported Platform
* OS
  * Linux, Windows, MacOS
* JRE / JDK
  * Java 11+
* Database
  * DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB
* Hardware
  * Any available hardware (tested on a Raspberry Pi 2 Model B with a 900 MHz quad-core ARM CPU and 1 GB of memory)
* Servlet Container
  * Tomcat 8, 9, 10, 11
* HSM Devices
  - [AWS CloudHSM](https://aws.amazon.com/cloudhsm)
  - [Nitrokey HSM 2](https://www.nitrokey.com/#comparison) / [Smartcard HSM EA+](http://www.smartcard-hsm.com/features.html#usbstick)
  - nCipher [Connect](https://www.ncipher.com/products/general-purpose-hsms/nshield-connect) / [Solo](https://www.ncipher.com/products/general-purpose-hsms/nshield-solo)
  - [Sansec HSM](https://en.sansec.com.cn)
  - [SoftHSM v1 & v2](https://www.opendnssec.org/download/packages/)
  - [TASS HSM](https://www.tass.com.cn/portal/list/index/id/15.html)
  - Thales [LUNA](https://cpl.thalesgroup.com/encryption/hardware-security-modules/general-purpose-hsms) / [ProtectServer](https://cpl.thalesgroup.com/encryption/hardware-security-modules/protectserver-hsms)
  - [Utimaco Se](https://hsm.utimaco.com/products-hardware-security-modules/general-purpose-hsm/)
  - It should also work with other HSMs that offer a PKCS#11 interface.

### CA Protocol Gateway
- EST (RFC 7030)
- SCEP (RFC 8894)
- CMP (RFC 4210, 4211, 9045, 9480)
- ACME (RFC 8555, RFC 8737)
  - Challenge types: dns-01, http-01, tls-alpn-01
- RESTful API (XiPKI's own API)

### CA (Certification Authority)
- X.509 Certificate v3 (RFC 5280)
- X.509 CRL v2 (RFC 5280)
- EdDSA Certificates (RFC 8410, RFC 8032)
- SHAKE Certificates (RFC 8692)
- Diffie-Hellman Proof-of-Possession Algorithms (RFC 6955)
- EN 319 411 and 319 412 (eIDAS)
- Direct and indirect CRL
- Full CRL and Delta CRL
- API to specify customized certificate profiles
- Support of JSON-based certificate profiles
- API to specify customized publishers, e.g. for LDAP and the OCSP responder
- Support of a publisher for the OCSP responder
- Public key types of certificates: RSA, EC, DSA, Ed25519, Ed448, SM2, X25519, X448
- Signature algorithms of certificates
  - DSA with hash algorithms: SHA-1, SHA-2, and SHA-3
  - ECDSA with hash algorithms: SHA-1, SHA-2, SHA-3, and SHAKE
  - Ed25519, Ed448
  - Plain ECDSA with hash algorithms: SHA-1 and SHA-2
  - RSA PKCS#1 v1.5 with hash algorithms: SHA-1, SHA-2, and SHA-3
  - RSA PSS with hash algorithms: SHA-1, SHA-2, SHA-3, and SHAKE
  - SM3withSM2
- Native support of X.509 extensions (other extensions can be supported by configuring them as blobs)
  - RFC 3739
    - BiometricInfo
    - QCStatements (also in the eIDAS standard EN 319 412)
    - SubjectDirectoryAttributes
  - RFC 4262
    - SMIMECapabilities
  - RFC 5280
    - AuthorityInformationAccess, AuthorityKeyIdentifier
    - BasicConstraints
    - CertificatePolicies, CRLDistributionPoints
    - ExtendedKeyUsage
    - FreshestCRL
    - InhibitAnyPolicy, IssuerAltName
    - KeyUsage
    - NameConstraints
    - PolicyConstraints, PolicyMappings, PrivateKeyUsagePeriod
    - SubjectAltName, SubjectInfoAccess, SubjectKeyIdentifier
  - RFC 6960
    - OcspNoCheck
  - RFC 6962
    - CT Precertificate SCTs
  - RFC 7633
    - TLSFeature
  - Car Connectivity Consortium
    - ExtensionSchema
  - Common PKI (German national standard)
    - AdditionalInformation, Admission
    - Restriction
    - ValidityModel
  - GM/T 0015-2012 (Chinese national standard)
    - ICRegistrationNumber, IdentityCode, InsuranceNumber
    - OrganizationCode
    - TaxationNumber
- Management of multiple CAs in one software instance
- Support of database clusters
- Multiple software instances (all can be in active mode) for the same CA
- Native support for managing the CA via embedded OSGi commands
- API to manage the CA, which allows one to implement a proprietary management client (e.g. a website) for the CA
- Database tool (export and import of the CA database) that simplifies switching
  databases, upgrading XiPKI, and migrating from another CA system to the XiPKI CA
- All configuration of the CA, except the database configuration, is saved in the database

### OCSP Responder
- OCSP Responder (RFC 2560 and RFC 6960)
- Configurable nonce length (RFC 8954)
- Support of Common PKI 2.0
- Management of multiple certificate status sources
- Supported certificate status sources
  - Database of the XiPKI CA
  - OCSP database published by the XiPKI CA
  - CRL and Delta CRL
  - Database of EJBCA
  - API to support proprietary certificate status sources
- Support of both unsigned and signed OCSP requests
- Multiple software instances (all can be in active mode) for the same OCSP
  signer and certificate status sources
- Database tool (export and import of the OCSP database) that simplifies switching
  databases, upgrading XiPKI, and migrating from another OCSP system to the XiPKI OCSP responder
- High performance
- Support of health checks

### Mgmt CLI (Management Client)
- Configuring CA
- Generating keypairs of RSA, EC and DSA in token
- Deleting keypairs and certificates from token
- Updating certificates in token
- Generating CSR (PKCS#10 request)
- Exporting certificate from token

### CLI (CA/OCSP Client)
- Client to enroll, revoke, and unrevoke (unsuspend) certificates, to download CRLs
- Client to send OCSP request
- Updating certificates in token
- Generating CSR (PKCS#10 request)
- Exporting certificate from token

### HSM Proxy
- Provides remote access to the HSM.