XiPKI (eXtensible sImple Public Key Infrastructure) is a highly scalable and high-performance open source PKI (CA and OCSP responder).
Lijun Liao, LinkedIn
Just create issues, or contact via WeChat (微信): xipki9.
Set the environment variable JAVA_HOME to point to the root directory of the JRE/JDK installation.
Download the binaries ca-war-<version>.zip, ocsp-war-<version>.zip and xipki-cli-<version>.tar.gz from releases.
Only if you want to use the development version, build it from source code as follows.
Clone the repository:
git clone https://github.com/xipki/xipki
Build the project in folder xipki:
mvn clean install -DskipTests
Then you will find the following binaries:
assembles/ca-war/target/ca-war-<version>.zip
assembles/ocsp-war/target/ocsp-war-<version>.zip
assembles/xipki-cli/target/xipki-cli-<version>.tar.gz
Unpack the binary ca-war-<version>.zip and install the CA as described in the unpacked README file.
Adapt the database configurations ${CONTAINER_ROOT}/xipki/etc/ca/database/ca-db.properties.
Copy the JDBC driver of your database into the servlet container's library folder (lib in tomcat, and lib/ext in jetty).
Create the new databases configured in Step 2.
Initialize the databases configured in Step 2:
ca-war-<version>/dbtool/bin/initdb.sh \
  --db-conf xipki/etc/ca/database/ca-db.properties \
  --db-schema xipki/sql/ca-init.xml
Note that CA and OCSP can be installed in the same servlet container.
Unpack the binary ocsp-war-<version>.zip and install the OCSP responder as described in the unpacked README file.
Adapt the database configuration ${CONTAINER_ROOT}/xipki/etc/ocsp/database/ca-db.properties.
Copy the JDBC driver of your database into the servlet container's library folder (lib in tomcat, and lib/ext in jetty).
Unpack the binary xipki-cli-<version>.tar.gz.
Adapt the CMP client configuration xipki/cmpclient/cmpclient.json.
This step is only required if a real PKCS#11 device is used instead of the emulator: copy xipki/security/example/pkcs11-hsm.json to xipki/security/pkcs11.json, and adapt the PKCS#11 configuration.
This step is only required if the CA is behind an Apache httpd reverse proxy. Add the Java property org.xipki.reverseproxy.mode to the servlet container:
-Dorg.xipki.reverseproxy.mode=APACHE
Then configure the proxy to forward the headers via mod_proxy with the following configuration:
# Require SSL client certificate verification
SSLVerifyClient require
# Initialize the special headers to a blank value to avoid HTTP header forgeries
RequestHeader set SSL_CLIENT_VERIFY ""
RequestHeader set SSL_CLIENT_CERT ""
<Location />
  RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  ...
</Location>
For more details please refer to
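As an added illustration (not code from the XiPKI code base) of what the backend behind this configuration has to check: the forwarded headers are only trustworthy because the proxy blanks them before re-setting them and the backend runs with reverse-proxy mode APACHE, and SSL_CLIENT_CERT arrives as a PEM folded onto one line. The header names and values are mod_ssl/mod_headers behaviour; the function names and the sample certificate body are assumptions constructed here.

```python
import base64
import re
from typing import Mapping, Optional

# Only this mod_ssl SSL_CLIENT_VERIFY value means the client chain validated
# (the others are NONE, GENEROUS or FAILED:<reason>).
VERIFY_OK = "SUCCESS"


def der_from_header(value: str) -> Optional[bytes]:
    """Recover DER from a PEM certificate that Apache folded into one header line.

    mod_headers replaces the PEM line breaks with spaces, so strip the markers,
    drop all whitespace and decode what is left as base64.
    """
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  value, re.S)
    if not m:
        return None
    try:
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    except ValueError:
        return None
    # A certificate is a DER SEQUENCE; anything not starting with tag 0x30 is junk.
    return der if der[:1] == b"\x30" else None


def client_cert_from_request(headers: Mapping[str, str],
                             reverse_proxy_mode: Optional[str]) -> Optional[bytes]:
    """Return the DER client certificate the proxy vouched for, or None.

    The forwarded headers are trusted only when org.xipki.reverseproxy.mode is
    APACHE, i.e. the deployment guarantees that every request passed through the
    proxy that blanks and re-sets them. In any other mode they may have been
    supplied by the client itself and are ignored.
    """
    if reverse_proxy_mode != "APACHE":
        return None
    if headers.get("SSL_CLIENT_VERIFY", "") != VERIFY_OK:
        return None
    return der_from_header(headers.get("SSL_CLIENT_CERT", ""))


# Constructed sample: a minimal DER SEQUENCE stands in for a real certificate body.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n")
# What the backend sees once mod_headers has folded the value onto one line.
FOLDED_HEADER = SAMPLE_PEM.replace("\n", " ")
```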
Start the servlet container.
HSM devices of Thales, e.g. nCipher, can use Thales preload to manage the PKCS#11 sessions. In this case, the servlet container should be started as follows:
preload <start script>
Setup CA in CLI
Start the CLI:
bin/karaf
Setup CA
If new keys and certificates are to be generated, in the CLI:
source xipki/ca-setup/cacert-none/setup-*.script
where * is a placeholder.
If existing keys and certificates are to be used, in the CLI:
source xipki/ca-setup/cacert-present/setup-*.script
where * is a placeholder.
Verify the installation by executing the following command in the CLI:
ca-info myca1
The following shell script demonstrates how to enroll and revoke certificates, and how to get the current CRL:
<CLI_ROOT>/xipki/client-script/rest.sh
Note that this script tells the CA to generate real certificates. DO NOT use it in the production environment.
SCEP
Use any SCEP client; XiPKI also provides a SCEP client. The binary xipki-cli-<version>.tar.gz contains an example script in the folder xipki/client-script. It can be executed in the CLI as follows:
source xipki/client-script/scep-client.script
XiPKI CLI
XiPKI CLI provides both the full-featured client and the lite version to enroll and revoke certificates via CMP. The binary xipki-cli-<version>.tar.gz contains an example script in the folder xipki/client-script. It can be executed in the CLI as follows:
source xipki/client-script/cmp-client.script
REST API
The shell script xipki/client-script/rest.sh of the xipki-cli demonstrates the use of the REST API. The binary xipki-cli-<version>.tar.gz contains an example script in the folder xipki/client-script. It can be executed in the CLI as follows:
source xipki/client-script/rest-client.script
Please refer to commands.md for more details.
CA (Certification Authority)
X.509 Certificate v3 (RFC 5280)
X.509 CRL v2 (RFC 5280)
EdDSA Certificates (RFC 8410, RFC 8032)
Diffie-Hellman Proof-of-Possession Algorithms (RFC 6955)
SCEP (draft-gutmann-scep-00, draft-nourse-scep-23)
EN 319 411 (eIDAS)
EN 319 412 (eIDAS)
Supported databases: DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB
Direct and indirect CRL
FullCRL and DeltaCRL
Customized extension to embed certificates in CRL
CMP (RFC 4210 and RFC 4211)
API to specify customized certificate profiles
Support of JSON-based certificate profile
API to specify customized publisher, e.g. for LDAP and OCSP responder
Support of publisher for OCSP responder
Public key types of certificates
RSA
EC
DSA
Ed25519, Ed448
SM2
X25519, X448
Signature algorithms of certificates
Ed25519, Ed448
SHA3-*withRSA, where * is 224, 256, 384 and 512
SHA3-*withRSAandMGF1, where * is 224, 256, 384 and 512
SHA3-*withECDSA, where * is 224, 256, 384 and 512
SHA3-*withDSA, where * is 224, 256, 384 and 512
SHA*withRSA, where * is 1, 224, 256, 384 and 512
SHA*withRSAandMGF1, where * is 1, 224, 256, 384 and 512
SHA*withECDSA, where * is 1, 224, 256, 384 and 512
SHA*withPlainECDSA, where * is 1, 224, 256, 384 and 512
SHA*withDSA, where * is 1, 224, 256, 384 and 512
SM3withSM2
Native support of X.509 extensions (other extensions can be supported by configuring them as blob)
AdditionalInformation (German national standard CommonPKI)
Admission (German national standard CommonPKI)
AuthorityInformationAccess (RFC 5280)
AuthorityKeyIdentifier (RFC 5280)
BasicConstraints (RFC 5280)
BiometricInfo (RFC 3739)
CertificatePolicies (RFC 5280)
CRLDistributionPoints (RFC 5280)
CT Precertificate SCTs (RFC 6962)
ExtendedKeyUsage (RFC 5280)
FreshestCRL (RFC 5280)
GM/T 0015 ICRegistrationNumber (企业工商注册号, Chinese Standard GM/T 0015-2012)
GM/T 0015 IdentityCode (个人身份标识码, Chinese Standard GM/T 0015-2012)
GM/T 0015 InsuranceNumber (个人社会保险号, Chinese Standard GM/T 0015-2012)
GM/T 0015 OrganizationCode (企业组织机构代码, Chinese Standard GM/T 0015-2012)
GM/T 0015 TaxationNumber (企业税号, Chinese Standard GM/T 0015-2012)
InhibitAnyPolicy (RFC 5280)
IssuerAltName (RFC 5280)
KeyUsage (RFC 5280)
NameConstraints (RFC 5280)
OcspNoCheck (RFC 6960)
PolicyConstraints (RFC 5280)
PolicyMappings (RFC 5280)
PrivateKeyUsagePeriod (RFC 5280)
QCStatements (RFC 3739, eIDAS standard EN 319 412)
Restriction (German national standard CommonPKI)
SMIMECapabilities (RFC 4262)
SubjectAltName (RFC 5280)
SubjectDirectoryAttributes (RFC 3739)
SubjectInfoAccess (RFC 5280)
SubjectKeyIdentifier (RFC 5280)
TLSFeature (RFC 7633)
ValidityModel (German national standard CommonPKI)
Management of multiple CAs in one software instance
Support of database cluster
Multiple software instances (all can be in active mode) for the same CA
Native support of management of CA via embedded OSGi commands
API to specify CA management, e.g. GUI
Database tool (export and import CA database) simplifies the switch of databases, the upgrade of XiPKI and the migration from another CA system to XiPKI CA
Client to enroll, revoke, unrevoke and remove certificates, to generate and download CRLs
All configuration of the CA except that of the databases is saved in the database
OCSP Responder
SCEP
Toolkit (for both PKCS#12 and PKCS#11 tokens)
For both CA and OCSP Responder
For CA, OCSP Responder and Toolkit
ocsp-store-example: implementation of a customized OcspStore.
ocsp-store-example-assembly: assembles the binaries.