
XiPKI

XiPKI (eXtensible sImple Public Key Infrastructure) is a highly scalable and high-performance open source PKI (CA and OCSP responder).

License

Owner

Lijun Liao, LinkedIn

Support

Create an issue on GitHub, or contact us via WeChat (微信): xipki9.

Prerequisite

Tested PKCS#11 Devices

Get Started

JAVA_HOME

Set the environment variable JAVA_HOME to the root directory of the JRE/JDK installation.

CA Server and OCSP Responder

Download the binaries ca-war-<version>.zip, ocsp-war-<version>.zip and xipki-cli-<version>.tar.gz from releases.

Only if you want to use the development version, build it from source code as follows.

Install CA Server

  1. Unpack the binary ca-war-<version>.zip and install CA as described in the unpacked README file.

  2. Adapt the database configuration ${CONTAINER_ROOT}/xipki/etc/ca/database/ca-db.properties.

    • If you use a database other than MariaDB or MySQL, overwrite the configuration templates with those from the matching sub folder.
    • If you use a database other than MariaDB, MySQL or PostgreSQL, obtain the JDBC driver and copy it to the container directory for external jars (e.g. lib in Tomcat, lib/ext in Jetty).
  3. Create the databases configured in Step 2.

  4. Initialize the databases configured in Step 2.

 ca-war-<version>/dbtool/bin/initdb.sh \
   --db-conf xipki/etc/ca/database/ca-db.properties \
   --db-schema xipki/sql/ca-init.xml

Install OCSP Responder

Note that CA and OCSP can be installed in the same servlet container.

  1. Unpack the binary ocsp-war-<version>.zip and install OCSP responder as described in the unpacked README file.

  2. Adapt the database configuration ${CONTAINER_ROOT}/xipki/etc/ocsp/database/ca-db.properties.

    • If you use a database other than MariaDB or MySQL, overwrite the configuration templates with those from the matching sub folder.
    • If you use a database other than MariaDB, MySQL or PostgreSQL, obtain the JDBC driver and copy it to the container directory for external jars (e.g. lib in Tomcat, lib/ext in Jetty).
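The two database steps above (CA and OCSP) share the same pitfalls: JAVA_HOME unset, a properties file that does not exist, or a non-bundled database whose JDBC driver was never copied into the container. The pre-flight check below is an added example, not part of XiPKI; it assumes the properties file contains a JDBC URL of the form jdbc:<type>:... and takes the container's external-jar directory as its second argument.

```shell
# Added pre-flight check for the database steps of the CA/OCSP install
# (not XiPKI code). Assumes the properties file holds a "jdbc:<type>:" URL.
# Usage: check_db_prereqs <db.properties> <container-external-jar-dir>
# Returns 0 when initdb.sh can reasonably be run, 1 with a reason on stderr.
check_db_prereqs() {
  props="$1"
  extlib="$2"

  # The "JAVA_HOME" section above requires it to point at a JRE/JDK.
  if [ -z "$JAVA_HOME" ] || [ ! -x "$JAVA_HOME/bin/java" ]; then
    echo "JAVA_HOME is unset or has no executable bin/java" >&2
    return 1
  fi

  if [ ! -f "$props" ]; then
    echo "database properties file not found: $props" >&2
    return 1
  fi

  # Extract the JDBC subprotocol, e.g. "mariadb" from jdbc:mariadb://host/ca
  # or "oracle" from jdbc:oracle:thin:@host:1521/ca.
  dbtype=$(sed -n 's/.*jdbc:\([a-zA-Z0-9]*\):.*/\1/p' "$props" | head -n 1)
  if [ -z "$dbtype" ]; then
    echo "no jdbc:<type>: URL found in $props" >&2
    return 1
  fi

  case "$dbtype" in
    mariadb|mysql|postgresql)
      # Per the install steps, these need no extra driver.
      return 0 ;;
    *)
      # Any other database needs its JDBC driver jar in the container's
      # external-jar directory (lib in Tomcat, lib/ext in Jetty). The
      # driver's file name is not known here, so require at least one jar.
      if ls "$extlib"/*.jar >/dev/null 2>&1; then
        return 0
      fi
      echo "no JDBC driver jar for '$dbtype' found in $extlib" >&2
      return 1 ;;
  esac
}
```

Run it against xipki/etc/ca/database/ca-db.properties and again against the OCSP properties file before calling initdb.sh.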

Install Command Line Interface

  1. Unpack the binary xipki-cli-<version>.tar.gz.
  2. Adapt the CMP client configuration xipki/cmpclient/cmpclient.json.

Configure PKCS#11 device (optional)

This step is only required if a real PKCS#11 device is used instead of the emulator.

Configure how to handle SSL client certificate (optional)

This step is only required if the CA is behind an Apache httpd reverse proxy.

Setup CA Server and OCSP Responder

  1. Start the servlet container.
    HSM devices from Thales (e.g. nCipher) can use Thales preload to manage the PKCS#11 sessions. In that case, start the servlet container as follows:

    preload <start script>
  2. Setup CA in CLI

    • Start the CLI: bin/karaf

    • Set up the CA

      • If using new keys and certificates, in the CLI:
        source xipki/ca-setup/cacert-none/setup-*.script where * is a placeholder.

      • If using existing keys and certificates, in the CLI:
        source xipki/ca-setup/cacert-present/setup-*.script where * is a placeholder.

    • Verify the installation by executing the following command in the CLI:
      ca-info myca1

Enroll/Revoke Certificate and Get CRL via Shell (optional)

Enroll/Revoke Certificate

CLI Commands

Please refer to commands.md for more details.

Features

Use OCSP with customized Certificate Status Source (OcspStore)