软件简介

XiPKI (e X tensible s I mple P ublic K ey I nfrastructure)
是一个高度可伸缩和高性能的开源 PKI 实现(CA and OCSP responder).

要求：

• OS: Linux, Windows, MacOS
• JRE / JDK 8 (build 162+), 9, 10, 11, 12, 13
• Database: DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB

特性:

• CA (Certification Authority)

  • X.509 Certificate v3 (RFC 5280)
  • X.509 CRL v2 (RFC 5280)
  • EdDSA Certificates (RFC 8410, RFC 8032)
  • Diffie-Hellman Proof-of-Possession Algorithms (RFC 6955)
  • SCEP (draft-gutmann-scep-00, draft-nourse-scep-23)
  • EN 319 411 (eIDAS)
  • EN 319 412 (eIDAS)
  • Supported databases: DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB
  • Direct and indirect CRL
  • FullCRL and DeltaCRL
  • Customized extension to embed certificates in CRL
  • CMP (RFC 4210 and RFC 4211)
  • API to specify customized certificate profiles
  • Support of JSON-based certificate profile
  • API to specify customized publisher, e.g. for LDAP and OCSP responder
  • Support of publisher for OCSP responder
  • Public key types of certificates
  • RSA
  • EC
  • DSA
  • Ed25519, Ed448
  • X25519, X448
  • SM2
  • Signature algorithms of certificates
  • Ed25519, Ed448
  • SM3withSM2
  • SHA3-*withRSA: where * is 224, 256, 384 and 512
  • SHA3-*withRSAandMGF1: where * is 224, 256, 384 and 512
  • SHA3-*withECDSA: where * is 224, 256, 384 and 512
  • SHA3-*withDSA: where * is 224, 256, 384 and 512
  • SHA*withRSA: where * is 1, 224, 256, 384 and 512
  • SHA*withRSAandMGF1: where * is 1, 224, 256, 384 and 512
  • SHA*withECDSA: where * is 1, 224, 256, 384 and 512
  • SHA*withPlainECDSA: where * is 1, 224, 256, 384 and 512
  • SHA*withDSA: where * is 1, 224, 256, 384 and 512

  • Native support of X.509 extensions (other extensions can be supported by configuring it as blob)

  • AdditionalInformation (German national standard CommonPKI)

  • Admission (German national standard CommonPKI)
  • AuthorityInformationAccess (RFC 5280)
  • AuthorityKeyIdentifier (RFC 5280)
  • BasicConstraints (RFC 5280)
  • BiometricInfo (RFC 3739)
  • CertificatePolicies (RFC 5280)
  • CRLDistributionPoints (RFC 5280)
  • CT Precertificate SCTs (RFC 6962)
  • ExtendedKeyUsage (RFC 5280)
  • FreshestCRL (RFC 5280)
  • InhibitAnyPolicy (RFC 5280)
  • IssuerAltName (RFC 5280)
  • KeyUsage (RFC 5280)
  • NameConstraints (RFC 5280)
  • OcspNoCheck (RFC 6960)
  • PolicyConstrains (RFC 5280)
  • PolicyMappings (RFC 5280)
  • PrivateKeyUsagePeriod (RFC 5280)
  • QCStatements (RFC 3739, eIDAS standard EN 319 412)
  • Restriction (German national standard CommonPKI)
  • SMIMECapabilities (RFC 4262)
  • SubjectAltName (RFC 5280)
  • SubjectDirectoryAttributes (RFC 3739)
  • SubjectInfoAccess (RFC 5280)
  • SubjectKeyIdentifier (RFC 5280)
  • TLSFeature (RFC 7633)
  • ValidityModel (German national standard CommonPKI)
  • GM/T 0015 IdentityCode (个人身份标识码, Chinese Standard GM/T 0015-2012)
  • GM/T 0015 InsuranceNumber (个人社会保险号, Chinese Standard GM/T 0015-2012)
  • GM/T 0015 ICRegistrationNumber (企业工商注册号, Chinese Standard GM/T 0015-2012)
  • GM/T 0015 OrganizationCode (企业组织机构代码, Chinese Standard GM/T 0015-2012)
  • GM/T 0015 TaxationNumber (企业税号, Chinese Standard GM/T 0015-2012)
  • Management of multiple CAs in one software instance

• Support of database cluster

• Multiple software instances (all can be in active mode) for the same CA

• Native support of management of CA via embedded OSGi commands

• API to specify CA management, e.g. GUI

• Database tool (export and import CA database) simplifies the switch of databases, upgrade of XiPKi and switch from other CA system to XiPKI CA

• Client to enroll, revoke, unrevoke and remove certificates, to generate and download CRLs

• All configuration of CA except those of databases is saved in database

• OCSP Responder

  • OCSP Responder (RFC 2560 and RFC 6960)
  • Support of Common PKI 2.0
  • Management of multiple certificate status sources
  • Support of certificate status source based on the database of XiPKI CA
  • Support of certificate status source based on the OCSP database published by XiPKI CA
  • Support of certificate status source CRL and DeltaCRL
  • Support of certificate status source published by EJBCA
  • API to support proprietary certificate sources
  • Support of both unsigned and signed OCSP requests
  • Multiple software instances (all can be in active mode) for the same OCSP signer and certificate status sources.
  • Supported databases: DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB
  • Database tool (export and import OCSP database) simplifies the switch of databases, upgrade of XiPKi and switch from other OCSP system to XiPKI OCSP.
  • Client to send OCSP request

  • SCEP

  • Supported SCEP versions

  • draft-gutmann-scep-00
  • draft-nourse-scep-23

  • Toolkit (for both PKCS#12 and PKCS#11 tokens)

  • Generating keypairs of RSA, EC and DSA in token

  • Deleting keypairs and certificates from token
  • Updating certificates in token
  • Generating CSR (PKCS#10 request)
  • Exporting certificate from token

  • For both CA and OCSP Responder

  • Support of PKCS#12 and JKS keystore

  • Support of PKCS#11 devices, e.g. HSM
  • API to use customized key types, e.g. smartcard
  • High performance
  • Support of health check
  • Audit with syslog and slf4j

  • For CA, OCSP Responder and Toolkit

  • API to resolve password

  • Support of PBE (password based encryption) password resolver
  • All passwords can be encrypted by the master password
  • Support of OBF (as in jetty) password resolver