The OpenXPKI Project

OpenXPKI is enterprise-grade PKI/Trustcenter software. It implements the features necessary to operate a PKI in professional environments. While primarily designed to run as an online RA/CA for managing X.509v3 certificates, its flexibility allows for a wide range of possible use cases with regard to cryptographic key management.

OpenXPKI has a stable, mature code base and a growing user base. The developer team actively supports several professional installations, some of which have been running continuously since 2009 and host several logical CAs with hundreds of thousands of active certificates.

Meet us at it-sa!

Meet the OpenXPKI core team at it-sa in Nuernberg from the 9th to the 11th of October. See our live demo and have a personal talk with our developers and support specialist. Check this post for more details.

Project Status

Version 2.0 is available as of May 2018.

Packages for Debian Jessie are available on the package mirror; see the quickstart for installation details. The product is actively maintained: new packages are published several times a year and announced via the mailing lists.

Enterprise support and professional services are available from White Rabbit Security GmbH, Germany.

For an overview of OpenXPKI, we recommend checking the features overview page. More detailed information can be found in the slides from the 2018 OpenXPKI Workshop held in Munich and from the 2015 Workshop in Frankfurt.

Also check out our demo installation.

Core Features

  • WebUI compatible with all major browsers
  • Ready-to-run example config included
  • Support for SCEP (Simple Certificate Enrollment Protocol) and EST (Enrollment over Secure Transport)
  • Native Microsoft Windows auto-enrollment supported via 3rd party software
  • Easy adjustment of workflows to custom needs
  • Run multiple separate CAs with a single installation, automated rollover of CA generations
  • Can use Hardware Security Modules (e.g. Thales HSMs) for crypto operations
  • Issue certificates with publicly trusted CAs (e.g. SwissSign, Comodo, VeriSign)
  • Based on OpenSSL and Perl, runs on most *nix platforms
  • Feature-complete open source community edition
  • Commercial support and training, professional services and advanced enterprise features are available
  • Check out the roadmap for planned features

Resources