OpenXPKI features and requirements
OpenXPKI makes a few assumptions about its operating environment. You will need some infrastructure components to make it work properly.
Supported operating systems
OpenXPKI runs on most Unix-like operating systems that use the Unix process model and provide a POSIX environment. It has been successfully tested on
- Linux (tested on Debian GNU/Linux and SuSE SLES)
- Mac OS X (tested on 10.4 and 10.5)
- Sun Solaris and OpenSolaris (tested on version 10 of both)
OpenXPKI requires a relational database for operation. Drivers are included for
OpenXPKI provides built-in integration with the RT Request Tracker. It can automatically create and link tickets in the RT system for incoming certificate requests and thus allows Registration Officers to keep track of their workload.
Multiple CA instances
OpenXPKI supports the configuration of multiple independent logical PKIs ("PKI Realms") in one single application instance. This allows for configuration e. g. of a Root CA and one or more subordinate CAs within one single installation.
Fully automatic CA rollover
Within a logical PKI (PKI Realm) OpenXPKI provides the possibility to configure multiple Issuing CAs with overlapping validity. Once a new Issuing CA becomes valid it takes over for issuing new certificates. This unique feature allows for a fully automatic CA rollover where administrators do not have to take down and reconfigure the whole PKI installation once a CA certificate is about to expire.
Instead of hard-wiring the interface and the PKI operations in a monolithic application, OpenXPKI utilizes a workflow engine that allows to easily modify and extend the basic operation of the PKI (e. g. certificate request and approval). Customizing the behaviour of the system is often accomplished by simply modifying the workflow description in XML format.
In addition the workflow engine makes it possible to extend the system with customized workflows.
Hardware Security Module support
Critical cryptographic operations such as Digital Signatures can be performed via a Hardware Security Module. Currently OpenXPKI supports nCipher nShield modules.