The OpenXPKI Project

OpenXPKI is an enterprise-grade PKI/Trustcenter software. It implements the necessary features to operate a PKI in professional environments. While primarily designed to run as an online RA/CA for managing X509v3 certificates, its flexibility allow for a wide range of possible use cases with regard to cryptographic key management.

OpenXPKI has a stable, mature code base and a growing user base. The developer team actively supports several professional installations some of which have been running continuously since 2009 and host several logical CAs with hundreds of thousands of active certificates.

Project Status

Version 3.24 is available as of February 2023. The product is actively maintained, new packages are published several times a year and announced via the mailing lists.

Packages are currently provided for Debian Buster via the projects package mirror, see the quickstart for installation details. A docker container based on the debian packages is also available.

Packages for FreeBSD are maintained by Sergei Vyshenski and available via the FreeBSD ports network.

Enterprise support and professional services, including native packages for Ubuntu, SLES and RHEL, are available from White Rabbit Security GmbH, Germany.

For an overview on OpenXPKI, we recommend to check the features overview page. More detailed information can be found in the slides from the 2018 OpenXPKI Workshop held in Munich and from the 2015 Workshop in Frankfurt

Also check out our demo installation.

Core Features

  • WebUI compatible with all major browsers
  • Ready-to-run example config included
  • Support for SCEP (Simple Certificate Enrollment Protocol) and EST (Enrollment over Secure Transport)
  • Native Microsoft Windows auto-enrollment supported via 3rd party software
  • Easy adjustment of workflows to custom needs
  • Run multiple separate CAs with a single installation, automated rollover of CA generations
  • Can use Hardware Security Modules (e. g. Thales HSMs) for crypto operations
  • Issue certificates with public trusted CAs (e. g. SwissSign, Comodo, VeriSign)
  • Based on OpenSSL and Perl, runs on most *nix platforms
  • Feature complete OpenSource community edition
  • Commercial support and training, professional services and advanced enterprise features are available
  • check out the roadmap for planned features


New Website upcoming

We are currently working on a relaunch of the OpenXPKI Website with a more modern look and feel, better structure and more information on the project. Stay tuned...