OpenXPKI Logo

PKI Made in Germany

OpenXPKI is an enterprise-grade PKI/Trustcenter software for customizable and scaleable management of X.509v3 certificates, known for its flexibility, web-based management interface, workflow support, and active Open Source community.

Established in 2009, it has grown and improved over the years, with installations serving several hundreds of thousands of certificates below dozens of issuing CAs on a single installation.

While running the core functionality as an Open Source project, the team behind the project offers consulting, setup and operational support as well as several add-on modules for integrating certificate management into existing ITSM infrastructures.

Certificate Lifecycle

Utilize customizable workflows that seamlessly guide your users through the certificate request, renewal, and revocation processes.


Enable full automation of certificate distribution with industry-standard interfaces and a flexible custom API.


Stay informed about the status of your certificates at all times through our comprehensive reporting and alerting framework.

OpenXPKI at a Glance

Modern WebUI

The Ember.js based web frontend runs in all major browsers and provides easy access to the system for users, operators and administrators.


In addition to the standard enrollment protocols SCEP, EST, SimpleCMC and ACME, a powerful REST-like API with OpenAPI support is also included.


Full system configuration is held in YAML files. An overlay mechanism allows easy management of environment-specific differences.

Flexible Crypto Layer

Crypto operations are based on the renowned OpenSSL toolkit and can utilize almost any compatible Hardware Security Module (HSM).

Multiple Backends

Operate your CA signing keys on a remote system or even delegate certificate issuance to an external CA like Digicert, Sectigo or SwissSign.

SubCAs and Rollover

Run multiple separate CAs within a single installation and enjoy a fully-automated rollover of CA generations as a standard operational task.


A generic API allows for easy integration with existing CMDB and ITSM systems to automate request validation, approvals and notifications.

User Management

Seamlessly integrate your existing identity and access management using SAML, OAuth, LDAP or webserver-based SSO solutions.

Workflow Driven

Processes are driven by workflows defined as part of the customer configuration, allowing for easy adaptation to project-specific needs.

Easy Deployment

Deployment is as easy as installing the software using your distribution's package manager, copying and adjusting the sample configuration, loading your key material and you're ready to go!

Free Open Source

The fully-functional software with an extensive example configuration is provided under the Apache License with friendly support via mailing list.

Enterprise Ready

Consulting, configuration, packaging and operational support with SLA are available directly from the core developers via White Rabbit Security GmbH.

OpenXPKI Mission: Empowering continuous PKI operation.

OpenXPKI is an enterprise grade PKI and Trustcenter software which focuses strongly on Registration Authority (RA) functionality and supporting truly continuous PKI operation in professional PKI environments of any scale and complexity. Maintained by a seasoned team of PKI experts, it offers unmatched flexibility and configurability. Rooted in a vision outlined in the original architecture whitepaper, the project constantly evolves to meet modern PKI needs. Unique approaches tackle common challenges faced in professional environments, emphasizing technical abstraction over local customizations. While the OpenXPKI Community Edition is true Open Source, the Enterprise Edition provides additional features, commercial support and consulting services offered by White Rabbit Security GmbH.

OpenXPKI Status Screen

Enterprise Ready: Mature, standard compliant, and future-proof.

OpenXPKI is built upon a highly stable and mature code base, continuously maintained and upgraded by the OpenXPKI development team at White Rabbit Security GmbH. The project prioritizes adherence to open standards for seamless integration with other infrastructure components.

The OpenXPKI team is committed to making OpenXPKI the optimal choice for a future-proof PKI. The project remains aligned with current trends in PKI and cryptography, following up on the latest developments in the ongoing standardization of Post Quantum Cryptography. OpenXPKI is poised to provide robust support for Post Quantum Cryptography algorithms and protocols, ensuring its relevance and security for the next decades of cryptographic advancements.

Lattice-Based Cryptography

Certificate Lifecycle Management: Getting back into power.

OpenXPKI provides robust features for managing the lifecycle of certificates, equipping PKI Registration Officers with a comprehensive toolkit for their tasks. The capabilities span from powerful GUI functions for information retrieval and metadata management to overseeing the certificate request processes.

This extends to automation and policy enforcement features for enrollment interfaces (SCEP, EST, ACME and OpenXPKIRPC). Custom metadata, alongside standard information like contact email addresses, can be defined and managed through the GUI, providing flexibility in grouping or querying certificates. Fully automatic end entity certificate renewal is supported across all enrollment interfaces, contingent on support by the end entities.

For distributed certificate management, White Rabbit Security offers CertNanny Enterprise Edition, a commercial multi-platform client-side agent that integrates seamlessly with OpenXPKI.

Control Lever

PKI Realms: Run multiple logical CAs in one OpenXPKI instance.

OpenXPKI supports hosting multiple PKI Realms in a single instance. Each PKI Realm manages a distinct namespace of end-entity certificates and may include zero, one, or many Issuing CAs for certificate issuance within that namespace. A PKI Realm defines profiles, workflows and policies for certificate management, ensuring complete separation from other PKI Realms.

The actual certificate issuance can be done directly on the local system using either software keys or utilizing an HSM. It is also possible to set up OpenXPKI with the RA and CA operating on separate systems or even delegate the issuance process to an external CA. The OpenXPKI Enterprise Edition offers extensions that seamlessly integrate with DigiCert, Sectigo, and SwissSign. This enables you to efficiently manage both your browser-trusted certificates and internal certificates on a unified platform, complete with comprehensive reporting and automation capabilities.


Seamless Issuing CA Rollover: Effortless Certificate Authority rotation.

CA Rollovers should be easy. In fact, why even restart your PKI for that? In a PKI Realm, multiple Issuing CAs can be configured to issue certificates. OpenXPKI's core automatically selects the appropriate Issuing CA certificate for issuance based on criteria such as the highest NotBefore date. Older Issuing CA certificates are retained in passive mode and used for issuing CRLs post-rollover. This ensures seamless CA rollovers without system downtime or administrative intervention. While the mechanism defaults to automatic rollovers, administrators can also set specific dates or execute rollovers manually. As an Issuing CA's certificate nears expiration, the system automatically issues a final long-lived CRL for a smooth retirement process.

CA Rollover

Workflow Engine: Efficiently model and execute key management processes.

OpenXPKI's core system offers a toolbox of simple, stateless cryptographic functions. Complex or stateful operations are modeled as workflows, ranging from one-shot reporting tasks to long-lived processes requiring manual interactions. Workflow instances can be interrupted and reinstantiated. The system includes common workflows for tasks like manual certificate requests, revocation requests, automatic enrollment, CRL issuance, and reporting. These can be modified or extended to meet specific project needs, or entirely new workflows can be modeled for non-standard requirements.


Generic Web Frontend: Intuitive interface for workflow management.

OpenXPKI boasts a robust and versatile web frontend which empowers users and administrators to interact seamlessly with the system. Access the workflow catalog, instantiate new workflows, and manage existing instances. The frontend dynamically renders the workflow's properties and current state based on its workflow definition and internal status. Defining a workflow in OpenXPKI's configuration automatically provides a suitable web-based frontend.

Web Frontend

Infrastructure Key Protection: Enhanced security with Hardware Security Modules.

OpenXPKI supports Hardware Security Modules (HSMs) for robust infrastructure key protection through the PKCS#11 interface. Leveraging HSMs enhances the overall security posture of the system by providing a dedicated hardware-based solution for cryptographic key management.

Hardware Security Module

Reporting: Efficiently collect and provide statistical data.

OpenXPKI features customizable reporting functions, implemented as one-shot workflows. These functions collect statistical data and provide meaningful Key Performance Indicators for the managed PKI Realms and generate downloadable CSV files containing the gathered information. This capability streamlines the process of obtaining and analyzing key statistical insights from the PKI environment.


Flexible Configuration: Manage system state auditably and verifiably.

OpenXPKI's is configured through a hierarchy of YAML-format configuration files. As the entire configuration is strictly file-based, the use of a revision control system like Git for a PKI instance configuration facilitates easy management, enabling an auditable and verifiable representation of the complete system state. This approach allows test and development systems to share exactly the same configuration as the production system, with any necessary differences isolated in a single local overlay file.

File-based configuration

Automation: Highly configurable certificate enrollment interfaces.

OpenXPKI's enrollment interfaces are highly flexible and configurable. They support automatic renewal based on the previous certificate's existing key and seamlessly integrate external authentication and authorization sources via the Connector interface.

Following OpenXPKI's "zero, one, or many" paradigm, you can define an arbitrary number of enrollment interfaces of any type within a PKI Realm. This allows the support of individual enrollment modes for different client groups. Standard enrollment interfaces, such as SCEP, EST, and ACME, are fully supported, providing a comprehensive solution for various enrollment scenarios.

In conjunction with client-side tools such as CertNanny Enterprise Edition, organizations can automate request and renewal of certificates.

Enrollment Interface

Connectors: Accessing external data resources.

OpenXPKI introduces the powerful concept of a Connector, implementing an abstract key/value tuple interface. Configurable anywhere in the OpenXPKI configuration tree, a Connector specifies its implementation class and potential static parameters. The system, based on the provided key, resolves the implementation class, executes the query at runtime, and returns the result.

Connectors can replace literal configuration values throughout the entire OpenXPKI configuration, allowing for unmatched flexibility when accessing external resources. Connectors are available for various data sources such as flat files, LDAP directories, SQL databases, and web services. OpenXPKI leverages Connectors extensively, allowing attachment of external data sources for authentication, authorization, or publishing CRLs and certificates. This flexibility enables customization and seamless integration with surrounding infrastructure at a level unmatched by many competitors.


Credential Protection: Avoiding sensitive data in configuration files.

OpenXPKI allows exclusion of sensitive information, like database passwords, from (usually version-controlled) configuration files. This is achieved by either using local overlay files, or, even better, by leveraging the companion tool KeyNanny. The native integration of KeyNanny, facilitated through a KeyNanny Connector, ensures secure handling of sensitive data, enhancing the overall security posture of the OpenXPKI configuration.

KeyNanny Integration

Expose Any Workflow: Generic RPC interface.

The RPC interface in OpenXPKI enables the exposure of any workflow via an RPC endpoint. Within each PKI Realm, you can define an arbitrary number of RPC API endpoints accessible through HTTP/HTTPS GET/POST requests, depending on the web server configuration. Each RPC interface can be linked to a distinct workflow for efficient RPC call processing. This allows controlled exposure of business logic implemented the Workflow Engine of OpenXPKI to consumers while leveraging the powerful key management features provided by the OpenXPKI core.

RPC Interface

Command Line Driven Operating: Auditable, reproducible runtime administration.

OpenXPKI's operational tasks are executed via the command line using a set of provided command line tools. Administrators can perform PKI tasks in a textual form, enabling the exact description of administrative actions in change task descriptions or scripts.

For instance, the import of a new Issuing CA certificate can be seamlessly conducted online without interrupting the OpenXPKI system. When configured properly, the system can automatically determine the correct private key for a specific CA certificate, even referencing the correct HSM-protected key when applicable. This capability facilitates performing Issuing CA rollovers without downtime and without altering the configuration, allowing the description or scripting of PKI operational tasks for ITIL-compliant change processes.

CLI Tools

OpenXPKI Resources


Documentation for OpenXPKI Community Edition is available online via Read the Docs. For first steps see the quickstart manual. You should also check the comments in the configuration and the man pages of the application for more details.

OpenXPKI Enterprise Edition comes with extensive documentation in PDF format, covering all aspects of the software in detail.


Debian packages for the Community Edition are available from our Debian 12 "Bookworm" package repository. A FreeBSD Port of OpenXPKI exists which is not maintained by the OpenXPKI core development team, but by an independent maintainer.

OpenXPKI Enterprise Edition is available packaged for RedHat Enterprise Linux (RHEL), SuSE Linux Enterprise Server (SLES) and Ubuntu Server LTS.

Source Code

The complete source code is hosted on Github. Github Issues may be used to notify us of bugs. Please do not use Github Issues for support queries, use the OpenXPKI Users Mailing List instead. We accept useful pull requests via Github.

You can also find a fully working example configuration there.


Sharing problems and solutions with OpenXPKI Community Edition fosters the Open Source idea, and the OpenXPKI core team is committed to assist users with problems or questions that may arise with OpenXPKI Community Edition.

For general support questions please use the OpenXPKI Users Mailing List hosted by Please do not create issues on the Github Issue Tracker for support questions.

Test Drive

To get a hands-on impression of how OpenXPKI works, visit the public demo or run the example configuration using docker.

Professional Services

The OpenXPKI team consists of cryptographic key management experts with vast experience designing and implementing numerous different PKIs of all scale.

Feel free to reach out to the core developers at White Rabbit Security for more information on OpenXPKI Enterprise Edition, professional services, and our various commercial support options.

OpenXPKI Editions, Support and Service Options Overview

OpenXPKI Community Edition

  • Comprehensive, fully functional code base
  • Debian packages
  • Example configuration
  • Online documentation
  • Support via mailing list
  • 100% free

OpenXPKI Enterprise Edition

  • RHEL/SLES/Ubuntu packages
  • Custom-built configuration
  • Powerful extension modules available (e.g., multi-tenancy, adapters to external/public CAs, full ITSM integration , GDPR compliant data retention)
  • Extensive product documentation in PDF format
  • Individual support with SLAs

OpenXPKI as a Service

  • Health monitoring
  • Logging and reporting
  • Level-2 helpdesk
  • Full operation support
  • Cloud or OnPremise
  • Flexible licensing
  • HSM management
  • SLAs available