OpenXPKI

The OpenXPKI project aims to create enterprise-grade open-source PKI software. Flexibility and modularity are the project's key design objectives.

OpenXPKI
Developer(s): The OpenXPKI Foundation
Written in: Perl
Operating system: Unix-like operating systems
Type: Public key infrastructure
License: Apache License 2.0
Website: http://www.openxpki.org/

Design

OpenXPKI is mostly written in Perl. The software is separated into a server process and several client implementations which communicate with the server via Unix Domain Sockets.

One of these client implementations is a web frontend that allows users to access the OpenXPKI system with a web browser. Another client implements an SCEP server.

The OpenXPKI server mainly consists of a toolbox that provides the core cryptographic functions and a workflow engine in which the workflows implementing the PKI processes are defined.

Key features

Multiple CA instances

OpenXPKI supports the configuration of multiple independent logical PKIs ("PKI Realms") in a single application instance. This allows, for example, a Root CA and one or more subordinate CAs to be configured within one installation.

Fully automatic CA rollover

Within a logical PKI (PKI Realm), OpenXPKI allows multiple Issuing CAs with overlapping validity periods to be configured. Once a new Issuing CA becomes valid, it automatically takes over the issuance of new certificates. This allows a fully automatic CA rollover: administrators do not have to take down and reconfigure the whole PKI installation when a CA certificate is about to expire.
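The selection that such a rollover requires can be illustrated with a small example. The following Python code is an added example, not OpenXPKI's own implementation: the two-CA inventory is constructed, and the selection rule (newest valid CA wins, but an end-entity certificate must never outlive its issuer) is an assumption made here to show the edge cases, not OpenXPKI's documented behaviour.

```python
# Added example: choosing an issuing CA among several with overlapping
# validity in one PKI realm. Illustration only, not OpenXPKI's own code;
# the inventory is constructed and the selection rule is an assumption.
from datetime import datetime, timedelta, timezone


def utc_date(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed example inventory: the second issuing CA is rolled in two
# years before the first one expires, so both are valid during 2024-2025.
ISSUING_CAS = [
    {"alias": "ca-signer-1", "notbefore": utc_date(2020, 1, 1), "notafter": utc_date(2026, 1, 1)},
    {"alias": "ca-signer-2", "notbefore": utc_date(2024, 1, 1), "notafter": utc_date(2030, 1, 1)},
]


def select_issuing_ca(cas, now: datetime, lifetime_days: int):
    """Return (alias, notafter) for a new end-entity certificate.

    Rule used here (an assumption, not OpenXPKI's documented behaviour):
      1. only CAs whose own certificate is valid at `now` are candidates;
      2. prefer CAs whose validity covers the whole requested lifetime, so
         the issued certificate never outlives its issuer;
      3. among those, the most recently activated CA wins, which is what
         makes a freshly valid CA take over automatically;
      4. if no CA covers the full lifetime, use the longest-lived candidate
         and truncate the certificate's notafter to the CA's own notafter.
    """
    live = [ca for ca in cas if ca["notbefore"] <= now < ca["notafter"]]
    if not live:
        raise RuntimeError("no issuing CA is valid at " + now.isoformat())
    wanted_end = now + timedelta(days=lifetime_days)
    covering = [ca for ca in live if ca["notafter"] >= wanted_end]
    if covering:
        ca = max(covering, key=lambda c: c["notbefore"])
        return ca["alias"], wanted_end
    ca = max(live, key=lambda c: c["notafter"])
    return ca["alias"], ca["notafter"]


if __name__ == "__main__":
    for when in (utc_date(2022, 6, 1), utc_date(2024, 6, 1), utc_date(2029, 6, 1)):
        alias, end = select_issuing_ca(ISSUING_CAS, when, 365)
        print(when.date(), "->", alias, "valid until", end.date())
```

Running the block shows the hand-over: requests in 2022 go to ca-signer-1, requests from 2024 on go to ca-signer-2 although ca-signer-1 is still valid, and a request in mid-2029 is still served by ca-signer-2 but with a shortened lifetime because the CA itself expires first.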

Workflow engine

OpenXPKI uses a workflow engine that allows the basic operation of the PKI (e.g. certificate request and approval) to be modified and extended. Customizing the behaviour of the system is often accomplished by modifying the workflow description in XML format.

In addition, the workflow engine makes it possible to extend the system with customized workflows. OpenXPKI includes standard workflows, e.g. for requesting X.509 digital certificates and issuing Certificate Revocation Lists, that can easily be customized to model the actual PKI processes. Adding new workflow definitions extends the PKI system.[1]

Infrastructure key protection

To protect the private keys of the certificate authority and its subsystems, OpenXPKI natively supports secret sharing based on Shamir's Secret Sharing scheme, so that no single person holds the complete secret and a threshold of share holders is needed to activate a key.
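The following Python code is an added example of Shamir's scheme over a prime field; it is not OpenXPKI's implementation, and the prime, the share format and the passphrase encoding (a 0x01 sentinel byte followed by at most 64 passphrase bytes) are choices made here for illustration. It shows the property the paragraph relies on: k shares recover the secret exactly, while k-1 shares yield a value unrelated to it rather than an error.

```python
# Added example of Shamir's Secret Sharing over GF(p). Illustration only,
# not OpenXPKI's own code; prime, share format and encoding are assumptions.
import secrets

# Mersenne prime 2^521 - 1; any passphrase of up to 64 bytes encodes below p.
PRIME = 2**521 - 1
MAX_PASSPHRASE_LEN = 64


def passphrase_to_int(passphrase: bytes) -> int:
    """Encode a passphrase as a field element. The 0x01 sentinel byte keeps
    leading zero bytes of the passphrase from being lost on the way back."""
    if len(passphrase) > MAX_PASSPHRASE_LEN:
        raise ValueError("passphrase longer than %d bytes" % MAX_PASSPHRASE_LEN)
    return int.from_bytes(b"\x01" + passphrase, "big")


def int_to_passphrase(value: int) -> bytes:
    """Inverse of passphrase_to_int: drop the sentinel byte."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01:
        raise ValueError("not a validly encoded passphrase")
    return raw[1:]


def eval_poly(coeffs, x, p=PRIME):
    """Horner evaluation of sum(coeffs[i] * x**i) mod p; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret: int, n: int, k: int, p=PRIME):
    """Split `secret` into n shares (x, f(x)); any k of them recover it.
    f is a random polynomial of degree k-1 with f(0) = secret, so k-1
    shares leave every value of the secret equally likely."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < p:
        raise ValueError("secret must lie in [0, p)")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    # x = 0 would reveal the secret directly, so shares start at x = 1.
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=PRIME):
    """Lagrange interpolation at x = 0. With fewer than k shares this
    returns a wrong value, not an error: the threshold is enforced by the
    mathematics, so callers must verify the recovered key before use."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def split_passphrase(passphrase: bytes, n: int, k: int):
    return split_secret(passphrase_to_int(passphrase), n, k)


def recover_passphrase(shares) -> bytes:
    return int_to_passphrase(recover_secret(shares))


if __name__ == "__main__":
    # Constructed sample: a CA key passphrase split 3-of-5 among custodians.
    shares = split_passphrase(b"\x00correct horse battery staple", 5, 3)
    print(recover_passphrase([shares[0], shares[2], shares[4]]))
```

In an operational setting the shares would be handed to different custodians and the reassembled passphrase used only transiently to unlock the CA key; note that `recover_secret` cannot tell a sub-threshold set of shares from a complete one, so the caller has to check the result (for example by trying to load the key) rather than trust it.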

An even higher level of security can be achieved by protecting the private keys with a hardware security module (HSM). OpenXPKI currently supports nCipher's nShield HSM.

Ticketing system integration

OpenXPKI provides built-in integration with Request Tracker (RT). It can automatically create and link tickets in the ticketing system for incoming certificate requests, which allows Registration Officers to keep track of their workload.

Internationalization

OpenXPKI fully supports Internationalization and localization of its interfaces.

Alternative cryptography

The cryptographic backend can be extended with non-Western cryptography. Support for the Russian national algorithms (GOST) is already included as an example.

System requirements

OpenXPKI runs on most Unix-like operating systems (verified on FreeBSD, Linux, Solaris/OpenSolaris and Mac OS X). Database backends exist for MySQL, PostgreSQL, the Oracle Database and IBM DB2.


References

  1. An interesting example of this is the possibility to personalize SmartCards via a self-service web frontend. The workflow definition for this feature used to be a customization for a particular OpenXPKI installation and was later added to the core product.

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.