XiPKI 介绍
XiPKI (e X tensible s I mple P ublic K ey I nfrastructure)
是一个高度可伸缩和高性能的开源 PKI 实现(CA and OCSP responder).
要求:
- OS: Linux, Windows, MacOS
- JRE / JDK 8 (build 162+), 9, 10, 11, 12, 13
- Database: DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB
特性:
-
CA (Certification Authority)
- X.509 Certificate v3 (RFC 5280)
- X.509 CRL v2 (RFC 5280)
- EdDSA Certificates (RFC 8410, RFC 8032)
- Diffie-Hellman Proof-of-Possession Algorithms (RFC 6955)
- SCEP (draft-gutmann-scep-00, draft-nourse-scep-23)
- EN 319 411 (eIDAS)
- EN 319 412 (eIDAS)
- Supported databases: DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB
- Direct and indirect CRL
- FullCRL and DeltaCRL
- Customized extension to embed certificates in CRL
- CMP (RFC 4210 and RFC 4211)
- API to specify customized certificate profiles
- Support of JSON-based certificate profile
- API to specify customized publisher, e.g. for LDAP and OCSP responder
- Support of publisher for OCSP responder
- Public key types of certificates
- RSA
- EC
- DSA
- Ed25519, Ed448
- X25519, X448
- SM2
- Signature algorithms of certificates
- Ed25519, Ed448
- SM3withSM2
- SHA3-*withRSA: where * is 224, 256, 384 and 512
- SHA3-*withRSAandMGF1: where * is 224, 256, 384 and 512
- SHA3-*withECDSA: where * is 224, 256, 384 and 512
- SHA3-*withDSA: where * is 224, 256, 384 and 512
- SHA*withRSA: where * is 1, 224, 256, 384 and 512
- SHA*withRSAandMGF1: where * is 1, 224, 256, 384 and 512
- SHA*withECDSA: where * is 1, 224, 256, 384 and 512
- SHA*withPlainECDSA: where * is 1, 224, 256, 384 and 512
- SHA*withDSA: where * is 1, 224, 256, 384 and 512
-
Native support of X.509 extensions (other extensions can be supported by configuring it as blob)
-
AdditionalInformation (German national standard CommonPKI)
- Admission (German national standard CommonPKI)
- AuthorityInformationAccess (RFC 5280)
- AuthorityKeyIdentifier (RFC 5280)
- BasicConstraints (RFC 5280)
- BiometricInfo (RFC 3739)
- CertificatePolicies (RFC 5280)
- CRLDistributionPoints (RFC 5280)
- CT Precertificate SCTs (RFC 6962)
- ExtendedKeyUsage (RFC 5280)
- FreshestCRL (RFC 5280)
- InhibitAnyPolicy (RFC 5280)
- IssuerAltName (RFC 5280)
- KeyUsage (RFC 5280)
- NameConstraints (RFC 5280)
- OcspNoCheck (RFC 6960)
- PolicyConstrains (RFC 5280)
- PolicyMappings (RFC 5280)
- PrivateKeyUsagePeriod (RFC 5280)
- QCStatements (RFC 3739, eIDAS standard EN 319 412)
- Restriction (German national standard CommonPKI)
- SMIMECapabilities (RFC 4262)
- SubjectAltName (RFC 5280)
- SubjectDirectoryAttributes (RFC 3739)
- SubjectInfoAccess (RFC 5280)
- SubjectKeyIdentifier (RFC 5280)
- TLSFeature (RFC 7633)
- ValidityModel (German national standard CommonPKI)
- GM/T 0015 IdentityCode (个人身份标识码, Chinese Standard GM/T 0015-2012)
- GM/T 0015 InsuranceNumber (个人社会保险号, Chinese Standard GM/T 0015-2012)
- GM/T 0015 ICRegistrationNumber (企业工商注册号, Chinese Standard GM/T 0015-2012)
- GM/T 0015 OrganizationCode (企业组织机构代码, Chinese Standard GM/T 0015-2012)
- GM/T 0015 TaxationNumber (企业税号, Chinese Standard GM/T 0015-2012)
- Management of multiple CAs in one software instance
-
Support of database cluster
-
Multiple software instances (all can be in active mode) for the same CA
-
Native support of management of CA via embedded OSGi commands
-
API to specify CA management, e.g. GUI
-
Database tool (export and import CA database) simplifies the switch of databases, upgrade of XiPKi and switch from other CA system to XiPKI CA
-
Client to enroll, revoke, unrevoke and remove certificates, to generate and download CRLs
-
All configuration of CA except those of databases is saved in database
-
OCSP Responder
- OCSP Responder (RFC 2560 and RFC 6960)
- Support of Common PKI 2.0
- Management of multiple certificate status sources
- Support of certificate status source based on the database of XiPKI CA
- Support of certificate status source based on the OCSP database published by XiPKI CA
- Support of certificate status source CRL and DeltaCRL
- Support of certificate status source published by EJBCA
- API to support proprietary certificate sources
- Support of both unsigned and signed OCSP requests
- Multiple software instances (all can be in active mode) for the same OCSP signer and certificate status sources.
- Supported databases: DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB
- Database tool (export and import OCSP database) simplifies the switch of databases, upgrade of XiPKi and switch from other OCSP system to XiPKI OCSP.
- Client to send OCSP request
-
SCEP
-
Supported SCEP versions
- draft-gutmann-scep-00
- draft-nourse-scep-23
-
Toolkit (for both PKCS#12 and PKCS#11 tokens)
-
Generating keypairs of RSA, EC and DSA in token
- Deleting keypairs and certificates from token
- Updating certificates in token
- Generating CSR (PKCS#10 request)
- Exporting certificate from token
-
For both CA and OCSP Responder
-
Support of PKCS#12 and JKS keystore
- Support of PKCS#11 devices, e.g. HSM
- API to use customized key types, e.g. smartcard
- High performance
- Support of health check
- Audit with syslog and slf4j
-
For CA, OCSP Responder and Toolkit
-
API to resolve password
- Support of PBE (password based encryption) password resolver
- All passwords can be encrypted by the master password
- Support of OBF (as in jetty) password resolver
XiPKI 官网
https://github.com/xipki/xipki
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。