org.xipki.gateway:scep-client

XiPKI Parent


Keywords
acme, ca, ca-browser-forum, certificate, certificate-authority, certificate-transparency, certification-authority, cmp, crl, est, hsm, ocsp, ocsp-responder, pkcs11, pki, rest-api, rfc2560, rfc5280, rfc6960
License
Apache-2.0

Documentation

GitHub release License Github forks Github stars

XiPKI

XiPKI (eXtensible sImple Public Key Infrastructure) is a highly scalable and high-performance open source PKI (CA and OCSP responder).

License

  • The Apache Software License, Version 2.0

Support

Just create new issue.

For bug-report please upload the test data and log files, describe the version of XiPKI, OS and JRE/JDK, and the steps to reproduce the bug.

Get Started

Binaries

The binary xipki-setup-<version>.zip can be retrieved using one of the following methods

Install and Setup

Unpack xipki-setup-<version>.zip and follow the xipki-setup-<version>/INSTALL.md.

Features

Supported Platform

CA Protocol Gateway

  • EST (RFC 7030)
  • SCEP (RFC 8894)
  • CMP (RFC 4210, 4211, 9045, 9480)
  • ACME (RFC 8555, RFC 8737)
    • Challenge types: dns-01, http-01, tls-apln-01
  • RESTful API (XiPKI own API)

CA (Certification Authority)

  • X.509 Certificate v3 (RFC 5280)
  • X.509 CRL v2 (RFC 5280)
  • EdDSA Certificates (RFC 8410, RFC 8032)
  • SHAKE Certificates (RFC 8692)
  • Diffie-Hellman Proof-of-Possession Algorithms (RFC 6955)
  • EN 319 411 and 319 412 (eIDAS)
  • Direct and indirect CRL
  • FullCRL and DeltaCRL
  • API to specify customized certificate profiles
  • Support of JSON-based certificate profile
  • API to specify customized publisher, e.g. for LDAP and OCSP responder
  • Support of publisher for OCSP responder
  • Public key types of certificates: RSA, EC, DSA, Ed25519, Ed448, SM2, X25519, X448
  • Signature algorithms of certificates
    • DSA with hash algorithms: SHA-1, SHA-2, and SHA-3
    • ECDSA with hash algorithms: SHA-1, SHA-2, SHA-3, and SHAKE
    • Ed25519, Ed448
    • Plain ECDSA with hash algorithms: SHA-1, and SHA-2
    • RSA PKCS1v1.5 with hash algorithms: SHA-1, SHA-2, and SHA-3
    • RSA PSS with hash algorithms: SHA-1, SHA-2, and SHA-3, and SHAKE
    • SM3withSM2
  • Native support of X.509 extensions (other extensions can be supported by configuring it as blob)
    • RFC 3739
      • BiometricInfo
      • QCStatements (also in eIDAS standard EN 319 412)
      • SubjectDirectoryAttributes
    • RFC 4262
      • SMIMECapabilities
    • RFC 5280
      • AuthorityInformationAccess, AuthorityKeyIdentifier
      • BasicConstraints
      • CertificatePolicies, CRLDistributionPoints
      • ExtendedKeyUsage
      • FreshestCRL
      • InhibitAnyPolicy, IssuerAltName
      • KeyUsage
      • NameConstraints
      • PolicyConstrains, PolicyMappings, PrivateKeyUsagePeriod
      • SubjectAltName, SubjectInfoAccess, SubjectKeyIdentifier
    • RFC 6960
      • OcspNoCheck
    • RFC 6962
      • CT Precertificate SCTs
    • RfC 7633
      • TLSFeature
    • Car Connectivity Consortium
      • ExtensionSchema
    • Common PKI (German national standard)
      • AdditionalInformation, Admission
      • Restriction
      • ValidityModel
  • Management of multiple CAs in one software instance
    • Support of database cluster
    • Multiple software instances (all can be in active mode) for the same CA
    • Native support of management of CA via embedded OSGi commands
    • API to manage CA. This allows one to implement proprietary CLI, e.g. Website, to manage CA.
    • Database tool (export and import CA database) simplifies the switch of databases, upgrade of XiPKi and switch from other CA system to XiPKI CA
    • All configuration of CA except those of databases is saved in database

OCSP Responder

  • OCSP Responder (RFC 2560 and RFC 6960)
  • Configurable Length of Nonce (RFC 8954)
  • Support of Common PKI 2.0
  • Management of multiple certificate status sources
  • Support of certificate status sources
    • Database of XiPKI CA
    • OCSP database published by XiPKI CA
    • CRL and DeltaCRL
    • Database of EJBCA
  • API to support proprietary certificate sources
  • Support of both unsigned and signed OCSP requests
  • Multiple software instances (all can be in active mode) for the same OCSP signer and certificate status sources.
  • Database tool (export and import OCSP database) simplifies the switch of databases, upgrade of XiPKi and switch from other OCSP system to XiPKI OCSP.
  • High performance
  • Support of health check

Mgmt CLI (Management Client)

  • Configuring CA
  • Generating keypairs of RSA, EC and DSA in token
  • Deleting keypairs and certificates from token
  • Updating certificates in token
  • Generating CSR (PKCS#10 request)
  • Exporting certificate from token

CLI (CA/OCSP Client)

  • Client to enroll, revoke, and unrevoke (unsuspend) certificates, to download CRLs
  • Client to send OCSP request
  • Updating certificates in token
  • Generating CSR (PKCS#10 request)
  • Exporting certificate from token

HSM Proxy

  • Provide the access to the HSM remotely.