同步操作将从 Gitee 极速下载/XiPKI 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
XiPKI (eXtensible sImple Public Key Infrastructure) is a highly scalable and high-performance open source PKI (CA and OCSP responder).
Just create issue or new discussion.
For bug-report please upload the testdata and log files, describe the version of XiPKI, OS and JRE/JDK, and the steps to reproduce the bug.
Key type | Key size / Curve | Certificates per second |
---|---|---|
RSA | 2048 | 630 |
3072 | 300 | |
4096 | 150 | |
DSA | 2048 | 580 |
3072 | 330 | |
EC | NIST P-256 | 880 |
NIST P-384 | 700 | |
NIST P-521 | 530 | |
Brainpool P256R1 | 560 | |
Brainpool P384R1 | 350 | |
Brainpool P512R1 | 210 | |
SM2 | SM2P256V1 | 800 |
EdDSA | Ed25519 | 1,200 |
Ed448 | 900 |
Key type | Key size / Curve | Responses per second |
---|---|---|
RSA | 2048 | 880 |
3072 | 350 | |
4096 | 160 | |
DSA | 2048 | 2,000 |
3072 | 1,000 | |
EC | NIST P-256 | 3,600 |
NIST P-384 | 2,400 | |
NIST P-521 | 1,400 | |
Brainpool P256R1 | 1,500 | |
Brainpool P384R1 | 850 | |
Brainpool P512R1 | 500 | |
SM2 | SM2P256V1 | 4,000 |
EdDSA | Ed25519 | 5,000 |
Ed448 | 3,300 |
Set the environment variable JAVA_HOME
to point to root directory of the to
the JRE/JDK installation.
Download the binaries xipki-ca-<version>.zip
, xipki-ocsp-<version>.zip
and
xipki-cli-<version>.tar.gz
(or xipki-cli-jdk8-<version>.tar.gz
for JDK 8) from
releases.
Only if you want to use the development version, build it from source code as follows.
Get a copy of project code
git clone https://github.com/xipki/xipki
Build the project
In folder xipki
mvn clean install -DskipTests
Then you will find the following binaries:
assemblies/xipki-dbtool/target/xipki-dbtool-<version>.zip
assemblies/xipki-ca/target/xipki-ca-<version>.zip
assemblies/xipki-ocsp/target/xipki-ocsp-<version>.zip
assemblies/xipki-cli/target/xipki-cli-<version>.tar.gz
(or xipki-cli-jdk8-<version>.tar.gz
for JDK 8)xipki-dbtool-<version>.zip
.lib/jdbc
.xipki-ca-<version>.zip
and install CA as described in the
unpacked README file.Note that CA and OCSP can be installed in the same servlet container.
xipki-ocsp-<version>.zip
and install OCSP responder as described in the
unpacked README file.xipki-cli-<version>.tar.gz
(or xipki-cli-jdk8-<version>.tar.gz
for JDK 8)xipki/cmpclient/cmpclient.json
lib/boot
.This step is only required if the real PKCS#11 device instead of the emulator is used. Note that this step should be applied to both tomcat and xipki-cli.
xipki/security/example/pkcs11-hsm.json
to xipki/security/pkcs11.json
, and adapt the PKCS#11 configuration.This step is only required if the CA is behind a reverse proxy apache httpd.
Add the java property org.xipki.reverseproxy.mode
-Dorg.xipki.reverseproxy.mode=APACHE
configure the proxy to forward the headers via mod_proxy with the following configuration
# Require SSL Client verification
SSLVerifyClient require
#initialize the special headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_VERIFY ""
RequestHeader set SSL_CLIENT_CERT ""
<Location / >
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
...
</Location>
For more details please refer to * Jetty/Howto/Configure mod proxy * Jetty: Tricks to do client certificate authentications behind a reverse proxy * Apache Module mod_ssl
preload <start script>
(If error like "Identity or Certificate with label=mylabel already exists" occurs,
you need to comment the line which generate the key (e.g. dsa-p11 ec-p11, rsa-p11, sm2-p12)
or delete the existing key using command delete-key-p11
).
Start CLI.
bin/karaf
HSM devices of Thales, e.g. nCipher, can use Thales preload to manage the PKCS#11 sessions. In this case, the cli should be started as follows
preload bin/karaf
Setup CA (choose p11 if the key is saved in PKCS#11 device, p12 in PKCS#12 device.
In case of using new keys and certificates, in CLI:
source xipki/ca-setup/cacert-none/setup-*-*.script
where * is place holder.
In case of using existing keys and certificates, in CLI:
source xipki/ca-setup/cacert-present/setup-*-*.script
where * is place holder.
If you wish to generate the siging key and certificate for the OCSP responder, in CLI:
source xipki/ca-setup/setup-ocsp-*.script
.
If you wish to add the SCEP support, in CLI:
source xipki/ca-setup/setup-scep.script
.
Verify the installation, execute the command in CLI:
ca-info myca1
The following shell script demonstrates how to enroll and revoke certificates, and how to get
the current CRL:
<CLI_ROOT>/xipki/client-script/rest.sh
(use argument 'help' to print the usage)
Note that this script tells CA to generate real certificates. DO NOT use it in the production environment.
SCEP
Using any SCEP client. XiPKI provides also a SCEP client.
The binary xipki-cli-<version>
.tar.gz (or xipki-cli-jdk8-<version>.tar.gz
for JDK 8) contains an example script in the folder xipki/client-script.
It can be executed in the CLI as follows:
source xipki/client-script/scep-client.script
XiPKI CLI XiPKI CLI provides commands to enroll and revoke certificates via CMP.
The binary xipki-cli-<version>
.tar.gz (or xipki-cli-jdk8-<version>.tar.gz
for JDK 8) contains an example script in the folder xipki/client-script.
It can be executed in the CLI as follows:
source xipki/client-script/cmp-client.script
(use argument 'help' to print the usage)REST API
The shell script xipki/client-script/rest.sh
of the xipki-cli
demonstrates
the use of REST API.
The binary xipki-cli-<version>
.tar.gz (or xipki-cli-jdk8-<version>.tar.gz
for JDK 8) contains an example script in the folder xipki/client-script.
It can be executed in the CLI as follows:
source xipki/client-script/rest-client.script
(use argument 'help' to print the usage)Please refer to commands.md for more details.
See discussion in discussion #205.
CA (Certification Authority)
Native support of X.509 extensions (other extensions can be supported by configuring it as blob)
Management of multiple CAs in one software instance
Support of database cluster
Multiple software instances (all can be in active mode) for the same CA
Native support of management of CA via embedded OSGi commands
API to manage CA. This allows one to implement proprietary CLI, e.g. Website, to manage CA.
Database tool (export and import CA database) simplifies the switch of databases, upgrade of XiPKi and switch from other CA system to XiPKI CA
All configuration of CA except those of databases is saved in database
OCSP Responder
SCEP
CLI
For CA, OCSP Responder, and CLI
ocsp-store-example
: implementation of a customized OcspStore.ocsp-store-example-assembly
: assembly the binaries.此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。