Openxpki - Manage Keys and Certificate

  •        76

The OpenXPKI project has the vision to publish a software stack that provides all necessary components to manage keys and certificates primarily based on the X509v3 cryptography standard.

  • WebUI compatible with all major browsers
  • Ready-to-run example config included
  • Support for SCEP (Simple Certificate Enrollment Protocol)
  • Easy adjustment of workflows to personal needs
  • Run multiple separate CAs with a single installation, automated rollover of CA generations
  • Can use Hardware Security Modules (e. g. Thales HSMs) for crypto operations
  • Issue certificates with public trusted CAs (e. g. SwissSign, Comodo, VeriSign)
  • Based on OpenSSL and Perl, runs on most *nix platforms
  • 100% Open Source, commercial support available



Related Projects

Dogtag - Certificate System

The Dogtag Certificate System is an enterprise-class open source Certificate Authority (CA). It is a full-featured system, and has been hardened by real-world deployments. It supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management, and much more. It supports Certificate issuance, revocation, and retrieval, Certificate Revocation List (CRL) generation and publishing, Encryption key archival and recovery and lot more.

Confidant - Your Secret Keeper. Stores secrets in DynamoDB, encrypted at rest.

Confidant is a open source secret management service that provides user-friendly storage and access to secrets in a secure way, from the developers at Lyft. Confidant stores secrets in an append-only way in DynamoDB, generating a unique KMS data key for every revision of every secret, using Fernet symmetric authenticated cryptography.

Vault - A tool for managing secrets

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.

Ejbca - PKI Certificate Authority software

EJBCA is an enterprise class PKI Certificate Authority software. It supports SSL/TLS, Smart card logon to Windows and/or Linux, Signing and encrypting email (SMIME), Mobile PKI, Secure mobile networks and lot more.

Keywhiz - A system for distributing and managing secrets

Keywhiz is a system for managing and distributing secrets. Keywhiz servers in a cluster centrally store secrets encrypted in a database. Clients use mutually authenticated TLS (mTLS) to retrieve secrets they have access to. Authenticated users administer Keywhiz via CLI or web app UI. To enable workflows, Keywhiz has automation APIs over mTLS and support for simple secret generation plugins.

Cryptlib - provides Encryption and Authentication Service

cryptlib is a powerful security toolkit that allows even inexperienced crypto programmers to easily add encryption and authentication services to their software. It provides support for S/MIME and PGP/OpenPGP secure enveloping, SSL/TLS and SSH secure sessions, CA services such as CMP, SCEP, RTCS, and OCSP, and other security operations such as secure timestamping.

OpenCA - PKI Management Software

The OpenCA PKI Development Project is a collaborative effort to develop a robust, full-featured and Open Source out-of-the-box Certification Authority implementing the most used protocols with full-strength cryptography world-wide. The project development is divided in two main tasks: studying and refining the security scheme that guarantees the best model to be used in a CA and developing software to easily setup and manage a Certification Authority.

Public Key Infrastructure PowerShell module

This module is intended to simplify certain PKI management tasks by using automation with Windows PowerShell.

etcd - Distributed reliable key-value store for the most critical data of a distributed system

etcd is a distributed, consistent key-value store for shared configuration and service discovery. It is simple, secure, fast and reliable. it uses the Raft consensus algorithm to manage a highly-available replicated log.

Certificate Request (PKCS#10) Generator

A .NET application that can create PKCS#10 Certificate Requests, either by generating a new key or reusing a preexisting one. Minimum requirement : Windows Vista and above. .NET 2.0.

Flock - Private contact and calendar sync for Android.

A secure contact and calendar syncing application for Android.The Android app can be downloaded through Google Play or via our alternative distribution channel. Note that the certificate presented by our alternative distribution channel is signed by the same private certificate authority pinned by Flock's trust store.

Flock - Private contact and calendar sync for Android.

A secure contact and calendar syncing application for Android. The Android app can be downloaded through Google Play or via our alternative distribution channel. Note that the certificate presented by our alternative distribution channel is signed by the same private certificate authority pinned by Flock's trust store.

Kong - The Microservice API Gateway

Kong is a cloud-native, fast, scalable, and distributed Microservice Abstraction Layer (also known as an API Gateway, API Middleware or in some cases Service Mesh). Backed by the battle-tested NGINX with a focus on high performance, Kong was made available as an open-source platform in 2015. Under active development, Kong is used in production at thousands of organizations from startups, Global 5000 and Government organizations.


A graphical tool for generating RSA and ECDSA cryptographic key-pairs, creating Certificate Signing Requests (CSRs) from them, and combining the key-pair with an issued digital certificate to create a secure portable container (PKCS12, JKS, JCEKS, etc.).

trillian - Trillian implements a Merkle tree whose contents are served from a data storage layer, to allow scalability to extremely large trees

Trillian is an implementation of the concepts described in the Verifiable Data Structures white paper, which in turn is an extension and generalisation of the ideas which underpin Certificate Transparency.Note that Trillian requires particular applications to provide their own personalities on top of the core transparent data store functionality; example code for a certificate transparency log and for a log-derived map are included to help with this.

EJBCA, JEE PKI Certificate Authority

EJBCA is an enterprise class PKI Certificate Authority built on JEE technology. It is a robust, high performance, platform independent, flexible, and component based CA to be used standalone or integrated in other JEE applications.

Zen Cart - A PHP based e-Commerce Shopping Cart Software

ZenCart is a PHP based e-Commerce Shopping Cart Software. ZenCart is easy to install. Products, Customers, Pricing, Payment and Shipping could be easily managed by administrators. It is built on top of osCommerce. It supports Multiple gateway services, Sales, Discounts, Gift certificate, Audit trail, Newsletter manager, Advertising banners, Tax rate configuration, multiple shipping options and lot more.

Apache Accumulo - Key Value Store based on Google BigTable

The Apache Accumulo sorted, distributed key/value store is a robust, scalable, high performance data storage and retrieval system. Apache Accumulo is based on Google's BigTable design and is built on top of Apache Hadoop, Zookeeper, and Thrift. Apache Accumulo features a few novel improvements on the BigTable design in the form of cell-based access control and a server-side programming mechanism that can modify key/value pairs at various points in the data management process.

boulder - An ACME-based CA, written in Go.

This is an implementation of an ACME-based CA. The ACME protocol allows the CA to automatically verify that an applicant for a certificate actually controls an identifier, and allows domain holders to issue and revoke certificates for their domains.Boulder has a Dockerfile to make it easy to install and set up all its dependencies. This is how the maintainers work on Boulder, and is our main recommended way to run it.

certstrap - Tools to bootstrap CAs, certificate requests, and signed certificates.

A simple certificate manager written in Go, to bootstrap your own certificate authority and public key infrastructure. Adapted from etcd-ca.certstrap is a very convenient app if you don't feel like dealing with openssl, its myriad of options or config files.