OpenXPKI features and requirements

OpenXPKI makes a few assumptions about its operating environment. You will need some infrastructure components to make it work properly.

Operating environment

Supported operating systems

OpenXPKI runs on most Unix-like operating systems that use the Unix process model and provide a POSIX environment. It has been successfully tested on

Because of some assumptions about the process environment it will not run natively under Microsoft Windows.

Supported databases

OpenXPKI requires a relational database for operation. Drivers are included for

(Adding support for databases not mentioned here should be possible if a Perl DBD driver module exists for the database in question. At a minimum, the database must support multiple concurrent connections (ruling out SQLite for production use) and transactions.)

Request tracking

OpenXPKI provides built-in integration with the RT Request Tracker. It can automatically create and link tickets in the RT system for incoming certificate requests and thus allows Registration Officers to keep track of their workload.

Key features

Multiple CA instances

OpenXPKI supports the configuration of multiple independent logical PKIs ("PKI Realms") in a single application instance. This allows, for example, a Root CA and one or more subordinate CAs to be configured within a single installation.

Fully automatic CA rollover

Within a logical PKI (PKI Realm), OpenXPKI lets you configure multiple Issuing CAs with overlapping validity. Once a new Issuing CA becomes valid, it takes over issuing new certificates. This unique feature allows for a fully automatic CA rollover in which administrators do not have to take down and reconfigure the whole PKI installation when a CA certificate is about to expire.
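The takeover rule described above depends on the Issuing CA validity windows actually overlapping. The following added example (not OpenXPKI code) picks the issuer for a given time and reports any window in which no Issuing CA is valid. The CA aliases, dates and function names are constructed for illustration, and the rule "the most recently valid CA among those currently valid" is an assumption drawn from the sentence above.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional


class IssuingCA(NamedTuple):
    alias: str              # hypothetical label, not an OpenXPKI identifier
    not_before: datetime
    not_after: datetime


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample realm: three Issuing CA generations with overlapping validity.
REALM = [
    IssuingCA("ca-gen1", utc(2020, 1, 1), utc(2025, 1, 1)),
    IssuingCA("ca-gen2", utc(2024, 1, 1), utc(2029, 1, 1)),
    IssuingCA("ca-gen3", utc(2028, 1, 1), utc(2033, 1, 1)),
]


def active_issuer(cas, now) -> Optional[IssuingCA]:
    """Among the CAs valid at `now`, return the one that became valid last."""
    valid = [ca for ca in cas if ca.not_before <= now < ca.not_after]
    return max(valid, key=lambda ca: ca.not_before, default=None)


def coverage_gaps(cas):
    """Return (start, end) intervals between CA generations with no valid CA."""
    ordered = sorted(cas, key=lambda ca: ca.not_before)
    gaps = []
    if not ordered:
        return gaps
    covered_until = ordered[0].not_after
    for ca in ordered[1:]:
        if ca.not_before > covered_until:
            # The previous generation expired before this one became valid.
            gaps.append((covered_until, ca.not_before))
        covered_until = max(covered_until, ca.not_after)
    return gaps


if __name__ == "__main__":
    for when in (utc(2023, 6, 1), utc(2024, 6, 1), utc(2028, 6, 1)):
        issuer = active_issuer(REALM, when)
        print(when.date(), issuer.alias if issuer else "no valid issuing CA")
    print("gaps:", coverage_gaps(REALM))
```

Running `coverage_gaps` against the planned CA certificates before deployment shows whether a rollover would leave a period with no issuer.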

Highly customizable

Instead of hard-wiring the interface and the PKI operations in a monolithic application, OpenXPKI uses a workflow engine that makes it easy to modify and extend the basic operation of the PKI (e.g. certificate request and approval). Customizing the behaviour of the system is often accomplished by simply modifying the workflow description in XML format.

In addition, the workflow engine makes it possible to extend the system with customized workflows.

Hardware Security Module support

Critical cryptographic operations such as digital signatures can be performed via a Hardware Security Module. Currently, OpenXPKI supports nCipher nShield modules.