There are several commercial PKI solutions that share a complex feature set and a very scary price as their common denominator. So more and more customers, especially in the industrial, IoT and embedded market, are searching for open-source tools that can provide the certificates they need.
Let us summarize the open-source PKI offerings available:
OpenSSL: There are various how-to articles on using the Linux openssl tool to create keys and single-tier CAs. Keys are typically stored as files in the Linux filesystem. Implementing key usages and extended key usages requires massive customization of the /etc/ssl/openssl.cnf configuration file. Regular tasks can be automated with Linux shell scripts, but this means custom development of highly privileged tasks. GUI? Nope!
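As an added illustration of the openssl.cnf customization and scripting the paragraph above refers to (this is not part of the original post), the script below builds a two-tier CA (root, issuing CA with pathlen:0, device certificate) from a small config file, then shows that a verifier rejects a certificate issued by an unauthorized sub-CA beneath the issuing CA. It assumes only the openssl CLI (1.1.1 or newer); all CNs, section names and paths are constructed for this demo.

```shell
# Added example, not from the original post: two-tier OpenSSL CA driven by one
# small config; all names, CNs and paths are constructed for this demo.
set -eu
WORK=$(mktemp -d)
CNF="$WORK/ca.cnf"
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_issuing ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_device ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
# issue NAME CN EXT_SECTION [ISSUER]; without ISSUER the cert is self-signed
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -config "$CNF" -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
  if [ -z "${4:-}" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
      -extfile "$CNF" -extensions "$3" -out "$WORK/$1.crt"
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 365 -extfile "$CNF" -extensions "$3" -out "$WORK/$1.crt"
  fi
}
# verify_leaf NAME: succeeds only if NAME chains to the root through valid CAs
verify_leaf() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
issue root    "Demo Root CA"    v3_root
issue issuing "Demo Issuing CA" v3_issuing root
issue device  "device-0001"     v3_device  issuing
# pathlen:0 on the issuing CA: a CA signed beneath it must be rejected by verifiers
issue rogue   "Rogue Sub CA"    v3_issuing issuing
issue victim  "device-0002"     v3_device  rogue
cat "$WORK/issuing.crt" "$WORK/rogue.crt" > "$WORK/chain.crt"
verify_leaf device && echo "device-0001: OK"
verify_leaf victim || echo "device-0002: rejected (pathlen exceeded)"
```

Inspect the resulting extensions with `openssl x509 -in "$WORK/device.crt" -noout -ext keyUsage,extendedKeyUsage`.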
XCA: A tiny OpenSSL-based Windows application to manage asymmetric keys, CAs, CRLs, CSRs and X.509 certificates. All objects are stored in a file database. Certificate management is only possible through the Windows application; no automation or API is offered.
EJBCA Community Edition: A Java-based PKI software developed by PrimeKey Solutions AB. EJBCA Community is an older version of the EJBCA Enterprise edition, offering radically limited features and community support only.
DogTag: An Apache Tomcat based PKI for Fedora Linux maintained by an open-source community. Setup and maintenance require highly qualified Java personnel. DogTag offers a CLI as well as a web GUI, but mandatorily requires a 389 Directory Server (formerly Fedora Directory Server).
OpenXPKI: A Perl-based PKI solution for Debian 10 (Buster), of which only the feature-reduced community edition is free of charge. Documentation is poor and community support is offered only through a mailing list. You won’t find known issues or current release notes unless you purchase the costly enterprise edition.
OpenCA: An early open-source PKI based on Apache HTTP Server, OpenLDAP and OpenSSL. Unfortunately, development stopped in 2013; the latest release, v1.5.1, is dated September 2013. OpenXPKI is widely recognized as the succeeding fork of OpenCA.
XiPKI: An Apache Tomcat / Java JRE/JDK based PKI maintained by Lijun Liao, a Chinese developer working for Huawei in Germany (as of January 2022, source: LinkedIn). If you have questions, you are better off asking your Java developers to read the source code on GitHub than hoping for understandable documentation.
Open Source PKI Conclusion
All open-source PKI solutions are either available on specific operating systems only or have reduced features and very limited support. In 2021 we decided to develop an easy-to-use PKI solution under the se.SAM™ brand with the following characteristics:
- Intuitive use – PKI operation for non-crypto experts
- Ready-to-use setup – no implementation efforts
- Hardware security for keys
- Manage many root and issuing CAs at once
- Support for RSA and ECC algorithms including Brainpool
- Scalable from 50 to hundreds of thousands of certificates
- Elimination of complex issuing workflows
- Fully automatable issuing process using REST API
- Covers modern IT, OT, IoT and IIoT use cases
- Very affordable total cost of HSM hardware
There will be bundles available for the se.SAM™ N200 Crypto Appliance and the se.SAM™ NX200 24-48V industrial DIN-rail fan-less appliance.
See our first screenshots of se.SAM™ PKI (early bird release March 2022)
Keep an eye on:
- se.SAM™ U110 and U210 USB Modules: secure certificate and key storage
- se.SAM™ P210 and P220 MiniPCIe Modules: secure certificate and key storage
- se.SAM™ Embedded: secure certificate and key storage in embedded systems
- se.SAM™ N200 19″ Network Crypto Appliance: optional PKI Module
- se.SAM™ N200X Industrial Crypto Appliance: DIN-rail network HSM, 24-48V DC, with optional PKI Module
For more information contact us: