23C3 - 1.5

23rd Chaos Communication Congress
Who can you trust?

Alexander Klink
Michael Bell
Day 1
Room Saal 4
Start time 21:45
Duration 01:00
ID 1596
Event type Lecture
Track Hacking
Language English

Building an Open Source PKI using OpenXPKI

Take a lot of Perl, add some OpenSSL, sprinkle it with a few HSMs, stir, season to taste, enjoy!

OpenXPKI is an open source trust center software, written by the OpenXPKI Project, which aims to create an enterprise-scale PKI solution. You can see what OpenXPKI is all about, what you can do with it out-of-the-box and how you can hack it to your liking.

In this talk, the open source trust center software OpenXPKI will be presented. OpenXPKI aims at creating an enterprise-scale PKI/trust center software supporting well established infrastructure components like RDBMS and Hardware Security Modules (HSMs). It is the successor of OpenCA, and builds on the experience gained while developing it. Currently still under heavy development, OpenXPKI aims to be used in production by mid-October. Thus, a working release will be present before the congress.

Features that are available as of this writing (September 2006):

- CA rollover: "Normal" trust center software usually does not account for the installation of a new CA certificate, so if the CA certificate becomes invalid, a complete re-deployment has to be undertaken. OpenXPKI solves this problem by automatically deciding which CA certificate to use at a certain point in time.
- Support for multiple so-called "PKI realms": Different CA instances can be run in a single installation without any interaction between them, so one machine can be used for different CAs.
- Private key support both in hardware and software: OpenXPKI has support for professional Hardware Security Modules such as the nCipher nShield or the Chrysalis-ITS Luna CA modules. If such modules are not available, access to a key can be protected by using a threshold secret sharing algorithm.
- Professional database support: The user can choose from a range of database backends, including commercial ones such as Oracle or DB2, which are typically used in enterprise scenarios.
- Many different interfaces to the server: Currently, one can access the CA server using a web interface (which also allows for client-side request generation using SPKAC) or using a command line client. Embedded devices such as routers can use the Simple Certificate Enrollment Protocol (SCEP) to talk to the server and apply for certificates.
- Workflow engine: OpenXPKI aims to be extremely customizable by allowing the definition of workflows for any process you can think of in the PKI area. Typical workflows such as editing and approving certificate signing requests, as well as certificate and CRL issuance, are already implemented. Implementing your own idea is normally pretty easy: define a workflow in XML and (maybe) implement a few lines of Perl.
- I18N: Localization of the application and interfaces is easily possible, and OpenXPKI can of course deal with the whole range of Unicode characters in certificates.
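As an added illustration of the CA rollover decision described above (this is example code, not OpenXPKI's own implementation): given several generations of a CA certificate with overlapping validity, choose the one whose own validity fully contains the requested end-entity validity, preferring the newest generation so issuance migrates to the successor CA. The CA names and dates are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data (not taken from OpenXPKI): two generations of one CA
# with overlapping validity, which is what makes a graceful rollover possible.
CA_CERTS = [
    {"name": "Example CA G1", "not_before": datetime(2004, 1, 1), "not_after": datetime(2008, 1, 1)},
    {"name": "Example CA G2", "not_before": datetime(2006, 1, 1), "not_after": datetime(2010, 1, 1)},
]


def select_issuing_ca(ca_certs, not_before, not_after):
    """Pick the CA certificate that may sign a certificate valid in [not_before, not_after].

    A CA certificate qualifies only if the requested validity lies entirely within
    its own validity; otherwise the issued certificate would predate or outlive its
    issuer and chain validation would fail for part of its lifetime. Among several
    qualifying generations the newest is preferred, so new issuance moves to the
    successor CA as soon as it is usable while the old CA only serves what it signed.
    """
    candidates = [
        ca for ca in ca_certs
        if ca["not_before"] <= not_before and not_after <= ca["not_after"]
    ]
    if not candidates:
        # No generation covers the request: the next CA certificate must be deployed
        # (or the requested lifetime shortened) before this certificate can be issued.
        return None
    return max(candidates, key=lambda ca: ca["not_before"])


def issuing_ca_name(ca_certs, now_iso, lifetime_days):
    """Name of the CA that issues a certificate requested at `now_iso` (ISO 8601) for
    `lifetime_days`, or None when no CA generation can cover that validity window."""
    now = datetime.fromisoformat(now_iso)
    ca = select_issuing_ca(ca_certs, now, now + timedelta(days=lifetime_days))
    return ca["name"] if ca else None


if __name__ == "__main__":
    for when, days in [("2005-01-01", 730), ("2006-06-01", 365),
                       ("2007-01-01", 730), ("2009-06-01", 365)]:
        print(when, days, "->", issuing_ca_name(CA_CERTS, when, days))
```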

Features that will be done by the time the congress happens:

- LDAP publication: It will be possible to publish both certificates and Certificate Revocation Lists (CRLs) using LDAP.
- Self-service application for token personalization: A web application will be available that allows a user to easily create and install certificates on a SmartCard.

For the future, an integration with management systems such as Tivoli and Nagios, clustering support for issuance of more than 500.000 certificates/day as well as CMC (the Certificate Management protocol using CMS) support are planned. Implementing CMC over COM would be especially useful as it would then be possible to seamlessly replace a Microsoft CA. A large financial corporation plans to use OpenXPKI in production once it is ready for prime-time.