OpenXPKI Enterprise Edition

Web-basiertes User-Interface: OpenXPKI offers a modern, browser-based frontend for certificate management. The interface reflects the current state of workflow instances and supports role-based applicant and approver processes. All common browsers are supported.

Flexible enrollment endpoints: Any number of enrollment endpoints of type SCEP, EST, ACME or RPC can be configured for each PKI realm. Each endpoint has its own finely configurable enrollment policy – from authentication through validation to profile assignment.

Configuration-driven workflow engine: Workflows are defined via YAML-based configuration files, not code. Complexity ranges from simple stateless operations (e.g. reporting) to long-lived processes with manual interaction by multiple parties over days. Workflow instances can be paused, resumed and referenced at any time via their workflow ID.

Connector-based data integration: Every literal configuration value in OpenXPKI can be replaced by a connector that queries external sources at runtime. Connectors exist for LDAP directories, SQL databases, REST web services, flat files and more. The same concept also controls the publication of certificates and CRLs – whether to an LDAP directory, a file system or via SCP to a remote system.

Flexible authentication: User authentication is controlled per PKI realm via configurable authentication stacks. LDAP, SAML, OAuth and local passwords are supported, among others. External SSO systems can be easily integrated.

Notification system: Workflows can automatically trigger notifications for defined events. In addition to email (SMTP), integrations with Request Tracker (RT) and ServiceNow are also supported if required. OpenXPKI additionally generates reminders for expiring certificates.

RA/CA flexibility: In standard operation, Registration Authority and Certificate Authority work on the same system. For higher security requirements, the RA can be separated from the CA, or an external backend CA can be connected – and this can also be a public CA!

Microsoft autoenrollment: Native Windows auto-enrollment is optionally supported via products from partner companies, enabling seamless integration of OpenXPKI into Active Directory environments.

Internal issuing CA with integrated certificate management: OpenXPKI is ideally suited as a central internal issuing CA for manual and automated request processes. The integrated certificate lifecycle management handles automatic renewal, escalates failed renewals and provides flexible reporting functions – all configuration-driven and without individual scripts.

Automated certificate provisioning for IT infrastructure: Network devices, telephone systems, virtualisation platforms or device management systems are automatically provisioned with certificates via SCEP, EST, ACME or RPC. Dedicated enrollment endpoints with individual policies can be configured per device type or organisational unit.

IoT certificate provisioning: From the initial issuance of device certificates during production to automated certificate renewal in live operation: OpenXPKI provides the infrastructure for the entire certificate lifecycle of IoT devices – scalable and fully automatable.

Integration with external data sources: Via the connector interface, OpenXPKI integrates external systems directly into the certificate process. REST APIs, web services, databases, directory services or asset management systems provide metadata for enriching certificate requests or control automated approval decisions.

Consolidation of a grown CA landscape: Instead of operating a separate CA for each department or use case, OpenXPKI combines any number of logical CAs in a single installation. Each PKI realm retains its own policies, endpoints and authentication settings, but operation, monitoring and maintenance are centrally bundled.