There are many reasons why you may be looking for open-source public key infrastructure (PKI) software. Maybe you need to enable authentication and encryption for IoT products you deliver to the market. Or maybe you’re issuing certificates into a microservices environment to secure machine-to-machine connections. In any case, you’ve got options.

This blog will discuss the best open-source PKI software tools available today and provide tips on choosing the right tool for your needs.

First off, let’s begin with a few definitions. PKI is used to issue certificates that enable authentication, encryption, and digital signatures for multiple use cases. 

Authentication: proving your identity to a website or other entity

Encryption: protecting data from unauthorized access

Digital signatures: verifying the authenticity of a message or document

Open-source PKI solutions are a type of CA software that is available for anyone to use, modify and distribute. Open source software could be used for publicly trusted SSL/TLS certificates or, more commonly, as a private certificate authority (CA) for internal trust within an enterprise. 

The code for these tools is typically published under an open-source license, allowing anyone to view, edit and redistribute the software. 

Developers and engineers increasingly leverage PKI to embed security into their products or application development and delivery pipelines. Open source certificate authority (CA) software is a great way to get started with PKI.

There are many different open-source PKI software tools available today. Here we’ve broken down the four most common open source PKI solutions, including key considerations and recommendations when choosing the right fit for your use case.

EJBCA is a Java-based PKI solution that offers both enterprise and community editions. EJBCA Community Edition (CE) is free to download and has all the core features needed for certificate issuance and management. It includes multiple certificate enrollment methods, as well as a REST API. EJBCA was developed by PrimeKey, now a part of Keyfactor, and it is the most widely trusted and adopted solution for open-source PKI CA today. 

Core capabilities include:

• X.509  and SSH certificate issuance and lifecycle management
• Certificate authority (CA), registration authority (RA), and OCSP functionality
• Extensibility via CMP, SCEP, and REST API
• Audit logging to file or database
• Basic HSM support using Java PKCS#11

EJBCA Enterprise Edition (EE) includes features for production-ready environments, including high availability, clustering, authentication, advanced protocol and HSM support, professional support and services, and deployment flexibility. EJBCA Enterprise can be deployed as a turnkey hardware appliance, software appliance, cloud-based, or SaaS-delivered PKI.

Dogtag Certificate System (also known as Dogtag PKI) is an open-source certificate authority (CA) that supports many common PKI use cases. It offers a web-based management interface that allows you control over your certificates while also supporting multiple formats so that they can easily fit different use cases.

Core capabilities include:

• X.509 certificate issuance and certificate management
• CRL generation and publishing
• Local registration authority (LRA) for authentication and policies
• Extensibility via ACME, SCEP, and REST API
• Does not support relational databases – requires LDAP

The OpenXPKI is a toolkit based on OpenSSL and Perl that can create, manage, and deploy digital certificates. It includes support for multiple certificate formats and an online interface to help you oversee your PKI workloads.

Core capabilities include:

• X.509 certificate issuance and certificate management
• Web-based GUI compatible with all major browsers
• Extensibility via SCEP and EST

Step-ca is a simple yet flexible CLI-based open-source PKI tool that can create and manage digital certificates. It similarly includes support for multiple certificate formats and integrates with tools like Kubernetes, Nebula, and Envoy.

Core capabilities include:

• X.509 and SSH certificate issuance and management
• CLI-based interface for certificate 
• Extensibility via ACME and SCEP protocol
• Requires technical expertise in PKI concepts and JSON

When choosing an open source PKI management tool, there are several factors you will want to consider based on your specific use case and requirements.

Ease of use:

Setting up and running a PKI isn’t for the faint of heart. Even the best tools can create vulnerabilities if they are not properly configured and deployed. Open-source PKI solutions should be easy to deploy, with published containers offering the simplest method. They should also provide an easy-to-use interface for configuration, reporting, and management.

Flexibility and extensibility:

Once you have your PKI up and running, you’ll need to integrate certificate issuance and management workflows with your tools and applications. Industry-standard protocols such as ACME, SCEP, EST, and CMP provide certificate lifecycle management and enrollment capabilities. A REST API is also important to offer additional extensibility and functionality specific to the tool you choose.

Documentation and user community:

Good documentation is essential for any PKI solution. Be sure to check that the documentation is up-to-date and easy to understand. Support typically isn’t available with open-source projects, so you’ll need to ensure that you can set up and deploy the solution independently.

You should also ensure that there’s a solid community to provide support and guidance when you need it. A good indicator of an active community is to check the number of downloads, discussions, and online forums where end users can discuss features and assist one another.

Maintenance and support:

Security isn’t static, and your PKI shouldn’t be either. Ensure that your open source PKI solution is actively developed and maintained by the community and project owner. This ensures that vulnerabilities are addressed swiftly, and new features and functionality are continuously available as the PKI landscape evolves.

If something goes wrong with your PKI implementation, you’ll need access to troubleshooting documentation. Make sure the supplier you choose offers thorough documentation and a commercial/premium support agreement available from the vendor with an enterprise version, should the need arise to upgrade.

Enterprise upgrade:

If you need enterprise-grade features, be sure to choose a tool that offers a simple path to upgrade. A full-featured enterprise PKI should be able to handle the increased load of large-scale production environments without compromising performance or security. To support these requirements, you’ll need capabilities like high availability, multi-node clustering, compliance certifications, advanced protocols, and hardware security module (HSM).integrations.

EJBCA CE is a powerful, flexible, and easy-to-use PKI solution used by everyone from developers and engineers to IAM and security teams to issue trusted identities for all of their devices and workloads. Here are just a few of the key reasons why teams choose EJBCA CE over open source PKI alternatives:

Complete PKI solution:

EJBCA provides a complete PKI solution that includes everything you need to get started. It supports CA, RA, and OCSP functionality out of the box and can easily scale to meet even the most demanding transaction workloads for certificate issuance and validation.

Extensibility:

EJBCA is extremely flexible and can be easily extended to meet your specific needs. It supports pre-built plugins with other open-source tools such as HashiCorp Vault and Kubernetes, and it also supports SCEP, CMP, and REST API protocols. Advanced protocols such as ACME and EST are available with EJBCA Enterprise.

Easy to deploy and use:

EJBCA is readily available for download from GitHub and Sourceforge. It’s also available as a published container via Docker Hub, making it easy to deploy quickly and securely. It also offers a web-based GUI for centralized administration of CAs, audit logs, templates and policies, and more.

Proven and trusted:

EJBCA is one of the longest-running CA software projects, with millions of downloads and time-proven robustness and reliability. It’s built on open standards and a Common-Criteria certificate open-source platform.

Robust documentation:

EJBCA is supported by comprehensive documentation, including how-to guides, tutorial videos, troubleshooting guides, and use cases. This makes it incredibly easy for end-users to get up and running quickly and to get the most out of their PKI.

Path to enterprise:

If you need an enterprise-grade PKI solution, EJBCA offers an easy path to upgrade from the community edition to the enterprise edition. EJBCA Enterprise is available in many different forms and flavors to meet your specific requirements for simplicity, availability, and compliance.

If you’re looking for an open source PKI management tool, be sure to explore EJBCA Community with Keyfactor. Ready to try EJBCA Enterprise? No problem. You can get started with a free 30-day trial of EJBCA Cloud in Microsoft Azure or AWS in minutes.