Codegic releases Khatim PKI Server 4.6 – Enhanced Security & Usability

Codegic releases Khatim PKI Server 4.6 – Enhanced Security & Usability

Team Codegic is excited to unveil the release of Khatim PKI Server 4.6! Since the last major update in November 2023 (version 4.3), we’ve focused on enhancing timestamping, core PKI functionalities, signing capabilities, and overall usability. The intermediate releases, 4.4 and 4.5, brought significant improvements in timestamping and support for PSD2 certificates and other qualified statements. Now, with version 4.6, we’re introducing a host of new features, including a brand-new verification engine and significant enhancements in signing and Certificate Authority (CA) functions.

KPS - Components

Exciting New Features in Khatim PKI Server 4.6


  • Advanced Authentication: Supports HTTP Basic Auth and CMS Authentication for secure timestamping.
  • Service Plan Management: Unique feature allowing PKI admins to set up service plans with quotas and assign them to clients, providing detailed usage reports.
  • Time-Based Graphs: Detailed analytics on timestamp data over time, offering insights on daily, weekly, monthly, and yearly trends.

Certificate Authority (CA)

  • Certificate Publishing: Support for publishing certificates to a remote database for OCSP, ensuring real-time revocation with white-listing.
  • Qualified Statements: Comprehensive support for EU Qualified Statements, including PSD2 & CA/B forum ones to meet eIDAS regulations.
  • Zlint Integration: Automated certificate linting with Zlint to ensure compliance with multiple standards before issuing certificates.


  • Enhanced Revocation Checking: Now supports checking revocation status from either local or remote databases, improving deployment flexibility.

Signing & Verification

  • ASiC Digital Signatures: Support for ASiC digital signatures, including ASiC-B, ASiC-T, ASiC-LT, and ASiC-LTA with both XAdES and CAdES formats.
  • New Verification Engine: Other than signature verification, provides fine-grained control over encryption algorithms, key lengths, hashing algorithms, trust building & certificate validity checks.

Feature Details


Advanced Authentication: Khatim Timestamp Server now supports HTTP Basic and CMS authentication, allowing only authenticated users to access the service. PKI admins can set up client apps, enable basic authentication, and assign policies to enhance security.

Service Plan Management: A unique feature among timestamp servers, KPS allows PKI admins to create service plans with specific quotas for their clients. Plans can be unlimited, limited, or recurring, with detailed reports available to track usage and provide clients with daily usage proofs.

Time-Based Graphs: The new ‘Trends’ section provides in-depth insights into timestamp data, including the number of timestamps processed, breakdown of failures, TPS metrics, and more. This feature allows PKI admins to analyze timestamp data on a daily, weekly, monthly, or yearly basis.

Timestamp - timeline based stats - trends

The most powerful feature inside these graphs is that it not only show the requests count but also performance of your timestamping engine over the period of time using ‘transaction per second’ option. This helps PKI admins to ensure their timestamp servers are running in top notch condition. These stats are generated also against each of the running timestamp nodes so admin can see how their timestamp instances are performing.

Certificate Authority (CA)

Certificate Publishing: KPS now supports publishing issued certificates to a remote database. This remote database can then be configured with an OCSP server to provide real-time revocation with white-listing. Certificates are published automatically as they are issued, along with any changes in their revocation statuses.

Qualified Statements: KPS 4.6 supports a series of EU Qualified Statements, including PSD2, to cover eIDAS regulations. The newly supported extensions are:

  • PSD2 roles (PSP_IC, PSP_AI, PSP_PI, PSP_AS)
  • National Competent Authority Information
  • Type of Qualified certificate (QWAC, QSeal, QESign)
  • Qualified Transaction Limit
  • CA Retention Period
  • SSCD
  • PKI Disclosure Statement
  • CA/Browser Forum Extensions (Organization Identifier, Country, State, Registration Reference)

Zlint Integration: Ensuring X.509 certificate and CRL compliance with standards can be complex. To address this, KPS now integrates with Zlint, which provides advanced certificate linting against multiple lint sources, such as:

  • Apple
  • Community
  • Mozilla
  • RFC5280
  • RFC5480
  • RFC5891.

If linting fails for any reason, the certificate is marked as revoked. PKI admins can configure specific lint sources per certificate templates. This gives admins maximum flexibility as not all lint sources are relevant e.g. CABF_SMIME_BR source is relevant to an SSL cert and vice versa.

Usability: 4.6 adds number of usability features making it super easy for PKI to be managed. Some of these are:

  • Simplified Rekey: Admin can click on a CA & press Rekey to triggering the process. Admin can then setup:
    • Whether the new CA issues ‘Indirect CRL’
    • Swap existing Certificate Provider policies with the new CA
    • Optionally configure AIA address to be setup in the Indirect CRL
    • Admin can also see a CA history view to see how the CA progressed over time starting from the first generation of the CA till the last
  • Enhanced Card View: The CA card view is enhanced guiding admins whether:
    • CRL auto issuance is enabled
    • Cert synching is enabled
    • If any ‘Certificate Provider’ (CP) policy is configured with this CA

More CA info shown in CA cards


Enhanced Revocation Checking: The improved OCSP engine now checks revocation status from either local or remote databases, enabling flexible deployment options. This allows OCSP servers to be deployed inside application zones disconnect from your CA deployments which are deployed inside internal zones.

Signing & Verification

ASiC Digital Signatures: Khatim Sign Server now supports 26 signature formats, including ASiC signatures. ASiC (Associated Signature Containers) is a standardized format for packaging electronic documents along with their digital signatures and metadata, ensuring integrity and authenticity. Khatim Sign Server supports ASiC-B, ASiC-T, ASiC-LT, and ASiC-LTA with both XAdES and CAdES formats.


  • ASiC-B-XAdES
  • ASiC-T-XAdES
  • All of above with CAdES


  • PAdES-T
  • PAdES-LT


  • XAdES-B
  • XAdES-T
  • XAdES-LT
  • XAdES-A
  • XAdES-C
  • XAdES-X
  • XAdES-XL

CMS & Misc

  • CAdES-B

  • CAdES-T

  • CAdES-LT


  • PKCS#1

  • PKCS#7

Verification Engine: Other than signature verification, it provides robust control over multiple factors such as:

  • Allowed encryption algorithms
  • Allowed Key lengths
  • Allowed hashing algorithms
  • Configurable Trust Anchors
  • Configurable revocation checking options

Other than that, PKI admins can view detailed transaction logs and see statistics based on multiple parameters such as request success/failure, policy, signature format, signing algorithm, client IP, and host IP.


Khatim PKI Server 4.6 is a significant leap forward in ensuring secure, efficient, and compliant PKI deployments. With advanced features in timestamping, certificate management, and digital signing, KPS 4.6 is poised to meet the growing demands of modern digital security.

Stay tuned for more updates as we continue to innovate and enhance the Khatim PKI Server. Explore these exciting new features and elevate your PKI infrastructure with KPS 4.6 today!