Trusted e-Passport PKI for National Identity Programs

Khatim e-Passport Server enables governments, identity authorities, and ICAO-compliant entities to effortlessly issue, manage, and maintain all trust elements required in electronic passport ecosystems—right from CSCA and Document Signer Certificates to Master List Signers and SPOC components.

  • Fully aligned with ICAO Doc 9303 and EU e-passport guidelines
  • Secure CSCA key pair generation and lifecycle management
  • ICAO-compliant Document Signer Certificate (DSC) issuance
  • Ensures operational reliability and cryptographic trust
  • Master List creation and digital signing for global verification

 

Why Choose Khatim e-Passport Server?

Designed For Trust

Purpose-built to secure the digital identity lifecycle of e-passports. CSCA, DSC, and SPOC trust anchors are tightly governed for maximum assurance.

Easy Integration

REST APIs and simple command-line utilities for smooth integration with national ID systems, personalization workflows, and third-party applications.

Border Ready

Supports all ICAO member state requirements for certificate exchange, master list ingestion, and SPOC interoperability.

Live Monitoring

Built-in monitoring for certificate issuance events, expiration warnings, and cryptographic operations—keep your identity infrastructure under full control.

e-Passport Server Use Cases

National Passport Agencies

Ensure secure, auditable issuance of digital credentials for machine-readable passports.

eID / e-MRTD Personalization Units

Integrate with personalization systems to embed ICAO-compliant DSCs into e-passports.

Border Security & Control Authorities

Strengthen border security through cryptographic verification of identity documents.

Core Features

Features you get from Khatim e-Passport Server

  • CSCA & Document Signer Management

    Generate and manage CSCA keys and certificates securely. Issue ICAO-compliant Document Signer Certificates for e-passport personalization systems.
  • Master List Generation & Signing

    Create and sign Master Lists with your Master List Signer to facilitate cross-border certificate validation, trust, and interoperability.
  • Cross Platform, Diverse Deployments

    Issue and manage SPOC Client Certificates and SPOCA CAs for secure communication between eMRTD issuing authorities across borders.

  • ICAO & EU Compliance

    Supports ICAO Doc 9303 and EU Decision 2008/616/JHA Annex—ensuring seamless integration into international and European trust infrastructures.
  • Web-Based GUI for Fast Operations

    Visual, easy-to-navigate admin panel to perform certificate issuance and revocation operations and to manage SPOC/SPOCA relationships with minimal training.
  • Secure Key Handling

    Leverages HSM or software-based modules for CSCA key protection, ensuring cryptographic security and regulatory compliance.

Deployment

  • Supported OS

    All flavors of Windows Server & Linux (CentOS Stream, Ubuntu, Red Hat, Fedora)

  • Languages

    50+ Languages (English, Chinese, French, Italian, Spanish, Arabic, German, Portuguese etc.)

  • Minimum H/W Requirement

    8 GB RAM, 2 vCPU (2.3 GHz), 10 GB disk space.

Words from Client

Leading companies rely on us for their PKI and digital signature needs

We were struggling with our PKI implementation when Codegic came to the rescue. They not only sorted our technical issues but also designed the whole PKI for the infrastructure.

Hemal Patel, CEO, Ray Pte. Ltd.

Pricing

  • Khatim e-Passport Server is charged per bundle
  • Each bundle allows you to deploy 2 instances of the PKI server in high availability mode
  • To add more servers to your existing pool, add more bundles or buy a single server instance at 50% of the bundle price
  • Test or staging environments are charged at 50% of the price

Maintenance Plan

With an active annual software maintenance plan:

  • Keep your installation safe and secure with the latest security updates
  • Get free access to the newest features, enhancements, and bug fixes
  • Get premium support from our technical engineers (within 24 hours on business days)

Has your maintenance expired?

Want to renew your maintenance plan? The price for 12 months is 25% of your license’s (current) list price.

Save more with extended support

  • Extend for 24 months and save 10%
  • Extend for 36 months and save 15% (best value)

FAQs

Can we integrate with existing CAs?

Naturally, integrating Khatim e-Passport Server with your current CAs is possible, and any customization required for the integration will be free of charge.

What is needed to run an e-Passport Server?

To run an e-Passport Server, you need a secure environment with access to a Hardware Security Module (HSM) for CSCA and DSC key protection, ICAO-compliant software for certificate and Master List management, and integration capabilities with national eID or passport issuance systems. Compliance with ICAO Doc 9303 and secure networking are also essential.

How can developers integrate with the Khatim e-Passport Server?

Developers can integrate with Khatim e-Passport Server using its secure, RESTful APIs to automate CSCA, DSC, Master List, and SPOC certificate operations. The server provides detailed API documentation, sample payloads, and supports integration with eID, passport personalization, and border control systems for seamless deployment.

There are already many PKI servers on the market. Why choose Khatim e-Passport Server?

Khatim e-Passport Server is purpose-built for e-MRTD ecosystems, offering out-of-the-box support for CSCA, DSC, SPOC, and Master List operations—aligned with ICAO and EU standards. Unlike generic PKI solutions, Khatim provides a streamlined, GUI-driven interface, automation-friendly APIs, seamless HSM integration, and real-time monitoring—ensuring faster deployment, lower complexity, and long-term compliance for passport authorities.

Can alerts be pushed to a central logging system?

The server features a built-in logging and alerting system that captures all incoming requests and responses. It proactively notifies administrators of any issues and securely forwards alerts and logs to centralized systems such as Splunk, Grafana, Graylog, LogRhythm, and others.

 

How many e-Passport Server instances do I need to deploy?

The number of instances depends on your operational scale and high availability requirements. For most national setups, a primary instance with a standby (disaster recovery) instance is sufficient. High-volume or distributed environments (e.g., multiple issuance or verification sites) may benefit from clustered deployments for load balancing and redundancy.