Khatim PKI Server 4.2 is Released – PKI Simplified!

The team at Codegic is delighted to introduce the next version of Khatim PKI & OCSP Server, packed with advanced features and increased functionality. This new version continues to provide organizations with unparalleled security, transparency and simplicity for PKI operations. From stronger encryption algorithms to integration with emerging technologies, the Khatim PKI Server product is set to revolutionize CA & OCSP management. Setting up and managing a PKI is complex, with multiple crypto pieces adding a lot of risk. Khatim PKI Server reduces these risks, making PKI management quick and simple. Here we touch upon some of the new features which set us apart.

Some of the new features of Khatim PKI Server are:

  • More PKI Insights with Graphs
  • Simplified Certification Authority Management
  • Khatim OCSP Server – New Powerful features
  • Improved Daily Summary Reports
  • Supports WCAG v2.0
  • Supports 30+ languages

More PKI Insights with Graphs

Graphs and charts play a vital role in PKI by offering valuable insights and visual representations of complex data, enabling a better understanding of certificate lifecycles, authentication trends, and system performance. PKI admins love stats and so do we! Khatim PKI Server provides detailed graphs covering:

Certification Authorities

Khatim PKI Server v4.1 - CA Dashboard

CA Stats covers many key areas like:

  • Issued Certificates
  • About To Expire Certificates
  • Templates Used
  • Signing Algorithm
  • Key Info
  • Weakness

PKI Admin can also filter based on:

  • A particular CA
  • All CAs

Certificate Provider (CP)

Khatim PKI Server v4.1 - CP Dashboard

Certificate Provider allows business applications to interact with the CA to manage X.509 digital certificates. Some of the insights you can get are:

  • Requests Count
  • Call Type
  • CA Alias
  • Alerts
  • Certificate Provider Policy
  • RA Policy
  • Certificate Template
  • Client / Host IP
  • Failures

PKI Admin can also filter based on:

  • A particular CP instance
  • All instances

OCSP Insights

PKI Admin can also filter based on:

  • A particular OCSP instance
  • All instances

Khatim PKI Server v4.1 - OCSP Dashboard

Simplified Certification Authority Management

Khatim PKI Server lets admins manage and visualize their Certification Authorities, making them easier to control. The CA dashboard shows the list of CAs in card style with critical information like:

  • CA Type
  • Template
  • Key Vault Alias
  • Key Algorithm/Size
  • Subject DN
  • Issuer DN
  • Expiry

Khatim PKI Server v4.1 - CA -Table - Card

Using the built-in, customizable certificate templates, admins can set up certificate templates and multiple CAs, including Root CAs, Sub CAs, Online CAs and Offline CAs. PKI admins can use the powerful filter to search the issued certificates and CRLs.

For offline CAs, admins can also manually enter certificate information, which later helps in OCSP white list checking. For online CAs, certificates can be issued via Certificate Provider (see below) or manually via PKCS#10/CSR.

Managing issued certificates & CRLs

PKI admins can easily see the list of certificates issued by a given CA. These can be either generated for internal usage or issued programmatically via Certificate Provider. Within the same single screen, PKI admins can also:

  • Download Certificate
  • Revoke / Un-revoke Certificate
  • Delete Certificate

Similarly, PKI admins can see the list of CRLs issued by a particular CA, along with their details.

Khatim PKI Server v4.1 - Issued Certs - List

Issued CRL List Viewer & Management

Khatim PKI Server v4.1 - Issued CRLs - List

Khatim PKI Server v4.1 - Issued CRLs Entries- List

Certificate Provider

Khatim PKI Server v4.1 simplifies setting up certificate issuance policies, makes them accessible via a secure RESTful interface and also improves the performance of certificate issuance. Policies can define multiple facets like:

  • Which CA is going to issue the X.509 certificate
  • Which type of certificate will be issued; controlled via the Certificate Template (Code Signing, Document Signing, Email Signing, TLS Client Auth, TLS Server Auth etc.). This also controls the hash algorithm, duration and certificate extensions (Key Usage, Extended Key Usage)
  • Where the key will reside; Key Control (Server or Client-CSR)
  • What is the key size and type; RSA, ECDSA
  • Where is the key stored; KeyVault Location (HSM etc.)
  • What will be the certificate subject DN (Supports 20+ DN attributes)

Khatim PKI Server v4.1 - Certificate Provider Policy

Developer Friendly Integrations with the CA

PKI admins can set up business applications to generate either:

  • Certificate via PKCS#10/CSR
  • Certificate held on the server

Certificates issued on the server can later be used to sign data or documents with password-based authorization. Once policies are set up, business applications can use the secure RESTful interfaces of Certificate Provider for complete certificate lifecycle management:

  • Certificate issuance
  • Certificate revocation (Revoke/Unrevoke)
  • Certificate delete

RESTful Certificate Generation

Accept: application/json
Content-Type: application/json
Verb: POST
Body: multipart/form-data
{
    "cpPolicyId": "client-rsa-cert",
    "raPolicyId": "rapolicy123",
    "accountId": "ahmad123",
    "csr": "-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----",
    "certAlias": "ahmad123"
}

Certificate Generation Response

{
    "responseStatus": "0",
    "issuedCertPem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "certAlias": "ahmad123",
    "accountCertsKeysId": 13,
    "caChain": "..."
}
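
A client-side check that an integrating application could run on the issuance response above before trusting the returned certificate, as an added example (not Codegic's code and not part of the Khatim API): it confirms that the certificate in issuedCertPem carries the same public key as the CSR that was submitted. It assumes responseStatus "0" means success, as in the sample response; the function names and the skeleton DER test data are constructed for illustration.

```python
import base64

def children(der):
    """Split DER bytes into (tag, content, raw) tuples, one per TLV."""
    out, i = [], 0
    while i < len(der):
        tag, n, j = der[i], der[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            n, j = int.from_bytes(der[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
        out.append((tag, der[j:j + n], der[i:j + n]))
        i = j + n
    return out

def pem_to_der(pem_text, label):
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    text = pem_text.strip()
    if not (text.startswith(begin) and text.endswith(end)):
        raise ValueError(f"not a PEM {label}")
    return base64.b64decode("".join(text[len(begin):-len(end)].split()))

def spki(der, is_cert):
    """Raw SubjectPublicKeyInfo TLV of a DER certificate (is_cert) or PKCS#10 request."""
    fields = children(children(children(der)[0][1])[0][1])  # tbsCertificate / requestInfo
    # cert: [0] version (optional), serial, sigAlg, issuer, validity, subject, SPKI; CSR: version, subject, SPKI
    return fields[(6 if fields[0][0] == 0xA0 else 5) if is_cert else 2][2]

def check_issuance(request, response):
    if response.get("responseStatus") != "0":  # assumption: "0" means success
        return f"failed: status {response.get('responseStatus')}"
    if response.get("certAlias") != request["certAlias"]:
        return "failed: alias mismatch"
    csr = pem_to_der(request["csr"], "CERTIFICATE REQUEST")
    cert = pem_to_der(response["issuedCertPem"], "CERTIFICATE")
    if spki(csr, False) != spki(cert, True):
        return "failed: certificate key differs from CSR key"
    return "ok"

# Constructed skeleton DER (not real certificates), just enough structure to run the check.
SEQ0, SIG = b"\x30\x00", b"\x03\x01\x00"  # empty SEQUENCE, empty BIT STRING
def tlv(tag, content):
    return bytes([tag, len(content)]) + content  # short-form length, content < 128 bytes
def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----"
def fake_spki(key):
    return tlv(0x30, SEQ0 + tlv(0x03, b"\x00" + key))
def fake_csr(key):
    return tlv(0x30, tlv(0x30, b"\x02\x01\x00" + SEQ0 + fake_spki(key) + b"\xa0\x00") + SEQ0 + SIG)
def fake_cert(key):
    tbs = tlv(0x30, b"\xa0\x03\x02\x01\x02\x02\x01\x01" + SEQ0 * 4 + fake_spki(key))
    return tlv(0x30, tbs + SEQ0 + SIG)
```

The comparison is over the raw SubjectPublicKeyInfo bytes and also works on real DER certificates and requests; it does not verify the certificate's signature or the caChain.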

Certificate Provider Transaction Logs

PKI admins can easily monitor the incoming requests for certificate issuance and diagnose problems.

Khatim PKI Server v4.1 - Certificate Provider Transaction Logs

Khatim OCSP Server - New Powerful features

With Khatim PKI Server, the latest version of Khatim OCSP Server, v4.1, is also released. It now provides both CRL-based and real-time revocation checking using the CA’s issued certificate database. The performance of OCSP Server has also improved, reducing the latency of revocation checking. PKI admins can easily set up OCSP policies, which allow them to configure:

  • CAs for which OCSP is to be responded
  • Use either the CA’s certificate to sign OCSP response or a delegated OCSP responder cert
  • Enable Extended revocation checking
  • OCSP Signing Algorithm

Khatim PKI Server v4.1 - OCSP Policy

Advanced OCSP Transaction Log Viewer

Khatim OCSP Server has an advanced transaction log view with built-in OCSP request/response viewers, allowing simple troubleshooting of incoming OCSP transactions. The built-in OCSP viewer gives PKI admins a transparent view of what the request/response consists of. This avoids the need for PKI admins to export OCSP data and view it in complex DER-encoded OCSP data viewers.

Khatim PKI Server v4.1 - OCSP Transaction Logs

Khatim PKI Server v4.1 - OCSP Response Viewer

Improved Daily Summary Reports

The latest version provides more insight on the following aspects:

  • Statistics on issued certificates
  • Statistics on about-to-expire certificates
  • Statistics on OCSP Server Processing

These stats can be broken down into:

Certificate Provider stats

Khatim PKI Server v4.1 - Daily Summary Report - Certificate Provider

This provides the following critical stats data:

  • Requests Status
  • Failure Breakdown
    • SUB_DN_NOT_FOUND
    • PWD_NOT_FOUND
    • DUPLICATE_CERT_ALIAS
    • DUPLICATE_KEY_ALIAS
    • POLICY_NOT_FOUND
    • DN_INCORRECT
    • CA_KEY_NOT_FOUND
    • CA_CERT_NOT_EXISTS
    • CSR_NOT_FOUND
    • INVALID_CSR
  • API Breakdown (Create, Revoke, Un-revoke, Delete etc.)
  • Certificate Provider Policy Breakdown
  • CA Alias Breakdown
  • Template Alias Breakdown
  • Host / Client IP Breakdown

Per CA stats

Khatim PKI Server v4.1 - Daily Summary Report - CA

  • Issued Certs; Count of issued, valid, revoked, expired
  • Weaknesses Breakdown; Provides a count of those certificates which are using a weak key size or signing algorithm
  • To-be-expired certificates; within 7, 30 or 60 days
  • Templates Breakdown
  • Template Count
  • Key Info Breakdown
  • Sign Algorithm Breakdown

OCSP Stats

Khatim PKI Server v4.1 - Daily Summary Report - OCSP

  • Request Status
  • Policy Breakdown
  • Client IP Breakdown
  • Host IP Breakdown
  • Cert Status Breakdown
  • Signing Algo Breakdown

WCAG v2.0 Compliance

With full support for Web Content Accessibility Guidelines (WCAG) v2.0, Khatim PKI Server ensures an inclusive digital environment for all users. We understand the importance of accessibility in today’s digital landscape, and our PKI product goes above and beyond to provide an accessible user experience without compromising on security or functionality. Empower your organization with a PKI solution that embraces inclusivity and compliance, while delivering robust security and seamless certificate management.

Supports 30+ languages

Our feature-rich PKI product goes beyond language barriers, providing support for 30+ languages, including English, German, French, Spanish, Portuguese, Russian, Italian, Polish, Ukrainian, Romanian, Dutch, Turkish, Greek, Hungarian, Swedish, Czech, Portuguese, Serbian, Bulgarian, Croatian, Danish, Finnish, Norwegian, Slovak, Catalan, Lithuanian, Bosnian, Galician, Slovene, Latvian, Estonian, Welsh, Icelandic and Irish.

We recognize the importance of global accessibility and strive to eliminate language limitations in digital security. With our solution, users from diverse backgrounds can seamlessly navigate and interact with the PKI system in their preferred language. Experience the power of multilingual support combined with top-notch security, empowering your organization to operate effectively on a global scale while ensuring linguistic inclusivity.

Concluding Thoughts

As we conclude our preview of the Khatim PKI Server, we are thrilled to share that this is merely the beginning of an exciting journey. Codegic has an extensive roadmap in place, brimming with remarkable enhancements in usability and functionality for the upcoming release. Our commitment is to deliver the most secure, cost-effective, and efficient Certification Authority & OCSP server available in the market. Stay tuned for the forthcoming advancements that will propel your trust, identity & digital transformation experience to new heights.