PKI/CA Server you can rely on

Khatim PKI Server enables organizations to build a secure, auditable PKI – HSM-backed, PQC-ready, and compliant with WebTrust, CA/B Forum and RFC 5280. Khatim PKI Server offers seamless integration, scalability, and compliance with global security standards, with support for Post-Quantum Cryptography (PQC).

  • Set up a public or closed PKI
  • Seamless integration with HSMs
  • Easy to integrate with business apps
  • Multilingual interface with built-in PKI designer
  • Compatible with WebTrust, IETF RFC 5280 and CA/B Forum standards

What makes Codegic the best Certification Authority?

Simplify PKI Management

Khatim PKI Server, along with its intuitive PKI Designer, offers a user-friendly web-based GUI that simplifies both PKI deployment and architecture design. PKI Admins can easily configure, visualize, and test PKI components—enabling faster rollout and smoother operations compared to traditional solutions.

Secured Processing & Audit

Ensuring a high level of security and assurance is paramount in any business. Khatim PKI Server accomplishes this by employing military-grade security measures across all its functions, including key management, CA management, certificate issuance and transaction management.

WebTrust, CA/B Forum Compliant

Khatim PKI Server adheres to all of the recommended guidelines from WebTrust, CA/B Forum, and IETF standards, meeting the regulatory and security requirements.

Post Quantum Resistant!

Khatim PKI Server supports hybrid certificates with both traditional and post-quantum algorithms, ensuring long-term security against quantum threats.

Khatim PKI Server Usages

IAM & Trust

Embrace a flexible PKI platform to adapt to evolving security requirements & growing needs for user identity management.

IoT Security

Embed certificate-based identity into millions of devices, ensuring identity, secure communication and trust.

Signatures

Issue certificates to apps & users to create digital signatures protecting the integrity of data, transactions and documents

Core Features

Features you get from Khatim PKI Server

  • WebTrust, IETF and CA/B Forum Compliant

    Khatim PKI Server adheres to the industry standards set by WebTrust, IETF and CA/B Forum for Certification Authorities, including RFC 5280. Khatim PKI Server helps organizations in joining root certification programs by providing the necessary functionalities and features to meet their requirements.

    For more details, see eIDAS PKI Compliance.

  • Support all HSMs

    Quickly integrates with your existing HSMs over PKCS#11. Some of these are:

    Entrust nShield
    Thales Luna & Protect Server
    Utimaco Cryptoserver
    Microsoft Azure Cloud HSM
    AWS HSM

    Environments that don’t require HSMs can still use software-based cryptographic keystores.

    For more details, see Khatim PKI Server – HSM Integrations.

  • Manage Multiple CAs & PKIs using PKI Designer

    A single deployment of Khatim PKI Server can handle multiple Certification Authorities, including online and offline CAs, making them easy to manage from a single portal. With the built-in PKI Hierarchy viewer, PKI admins can easily match the design provided to them by PKI architects.

    For more details see Visualize PKI Hierarchies.

  • Cryptographic Agility

    Khatim PKI server supports diverse cryptographic requirements such as:

    RSA (2048, 4096, 8192)
    ECDSA (192, 224, 256, 320, 384, 512)
    SHA-256, 384 and 512 hashing algorithms

    For more details see Cryptographic Agility with PQC.

  • Developer friendly Integration

    PKI Admins can either manually issue X.509 digital certificates based on PKCS#10/CSR or allow business applications to request client-end certificates via RESTful interfaces. Keep your business applications in charge of creating, deleting or revoking digital certificates. Integrate with Khatim RA Server to support more protocols like:

    CMP
    EST
    SCEP
    ACME

    For more details, see Developer-Friendly Integrations.

  • Reporting, Stats, Logging & Auditing

    Admins can monitor their PKI servers in real time and filter data based on CA policies, templates, success/failure, signing algorithm and more. Khatim PKI Server also creates daily summary reports along similar data points, giving administrators a snapshot of what types of certificates were generated during the day, along with any failures and alerts.

    Khatim PKI Server also saves all incoming transactions and configurations for thorough analysis. Administrators can easily download and review requests and responses in real time for investigation. All updates made to the system by operators are also recorded, providing a reliable audit trail.

    For more details see Live Monitoring, Reporting, Auditing & Logging.

  • Ensuring IoT Security

    Khatim PKI Server seamlessly issues digital certificates to IoT devices, allowing them to securely authenticate themselves and communicate with other devices and systems. It supports the Matter specification from the Connectivity Standards Alliance and more.

    For more details, see PKI for IoT Integration.

  • Complete Certificate Coverage

    Khatim PKI Server lets you issue X.509 digital certificates for all the purposes required to ensure a trusted infrastructure, such as:

    Email / Document Signing (RFC 9336)
    SSL Client / Server / VPN Authentication
    Code Signing / QWAC / QSeal / PSD2 / mDL (18013-5)
    Timestamping Certificate
    OCSP

    For more details regarding mDL, see Mobile Driving License PKI.

  • Simplified Migration

    Migrate your existing Root CA or Sub CA keys and certificates to Khatim PKI Server. Say goodbye to legacy CA servers effortlessly and adopt the new way of managing keys and certificates with more control and insights.

  • Unlimited Scalability

    Khatim PKI Server can be clustered, minimizing latency and enabling high throughput. New servers can be added seamlessly without stopping running instances, ensuring uninterrupted service for your business. Khatim PKI Server can meet the growing needs of your enterprise and ensure that your digital security infrastructure keeps pace with your business growth.

  • Quick & Bulk Revocation

    Khatim PKI Server allows quick revocation of existing digital certificates and also ‘Bulk Revocation’. You can also configure your CAs to issue CRLs at recurring time frames, avoiding the hassle of manual CRL issuance.

  • Military Grade Access Control

    Trusted personnel can access CA functions only via powerful, passwordless authentication using military-grade TLS client authentication.

  • Proactive Alerts & Troubleshooting

    Khatim PKI Server sends proactive notifications to administrators in case of server malfunction. All issues are recorded for traceability and can also be securely pushed to your central logging systems such as:

    Splunk
    Grafana
    Graylog
    LogRhythm etc.

  • Cross Platform, Diverse Deployments

    The Khatim PKI server is platform-independent, making it compatible with both Windows and Linux. It can be deployed in various environments such as:

    On-premise private or public cloud
    VMs
    Physical machines

Deployment

  • Supported OS

    All flavors of Windows Server & Linux (CentOS Stream, Ubuntu, Red Hat, Fedora)

  • Languages

    50+ Languages (English, Chinese, French, Italian, Spanish, Arabic, German, Portuguese etc.)

  • Minimum H/W Requirement

    8 GB RAM, 2 vCPU (2.3 GHz), 10 GB disk space.

Words from Client

Leading companies rely on us for their PKI and digital signature needs

We were struggling with our PKI implementation when Codegic came to the rescue. They not only sorted our technical issues but also designed the whole PKI for the infrastructure.

Hemal Patel, CEO, Ray Pte. Ltd.

Pricing

  • Khatim PKI Server is charged per bundle
  • Each bundle allows you to deploy 2 instances of PKI server in high availability mode
  • To add more servers to your existing pool, add more bundles or buy a single server instance at 50% of the bundle price
  • Test environments or Staging environments are charged 50% of the price

Maintenance Plan

With an active annual software maintenance plan:

  • Keep your installation safe and secure with the latest security updates
  • Get free access to the newest features, enhancements, and bug fixes
  • Get premium support from our technical engineers (within 24 hours on business days)

Has your maintenance expired?

Want to renew your maintenance plan? The price for 12 months is 25% of your license’s (current) list price.

Save more with extended support

  • Extend for 24 months and save 10%
  • Extend for 36 months and save 15% (best value)

FAQs

Can we integrate with existing CAs?

Naturally, integrating Khatim PKI Server with your current CAs is possible, and any customization required for the integration will be free of charge.

What is needed to run a Certification Authority?

Deploying a PKI server requires two core components:

  • CA software and efficient hardware on which to deploy it
  • Cryptographic hardware, such as an HSM, which ensures that the keys for Root CA, Sub CA and end-entities remain secure and protected.

Note that running a PKI is not merely deploying software; there are other areas such as planning, deployment and auditing. See our article on what is PKI all about.

How can developers integrate with the PKI server?

There are 2 options:

  • Keys are generated on the server: developers can use any tool that generates JSON-based RESTful requests to send certificate management requests.
  • Keys are generated on the client: developers can use any cryptographic API that provides a client-side implementation of key generation. Some of these are:
    • Bouncy Castle
    • OpenSSL
    • Microsoft Crypto API
    • Libgcrypt
    • Botan
    • Crypto++
    • WolfSSL
    • GnuTLS
    • LibreSSL
    • Java Cryptography Architecture (JCA)
    • Apple Security Framework
    • PKI.js
    • NSS-Tools

How many PKI server instances do I need to deploy?

Deploy multiple instances of Khatim PKI Server for high availability and increase as needed to achieve the desired TPS rates or regulatory needs. It’s important to consider deploying in both staging and DR zones.

How can we boost TPS with Khatim PKI Server?

Many factors can boost performance. These include:

  • Opting for ECDSA over RSA keys (check with your HSM vendor too)
  • 2048 bit RSA keys over 4096 bit
  • 384 bit ECDSA key over 521 bit
  • Deploying multiple load-balanced servers instead of a single instance
  • Deploying the OCSP server near your client region with low network latency
  • Using an HSM for key storage instead of software
  • Using a PCI-based HSM over a network/cloud-based HSM

There are already many PKI servers in the market. Why choose Khatim PKI Server?

Choosing the right OCSP server could be difficult. In any case, follow the checklist to choose the right one:

– Does it provide quick installation and simple configuration?
– Does it provide the throughput you expect & scales quickly?
– Does it support WebTrust, CA/B Forum guidelines?
– Does it support RSA and ECDSA algorithms?
– Does it raise alerts in case of failures?
– Does the vendor provide quick support?
– Are all operations done securely?
– Does it fit your budget?

Can alerts be pushed to a central logging system?

The Khatim PKI Server comes equipped with an integrated logging system that records all incoming requests and responses. Administrators are promptly notified of any issues, and secure notifications can be sent to central logging systems like Splunk, Grafana, Graylog, LogRhythm, and more.

Which technology stack is used?

Khatim PKI server is built with Java (OpenJDK) and Apache Tomcat, providing platform independence and allowing for easy deployment on multiple platforms such as Linux, Windows, and Mac.