Khatim Trust Suite

Empowering you to become the authoritative 'Trust Service Provider'
  • Supports EU eIDAS and ETSI Standards for TSPs
  • One suite to cover all your CA & Signing needs
  • Robust Security and Compliance Standards
  • Reliable Timestamping for Digital Integrity
  • Exceptional Support and Maintenance
EU TSPs' PKI Vendor Guide

Your Gateway to Secure Digital Transactions


Designed specifically for Trust Service Providers (TSPs) operating within the European Union, Khatim Trust Suite offers a robust, scalable, and compliant Public Key Infrastructure (PKI) framework. Our suite encompasses all essential components required to manage digital identities, secure communications, and ensure the integrity of digital transactions.

At the heart of Khatim Trust Suite are our powerful modules: Certificate Authority (CA), Registration Authority (RA), Online Certificate Status Protocol (OCSP) responder, Timestamping, and Digital Signing & Verification tools. Together, these modules provide a seamless and integrated platform for issuing, managing, and validating digital certificates, timestamps, and signatures.

Trust Service Provider services

Khatim Trust Suite Modules

Khatim PKI Server

Maintaining an elevated standard of security and confidence is imperative for every business endeavor. Khatim PKI Server achieves this by implementing military-grade security protocols across its entire spectrum of operations, encompassing key management, CA management, certificate issuance, and transaction management.

Khatim RA Server

Khatim RA Server guarantees dependable validation and vetting for large-scale X.509 certificate issuance spanning various business applications, devices, and users, and meticulously tracks the entire lifecycle of certificate requests.

Khatim Sign Server

Khatim's digital signing solution simplifies document digitization and transactions, including eSeal functionality. It seamlessly integrates with existing enterprise systems, enabling robust PKI-driven advanced digital signatures. This ensures document authenticity, integrity, and non-repudiation, with archivable and verifiable status for years.

Khatim OCSP Server

Complex OCSP systems can breed confusion and elevate the risk of errors. Khatim OCSP Server stands out with its intuitive web GUI tailored for administrators, streamlining deployment, integration, and testing processes significantly compared to alternative solutions on the market.

Khatim Timestamp Server

Engineered for unparalleled performance, Khatim Timestamp Server (also known as KTS) delivers market-leading speed tailored for high-volume processing, offering top-tier speeds that surpass what other solutions can provide.


Experience the transformative power of KhatimDoc, revolutionizing your approach to secure and legally binding contract signings. Envision the thrill of effortlessly applying your digital signature, enhanced with state-of-the-art cryptographic technology, guaranteeing unparalleled authenticity and integrity for your documents.

Success Story


“We needed the ability to use X.509 Certificate based SSL Client Authentication to provide an additional security layer for our cloud-based applications and Codegic not only quickly provisioned the certificates we needed, but also provided very responsive support when we had questions. Rolling out any PKI project can be hard work, but having a partner like Codegic has made it fast and easy.”


Kevin de Smidt, Head of Technology, CURE International


Can we install all components of Khatim Trust Suite on one box?

While it is technically feasible to install all components of the Khatim Trust Suite on a single server, it’s crucial to evaluate your specific requirements and constraints. For optimal performance, security, and reliability, a distributed setup with dedicated servers for each component is recommended, especially for larger deployments or high-security environments.

If you have further questions or need assistance with your deployment, please contact our support team. We’re here to help you design a setup that meets your needs and ensures the highest levels of trust and security.

What is needed to run a Certification Authority?

Deploying a PKI server requires two core components:


  • CA software and efficient hardware on which to deploy it
  • Cryptographic hardware, such as an HSM, which ensures that the keys for the Root CA, Sub CA and end-entities remain secure and protected.


Note that running a PKI is not merely a matter of deploying software; there are other areas such as planning, deployment and auditing. See our article on what PKI is all about.

How can developers integrate with the PKI server?

There are 2 options:


  • Keys are generated on the server: developers can use any tool that generates JSON-based RESTful requests to send certificate management requests
  • Keys are generated on the client: developers can use any cryptographic API that provides a client-side implementation of key generation. Some of these are:
    • Bouncy Castle
    • OpenSSL
    • Microsoft Crypto API
    • Libgcrypt
    • Botan
    • Crypto++
    • WolfSSL
    • GnuTLS
    • LibreSSL
    • Java Cryptography Architecture (JCA)
    • Apple Security Framework
    • PKI.js
    • NSS-Tools
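
The client-side option, sketched with OpenSSL as an added example (not Codegic's code and not a Khatim API): the private key is created and kept locally, and only a PKCS#10 request carrying the public key and a proof-of-possession signature would be sent to the CA. The function names, file names and subject are constructed for illustration, and the submission step is left out because the page does not describe the request format.

```shell
#!/usr/bin/env bash
# Added example: client-side key generation with OpenSSL. Function names,
# file names and the subject are constructed for illustration.
set -euo pipefail

# make_csr DIR: create a P-384 private key and a PKCS#10 CSR inside DIR.
make_csr() {
  local dir="$1"
  (
    umask 077  # private key readable by its owner only
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \
      -out "$dir/client.key"
  )
  openssl req -new -key "$dir/client.key" -sha384 \
    -subj "/O=Example Org/CN=client.example.test" -out "$dir/client.csr"
}

# csr_is_valid CSR: true if the CSR's self-signature verifies, i.e. the
# requester holds the private key (proof of possession).
csr_is_valid() {
  local out
  out=$(openssl req -in "$1" -noout -verify 2>&1) || true
  case "$out" in *"verify OK"*) return 0 ;; *) return 1 ;; esac
}

# pub_digest: hash a PEM public key read from stdin, normalised to DER.
pub_digest() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# csr_matches_key CSR KEY: true if the CSR carries the public half of KEY.
csr_matches_key() {
  local a b
  a=$(openssl req -in "$1" -noout -pubkey | pub_digest)
  b=$(openssl pkey -in "$2" -pubout | pub_digest)
  [ "$a" = "$b" ]
}

# Demo run in a throwaway directory.
work=$(mktemp -d)
make_csr "$work"
csr_is_valid "$work/client.csr" \
  && csr_matches_key "$work/client.csr" "$work/client.key" \
  && echo "CSR verified; only client.csr would leave this host"
rm -rf "$work"
```

The same two checks are what a registration authority would typically run on an incoming request before vetting the subject.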

How many PKI server instances do I need to deploy?

Deploy multiple instances of Khatim PKI Server for high availability, and add more as needed to reach the desired TPS rates or meet regulatory needs. It’s also important to consider deploying in both staging and DR zones.

How can we boost TPS with Khatim PKI Server?

Many factors can boost performance. These include:


  • Opting for ECDSA over RSA keys (Check with your HSM vendor too)
  • 2048 bit RSA keys over 4096 bit
  • 384 bit ECDSA key over 521 bit
  • Deploying multiple load balanced servers instead of a single instance
  • Deploying OCSP server near your client region with low network latency
  • Using an HSM for key storage instead of software
  • Using a PCI-based HSM over a network/cloud-based HSM

There are already many PKI servers on the market. Why choose Khatim PKI Server?

Choosing the right PKI server can be difficult. In any case, follow this checklist to choose the right one:


– Does it provide quick installation and simple configuration?
– Does it provide the throughput you expect and scale quickly?
– Does it support Web Trust and CA/B Forum guidelines?
– Does it support RSA- and ECDSA-based cryptography?
– Does it raise alerts in case of failures?
– Does the vendor provide quick support?
– Are all operations done securely?
– Does it fit your budget?

Can alerts be pushed to a central logging system?

The Khatim PKI Server comes equipped with an integrated logging system that records all incoming requests and responses. Administrators are promptly notified of any issues, and secure notifications can be sent to central logging systems like Splunk, Grafana, Graylog, LogRhythm, and more.

Which technology stack is used?

Khatim PKI server is built with Java (OpenJDK) and Apache Tomcat, providing platform independence and allowing for easy deployment on multiple platforms such as Linux, Windows, and Mac.


Test drive Khatim Trust Suite and explore its powerful features.

Still not convinced?

It takes only a few minutes to see Khatim Trust Suite in action!
Super Simple Installation

Khatim Trust Suite boasts a hassle-free installation and configuration process that administrators find easy to use.

All Compliant

Khatim Trust Suite is compliant with the standards set by Web Trust, IETF RFC 5280, and the CA/B Forum.

Try for free

Want to witness the power of Khatim Trust Suite firsthand? Sign up for our 30-day free trial today.