
Generic PKI (GPKI)

Dec 21, 2015
The Generic PKI (GPKI) protocol is a proprietary XenMobile protocol that runs on top of a SOAP web service layer and gives XenMobile a uniform interface to different PKI solutions. The GPKI protocol defines three fundamental PKI operations:
  • sign: The adapter accepts Certificate Signing Requests (CSRs), forwards them to the PKI and returns the newly signed certificates.
  • fetch: The adapter retrieves (recovers) existing certificates and, depending on the input parameters, key pairs from the PKI.
  • revoke: The adapter causes the PKI to revoke a given certificate.

The receiving end of the GPKI protocol is the GPKI Adapter. The adapter translates the fundamental operations into the interface of the specific PKI product for which it was built (that is, there is one GPKI Adapter for RSA, another for OpenTrust, and so on).

Figure 1. GPKI Communication Overview

The GPKI Adapter, being a SOAP Web Services endpoint, publishes a self-describing WSDL. Creating a GPKI PKI Entity amounts to providing XenMobile with that WSDL, either through a URL or by uploading the file itself.

Support for each of the PKI operations in an adapter is optional. If an adapter supports a given operation, it is said to have the corresponding capability (sign, fetch or revoke). Each of these capabilities may be associated with a set of user parameters.

User parameters are parameters that the GPKI adapter defines for a specific operation and for which you must supply values in XenMobile. XenMobile determines which operations the adapter supports (that is, which capabilities it has) and which parameters each of them requires by parsing the WSDL. The connection between XenMobile and the GPKI Adapter can optionally be secured with SSL client authentication, in which case the adapter accepts requests only from a client that presents a trusted certificate.
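As an added illustration of the capability discovery just described (this is not Citrix code, and the WSDL below is constructed for the example; the real GPKI adapter contract is not shown on this page), the following Python script parses an adapter WSDL the way the text says XenMobile does: each operation in the portType becomes a capability, and the elements of that operation's input message schema become its user parameters, with minOccurs="0" marking an optional one. The constructed adapter implements sign and revoke but not fetch, so the script also shows how a missing capability and missing required parameter values are detected before any request is sent. Namespace, operation and parameter names in the sample WSDL are assumptions.

```python
"""Discover GPKI-style capabilities and user parameters from an adapter WSDL.

Added example, not Citrix code. SAMPLE_WSDL is a constructed WSDL for a
hypothetical adapter; its names and types are assumptions, not the real
GPKI contract.
"""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XSD_NS = "http://www.w3.org/2001/XMLSchema"

# The three fundamental GPKI operations named in the documentation.
GPKI_OPERATIONS = ("sign", "fetch", "revoke")

# Constructed WSDL: the adapter exposes sign and revoke, but no fetch.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://example.invalid/gpki"
    targetNamespace="http://example.invalid/gpki">
  <types>
    <xsd:schema targetNamespace="http://example.invalid/gpki">
      <xsd:element name="sign"><xsd:complexType><xsd:sequence>
        <xsd:element name="csr" type="xsd:base64Binary"/>
        <xsd:element name="template" type="xsd:string"/>
        <xsd:element name="validityDays" type="xsd:int" minOccurs="0"/>
      </xsd:sequence></xsd:complexType></xsd:element>
      <xsd:element name="signResponse"><xsd:complexType><xsd:sequence>
        <xsd:element name="certificate" type="xsd:base64Binary"/>
      </xsd:sequence></xsd:complexType></xsd:element>
      <xsd:element name="revoke"><xsd:complexType><xsd:sequence>
        <xsd:element name="serial" type="xsd:string"/>
        <xsd:element name="reason" type="xsd:string" minOccurs="0"/>
      </xsd:sequence></xsd:complexType></xsd:element>
      <xsd:element name="revokeResponse"><xsd:complexType><xsd:sequence>
        <xsd:element name="revoked" type="xsd:boolean"/>
      </xsd:sequence></xsd:complexType></xsd:element>
    </xsd:schema>
  </types>
  <message name="signRequest"><part name="parameters" element="tns:sign"/></message>
  <message name="signResponse"><part name="parameters" element="tns:signResponse"/></message>
  <message name="revokeRequest"><part name="parameters" element="tns:revoke"/></message>
  <message name="revokeResponse"><part name="parameters" element="tns:revokeResponse"/></message>
  <portType name="GpkiAdapter">
    <operation name="sign">
      <input message="tns:signRequest"/><output message="tns:signResponse"/>
    </operation>
    <operation name="revoke">
      <input message="tns:revokeRequest"/><output message="tns:revokeResponse"/>
    </operation>
  </portType>
</definitions>
"""


def _local(qname):
    """Strip a namespace prefix: 'tns:sign' -> 'sign'."""
    return qname.split(":", 1)[-1]


def parse_capabilities(wsdl_text):
    """Return {operation name: [user parameter dicts]} for every portType operation.

    A parameter dict has 'name', 'type' and 'required' (minOccurs != 0).
    """
    root = ET.fromstring(wsdl_text)
    # 1. Schema: top-level element name -> the parameters nested inside it.
    elements = {}
    for schema in root.iter(f"{{{XSD_NS}}}schema"):
        for top in schema.findall(f"{{{XSD_NS}}}element"):
            params = []
            for p in top.iter(f"{{{XSD_NS}}}element"):
                if p is top:
                    continue  # iter() yields the element itself first
                params.append({
                    "name": p.get("name"),
                    "type": _local(p.get("type", "")),
                    "required": p.get("minOccurs", "1") != "0",
                })
            elements[top.get("name")] = params
    # 2. Messages: message name -> schema element carried by its part.
    messages = {}
    for msg in root.findall(f"{{{WSDL_NS}}}message"):
        part = msg.find(f"{{{WSDL_NS}}}part")
        elem = part.get("element") if part is not None else None
        messages[msg.get("name")] = _local(elem) if elem else None
    # 3. PortType operations: operation name -> parameters of its input message.
    capabilities = {}
    for port_type in root.findall(f"{{{WSDL_NS}}}portType"):
        for op in port_type.findall(f"{{{WSDL_NS}}}operation"):
            inp = op.find(f"{{{WSDL_NS}}}input")
            elem = messages.get(_local(inp.get("message"))) if inp is not None else None
            capabilities[op.get("name")] = elements.get(elem, [])
    return capabilities


def supported_operations(capabilities):
    """Which of the three fundamental GPKI operations this adapter offers."""
    return [op for op in GPKI_OPERATIONS if op in capabilities]


def missing_user_parameters(capabilities, operation, provided):
    """Names of required user parameters for `operation` that `provided` lacks."""
    if operation not in capabilities:
        raise ValueError(f"adapter has no '{operation}' capability")
    return [p["name"] for p in capabilities[operation]
            if p["required"] and p["name"] not in provided]


if __name__ == "__main__":
    caps = parse_capabilities(SAMPLE_WSDL)
    for op in GPKI_OPERATIONS:
        if op in caps:
            print(op, [p["name"] + ("" if p["required"] else "?") for p in caps[op]])
        else:
            print(op, "not supported by this adapter")
```

The parser only resolves the input message of each operation, because that is where an adapter declares the values it needs from XenMobile; the response schemas are carried along in the sample WSDL only to keep it realistic. Any WSDL that uses RPC-style parts instead of document-literal elements would need the message parts read directly, which this example does not attempt.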