PKI system features
Multiple CAs and levels of CAs, build a complete infrastructure (or several) within one instance of EJBCA.
Unlimited number of Root CAs and SubCAs. Request cross certificates and bridge certificates from other CAs and Bridge CAs. Issue cross certificates to other CAs.
Support all common
PKI Architectures, as well as many uncommon. Follows X509 and PKIX (RFC5280) standards where applicable.
Supports RSA key algorithm up to 8192 bits.
Supports DSA key algorithm with 1024 bits.
Supports ECDSA key algorithm with named curves or implicitlyCA.
Support multiple hash algorithms for signatures, SHA-1, SHA-2, SHA-3.
Compliant with NSA SUITE B algorithms and certificates.
Support for X.509 certificates and Card Verifiable certificates (CVC BSI TR-03110) used by EU
EAC ePassports and eIDs. Supports short and long lived certificates. From infinite validity down to minutes or even seconds.
Support for Hardware Security Modules (HSMs). Built in support for Thales/nCipher, SafeNet Luna, SafeNet ProtectServer, Utimaco CryptoServer, AEP Keyper, ARX CoSign, Bull Trustway, Nitrokey, YubiHSM and other HSMs with a good PKCS#11 library.
Individual enrollment or batch production of certificates.
Issues SSL/TLS certificates that work with all common servers.
Admin registration and self-registration work-flows out of the box. Supports virtually any work-flow with plug-ins and integration. Server and client certificates can be exported as PKCS12, JKS or PEM.
Easy to use
RA web UI for self registration and issuance by administrators. Legacy browser enrollment with Firefox.
Enrollment for other applications through open APIs and tools.
Enrollment generating complete OpenVPN installers for VPN users.
Mobile enrollment, i.e. iOS using
SCEP. Revocation and Certificate Revocation Lists (CRLs).
CRL creation and URL-based CRLDistribution Points according to RFC5280.
Smart card logon certificates for Windows, Linux and Mac OS X.
Configurable certificate profiles for different types and contents of certificates.
Standard and custom certificate extensions supported.
Qualified Certificate Statement (RFC3739) for issuing EU/ETSI qualified certificates.
Supports the Online Certificate Status Protocol (
OCSP - RFC2560, RFC6960 and RFC5019), including AIA-extension. Supports RFC4387 for distribution of CA certificates and CRLs over HTTP.
Support for RFC4683, Subject Identification Method (SIM).
Validation Authority service serving OCSP responses (RFC2560/5019), CA certificates and CRLS (RFC4387).
Supports the German
Common PKI SigG CertHash OCSP extension. Key recovery to store private keys for recovery for selected users and certificates.
Standard integration protocols and APIs. SCEP, CMP, EST, ACME, REST and SOAP WS (see Integration Features).
Validators for standard key quality measures, and calling external scripts (for example linters).
ePassport, eID and eDL PKI features
Support for BAC PKI, Country Signing CA (CSCA) and Document Signer (DS) certificates.
SignServer as Document Signer creating Security Objects (SOD). Support for EAC PKI (EJBCA Enterprise only).
PrimeKey NPKD for a National PKD. Publisher for ICAO PKD, publishing DS certificates and CSCA CRLs to ICAO PKD LDAP directory.
Support ISO 18013 Amendment 2 eDL (Driver License).
Built on the Java EE (now Jakarta EE) specification.
Flexible, component based architecture.
Run standalone or integrated in any JEE application.
Web service (WS) interface for remote administration and integration. Supports the Simple Certificate Enrollment Protocol (
CMP (Relevant parts of RFC4210 and RFC4211). Supports
EST (Relevant parts of RFC7030, Enterprise only). Supports
ACME (Relevant parts of RFC8555, Enterprise only).
REST Certificate Management API (Enterprise only). External Validation Authority and OCSP responder also works with any other CA than EJBCA and support large scale OCSP deployments.
Validation Authority and OCSP responder can run integrated with EJBCA or stand alone (clustered) for security, high-performance and high-availability.
Simple OCSP client in pure java.
Plug-in functionality allowing you to enhance with your own functionality and work flows. Command line interface for scripts etc.
Administration GUI localizable and available in several languages (whole or in part) - Japaneese, English, French, German, Italian, Portuguese, Spanish, Chinese, ...
Internal log messages are localizable for different languages.
Component- and plug-in based architecture for publishing certificates and CRLs to different sources.
API for an external RA, restricting in-bound traffic to CA.
Simple installation and configuration.
Administration through Web GUI, command line or Web Services.
Powerful Web based administration GUI using strong authentication.
Easy to use RA web UI for self registration and issuance by administrators.
Configurable entity profiles for different types of users.
Notification system for e-mail notification to users and administrators when a user is added or certificates expire etc.
Random or manual password for initial user authentication.
Multiple levels of administrators with specified privileges and roles.
Authentication of local CLI users enabling role separation also for local CLI.
Stores Certificates and CRLs in SQL database, LDAP and/or other custom data source.
OCSP and WS transaction logging suitable for statistics and billing.
Optional multiple publishers for publishing certificates and CRLs in LDAP or legacy databases. Several flexible standard publishers exist to meet different demands.
Supports authentication and publishing of certificates to Microsoft Active Directory.
Optional approval mechanism so several admins are required to perform an action, a.k.a. dual-authentication or 4-eyes principle.
Component based architecture for various authorization methods of entities when issuing certificates.
batch enrollment GUI for CSRs (webservice RA). Possibility for autoenrollment, using scripts and APIs.
Easy upgrade paths when new versions are released.
Written in pure Java, running in a JEE application server. Interfaces with Hardware Security Modules using standard PKCS#11 interface.
High performance and capacity, issue hundreds of certificates per second, store hundreds of millions of certificates.
Stress test and performance measuring tools in the
EJBCA Client Toolbox. Using standard, high performance RDBMS for storage. Easy to understand and manage.
Supports different architectures; all-in-one, clustered, external RA, external OCSP, etc.
Possible to integrate into large java applications for optimal integration into business process.
Deploys easily in a clustered, high availability environment.
Health check monitoring service to support efficient clustering and monitoring.
Supports multiple databases: MySQL, PostgreSQL, H2, Oracle, DB2, MS SQL, ...
Unique possibility to configure either as fully audited CA or as high speed
certificate factory, with the same level of management features.
Enterprise Edition features
Support and maintenance from PrimeKey, world renowned PKI experts.
Regular maintenance and security releases.
Common Criteria EAL4+ certified.
Used in many WebTrust, CWA 14167 and eIDAS audited installations.
eIDAS compliant certificates including profiles for Qualified certificates and PSD2.
FIPS 201-2 (PIV) compliant certificates including FASC-N subjectAltName
audit log (log signing), with digital signature or HMAC protection. Full database integrity protection of all tables, to detect database manipulation.
Command line tool for verification of audit and database integrity protection.
Validation tool for conformance checking of certificates and OCSP responders.
EAC PKI (EAC 1.11 and 2.10) for ePassports and eIDs, Country Verifying CA (CVCA) and Document Verifiers (DV) issuing Inspection System (IS) certificates.
Certified access control and authorization module, for assurance and high trust role separation.
Support for EST protocol,
RFC7030 (relevant parts), Enrollment over Secure Transport. Support for ACME protocol,
IETF Draft, RFC8555 (relevant parts).
REST Certificate Management API Support for Native
Autoenrollment in Windows environment with add-on autoenrollment proxy module.
3GPP, i.e. LTE/4G, compatible PKI, using CMP with multiple Vendor CAs and vendor certificate authentication.
CMP Proxy to add an additional network layer, with message check, between the CA and CMP clients. Command line CMP client in Java useful for scripting, testing and prototyping.
SCEP RA mode, using SCEP controlling entity creation from an RA.
SCEP Client Certificate Renewal, allowing client certificate renewal using SCEP
Certificate Transparency, RFC6962.
CertSafe publisher to send, and revoke, certificates from a CertSafe server.
Peer Connectors for managing Peer Systems, such as OCSP Responders. Proxy CMP and Windows Autoenrollment through the
RA (using Peers) to avoid direct communication with the CA. Direct Validation Authority (OCSP responder) updates from CA to VA. Ideal for low latency revocation and white listing.
Create Crypto Tokens and CAs, generate keys and add and remove administrators through the Web Service API.
EV Certificate specific DN components as defined in CABForum guidelines (jurisdictionLocality, State and Country).
eIDAS specific fields as defined in ETSI EN 319 412 (organizationIdentifier).
Additional algorithms using HSMs through PKCS#11,
RSASSA-PSS (SHA256WithRSAAndMGF1). Available through patches for Java. Support for GOST and DSTU algorithms (Russian and Ukrainian algorithms).
Penetration tested with improved security.
CAA records (RFC6844) during certificate issuance. GDPR features, configurable to not publish PII from CA to VA.
© 2002-2019 PrimeKey Solutions AB. EJBCA
® is a registered trademark of PrimeKey Solutions AB.