EJBCA - Open Source PKI Certificate Authority

EJBCA - The Open Source CA

EJBCA is PKI Certificate Authority software, built using Java (JEE) technology. Robust, flexible, high performance, scalable, platform independent, and component based, EJBCA can be used stand-alone or integrated with other applications.

Extremely scalable and flexible, EJBCA is suitable to build a complete PKI infrastructure for any large enterprise or organization. If you only want to issue a few single certificates for testing, there are probably other options that will get you started quicker, but if you want a serious Certificate Authority to manage your Public Key Infrastructure, we recommend EJBCA.

EJBCA has everything for your trust center. Contact us for more info, or look at the extensive feature list.

EJBCA News Feed

Want to take your PKI to the next level? With EJBCA Enterprise Cloud you can quickly and easily get access to EJBCA Enterprise without long-term contracts or up-front commitments. Available on AWS marketplace, EJBCA Enterprise Cloud gives you the robust security of EJBCA Enterprise with a pay-as-you-grow structure, and you can be up and running within a few minutes. Read more about EJBCA Enterprise Cloud on our web page or on AWS marketplace.
Posted: 2018-12-19

EJBCA Enterprise 7.1.0 has now been released. PrimeKey's EJBCA Enterprise is Common Criteria EAL4+ certified and ETSI/eIDAS/WebTrust compliant to provide the most powerful and flexible PKI. For the features that are only available in EJBCA Enterprise, see the section on "Enterprise Edition features" in the features list. EJBCA 7.0 brings an updated technology stack, PSD2 support and Blacklist validators.
Posted: 2019-04-29

EJBCA Community is now available. Visit the download section. There you will also find a pre-installed VM (of an older EJBCA version, though) to try.
Posted: 2019-05-24

EJBCA Community Containers. Go to DockerHub to run the latest EJBCA Community edition as a container.
Posted: 2019-03-11

Keep track of certificate issuance using Graylog. Create nice dashboards with Graylog or other log analytics tools!
Posted: 2018-10-08

PKI-in-a-box! By integrating secure hardware technology with the flexibility, reliability and feature set of EJBCA Enterprise, the turnkey PKI Appliance features an easy to install PKI-in-a-box, offering predictable costs and increased quality to your PKI solution. Check out the simpler, yet safer, PrimeKey PKI Appliance.

Windows Autoenrollment! Native Windows Autoenrollment is now available using the Autoenrollment Gateway.


Certificate issuance

Example use cases (non-exhaustive) where EJBCA is used to issue certificates are:

  • PKI Trust and Certificate service providers, WebTrust and ETSI (including eIDAS) compliant.
  • Strong authentication for users accessing your intranet/extranet/internet resources.
  • Secure communication with TLS servers and TLS clients. EJBCA is an excellent TLS PKI.
  • PKI Automation using integration protocols: CMP, EST, SCEP, ACME, REST, SOAP, ...
  • Native Windows Autoenrollment using Autoenrollment Gateway.
  • Smart card and token management.
  • Smart card logon to Windows and/or Linux.
  • Linux autoenrollment, automated secure VM and container deployment, and more.
  • Signing and encrypting email (SMIME).
  • VPN connections by issuing certificates to your VPN routers such as OpenVPN, Cisco, Juniper etc.
  • Client VPN access with certificates in users' VPN clients.
  • Network authentication with 802.1x.
  • Single sign-on by using a single certificate to secure logon to web applications.
  • Creating signed documents.
  • Mobile PKI, enrolling iOS etc.
  • Secure mobile networks, i.e. 3GPP/LTE/4G using the CMP protocol.
  • Counterfeit prevention by signing and pairing accessories.
  • PKI for the Internet of Things (IoT PKI). Unique identities for each IoT device, certificate authentication for TLS/DTLS, Code Signing. Need hundreds of millions of certificates fast? EJBCA will handle it.
  • Mobile Device Management (MDM) and Enterprise Mobility Management (EMM).
  • Issue citizen certificates for access to government resources, used in passports etc.
  • ePassport PKI. CSCA and Document Signers, CVCAs, DVs and CV certificates (CVC) to Document Verifiers and Inspection Systems for EAC ePassports, eIDs and eDL.
  • ... and many many more ...
You can also use EJBCA to set up a CA-independent, high-performance, highly available OCSP responder service.

Together with sister projects (see Complementary software) of EJBCA you can also:

The cert-cvc library handles CVC certificates for EU EAC ePassport PKIs and the current release is feature complete for EU EAC ePassports using all algorithms.
The library is freely usable under the LGPL 2.1 (or later) license for all parties interested in handling CVC certificates, in particular for EU EAC ePassports. The cert-cvc library was donated to open source by the Swedish National Police Board.