EJBCA - Open Source PKI Certificate Authority
Search ejbca.org for:

EJBCA support, development and maintenance by

Features

Built on the J2EE 1.3 (EJB 2.0) specification.

  • Flexible, component based architecture.
  • Using standard, high performance RDBMS for storage.
  • Multiple CAs and levels of CAs, build a complete infrastructure (or several) within one instance of EJBCA.
  • Unlimited number of Root CAs and SubCAs. Request cross certificates and bridge certificates from other CAs and Bridge CAs. Issue cross certificates to other CAs.
  • Supports RSA key algorithm up to 8192 bits.
  • Supports DSA key algorithm with 1024 bits.
  • Supports ECDSA key algorithm with named curves or implicitlyCA.
  • Support multiple hash algorithms for signatures, MD5, SHA-1, SHA-2.
  • Support for X.509 certificates and Card Verifiable certificates (CVC used by EU EAC ePassports).
  • Standalone or integrated in any J2EE application.
  • Simple installation and configuration.
  • Powerful Web based administration GUI using strong authentication.
  • Administration GUI available in several languages - Chinese, English, French, German, Italian, Portuguese, Spanish and Swedish.
  • Internal log messages are localizable for different languages.
  • Command line administration for scripts etc.
  • Web service (WS) interface for remote administration and integration.
  • Modular API for HSMs. Built in support for nCipher, PrimeCardHSM, SafeNet ProtectServer, SafeNet Luna, Utimaco CryptoServer, AEP Keyper, ARX CoSign and other HSMs with a good PKCS#11 library.
  • Supports different architectures; all-in-one, clustered, external RA, external OCSP, etc.
  • Individual enrollment or batch production of certificates.
  • Server and client certificates can be exported as PKCS12, JKS or PEM.
  • Browser enrollment with Firefox, IE, etc.
  • Enrollment for other applications through open APIs and tools.
  • Enrollment generating complete OpenVPN installers for VPN users.
  • Smart card logon certificates.
  • Notification system for e-mail notification to users and administrators when a user is added or certificates expire etc.
  • Random or manual password for initial user authentication.
  • Hard token module for integrating with hard token issuing system (smart cards).
  • Multiple levels of administrators with specified privileges and user groups.
  • Configurable certificate profiles for different types and contents of certificates.
  • Configurable entity profiles for different types of users.
  • Supports the Simple Certificate Enrollment Protocol (SCEP).
  • Follows X509 and PKIX (RFC5280) standards where applicable.
  • Qualified Certificate Statement (RFC3739) for issuing EU/ETSI qualified certificates.
  • Supports the Online Certificate Status Protocol (OCSP - RFC2560 and RFC5019), including AIA-extension.
  • Supports RFC4387 for distribution of CA certificates and CRLs over HTTP.
  • Validation Authority service serving OCSP responses (RFC2560/5019), CA certificates and CRLS (RFC4387).
  • Validation Authority and OCSP responder can run integrated with EJBCA or stand alone (clustered) for security, high-performance and high-availability.
  • External Validation Authority and OCSP responder also works with any other CA than EJBCA and support large scale OCSP deployments.
  • Simple OCSP client in pure java.
  • Supports a subset of CMP (RFC4210 and RFC4211).
  • Supports synchronous XKMS version 2 requests.
  • Revocation and Certificate Revocation Lists (CRLs).
  • CRL creation and URL-based CRLDistribution Points according to RFC5280.
  • Stores Certificates and CRLs in SQL database, LDAP and/or other custom data source.
  • Optional multiple publishers for publishing certificates and CRLs in LDAP or legacy databases. Several flexible standard publishers exist to meet different demands.
  • Supports authentication and publishing of certificates to Microsoft Active Directory.
  • Autoenrollment for windows clients.
  • Component- and plug-in based architecture for publishing certificates and CRLs to different sources.
  • Key recovery module to store private keys for recovery for selected users and certificates.
  • Advanced log signing of PKI audit logs.
  • API for an external RA, restricting in-bound traffic to CA.
  • Optional approval mechanism so several admins are required to perform an action, a.k.a. dual-authentication.
  • Component based architecture for various authorization methods of entities when issuing certificates.
  • Possible to integrate into large java applications for optimal integration into business process.
  • Deploys easily in a clustered, high availability environment.
  • Health check service to support efficient clustering and monitoring.
  • Supports multiple application servers: JBoss, Weblogic, Glassfish, OC4J, Websphere
  • Supports multiple databases: Hypersoniq, MySQL, PostgreSQL, Oracle, DB2, Ingres, MS-SQL, Derby, Sybase, Informix.
  • Simple stand-alone batch enrollment GUI for CSRs (webservice RA).
  • Unique possibility to configure either as fully audited CA or as high speed certificate factory, with the same level of management features.