Ensures the highest quality of PKI implementation
EJBCA covers all your needs - from certificate management, registration and enrollment to certificate validation
EJBCA is one of the longest running CA software projects, providing time-proven robustness and reliability. EJBCA is platform independent and easily scalable to match your PKI requirements, whether you are setting up a national eID, securing your industrial IoT platform or managing your own internal PKI.
EJBCA is a free software public key infrastructure (PKI) certificate authority software package maintained and sponsored by PrimeKey Solutions AB.
EJBCA allows implementation and management of Public Key Infrastructure that provides certificate lifecycle management (request, creation, renewal, revocation). It allows defining a root certification authority, subordinate certification and registration authorities.
EJBCA issues encryption, authentication or signature certificates for various purposes, like:
- Strong authentication for users accessing your intranet/extranet/internet resources;
- Secure communication with SSL servers and SSL clients;
- Smart card logon to Windows and/or Linux;
- Signing and encrypting email;
- VPN connections by issuing certificates to your VPN routers such as OpenVPN, Cisco, Juniper etc.;
- Single sign-on by using a single certificate to secure logon to Web applications;
- Creating signed documents.
EJBCA Design and Architecture
The system is developed in Java EE and designed to be platform independent. EJBCA implements Public Key Infrastructure (PKI) according to standards such as X.509, IETF-PKIX and CVC BSI TR-03110.
The EJBCA component consists of a set of Java classes that provide such functionalities as:
- Create digital certificates and CRLs;
- OCSP support;
- Certificate Authority management;
- Key recovery;
- Profile management;
- User registration and management;
- Certificate and CRL publishing;
- Certificate and CRL retrieval;
- Backup of Certificate data.
Certificate Lifecycle Management
EJBCA provides full capabilities for managing your certificate lifecycles using powerful and easily configurable profiles, automated validation of submitted cryptographic keys, and enrollment through the Registration Authority UI.
EJBCA provides easy-to-use tools that let administrators revoke and renew certificates, ensuring that lost keys are immediately contained and that the organization suffers no downtime.
EJBCA supports many common PKI architectures, such as everything in a single server, distributed RAs and an external validation authority. The following are the key design components of EJBCA:
- Multiple CA Instances
EJBCA supports running an unlimited number of CAs and levels of CAs in a single installation. Build a complete infrastructure, or several, within one instance of EJBCA.
- Registration Authority
The EJBCA software includes a separate registration authority (RA) front end that can run on the same instance as the CA or distributed as external RAs.
A complete PKI can be deployed in a single instance. Since EJBCA has everything built in, a single instance can function as both CA and RA. This is a very efficient, easy to manage, and cost effective solution that is suitable for many SME enterprise deployments.
CA with Distributed RAs
To set up a PKI capable of enrolling a diverse set of users and devices, it is usually necessary to introduce multiple types of RAs for different purposes. Using EJBCA, one can connect an unlimited number of distributed RAs, communicating with the CA using standard protocols like CMP, SCEP and web services.
CA with External RAs
Using this architecture, an external RA server receives certificate (and revocation) requests, which are stored in a separate database. The requests are periodically pulled by the CA and the responses returned to the External RA database, where they are picked up by the external RA server. No incoming network traffic to the CA is allowed; only outgoing connections, used for polling, pass through the CA firewall.
- Certificate Validation
For certificate validation, there is the choice of using X.509 CRLs and OCSP. EJBCA has a built-in Validation Authority and can also be deployed as a separate Validation Authority (VA). Using a separate VA, one can serve multiple PKIs from a single VA.
Supported algorithms: RSA, ECDSA and DSA, with SHA-1 and SHA-2, compliant with the standards.
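As an added example (not EJBCA code; written here with Go's standard crypto/x509 package), the following shows the two design points above in working code: a two-level CA hierarchy, root CA signing an issuing CA that signs an end-entity certificate, with the chain verified against an explicit trust anchor, and CRL-based validation, where the issuing CA signs a CRL and a relying party checks a certificate against it the way a validation service would. All CA names, serial numbers and validity periods are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed root CA -> issuing CA -> end-entity chain; SubKey is the issuing CA's key, which also signs its CRLs.
type Hierarchy struct {
	Root, Sub, Leaf *x509.Certificate
	SubKey          *ecdsa.PrivateKey
}

// BuildHierarchy generates three P-256 keys and signs each certificate with the key of the level above it (the root is self-signed). Names and serials are constructed.
func BuildHierarchy() (*Hierarchy, error) {
	now := time.Now()
	names := [3]string{"Constructed Root CA", "Constructed Issuing CA", "device-42.example.internal"}
	var keys [3]*ecdsa.PrivateKey
	var certs [3]*x509.Certificate
	for i := range keys {
		var err error
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)),
			Subject:      pkix.Name{CommonName: names[i]},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(90 * 24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
		}
		if i < 2 { // levels 0 and 1 are CAs: basic constraints plus the certSign/cRLSign bits
			tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
			tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
		parent, signer := tmpl, keys[i] // level 0 is the self-signed root
		if i > 0 {
			parent, signer = certs[i-1], keys[i-1] // each level is signed by the one above
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &keys[i].PublicKey, signer)
		if err != nil {
			return nil, err
		}
		if certs[i], err = x509.ParseCertificate(der); err != nil {
			return nil, err
		}
	}
	return &Hierarchy{Root: certs[0], Sub: certs[1], Leaf: certs[2], SubKey: keys[1]}, nil
}

// VerifyChain builds the path leaf -> issuing CA -> root against an explicit trust anchor.
func VerifyChain(h *Hierarchy) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Sub)
	_, err := h.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// IssueCRL has the issuing CA sign a CRL listing the given serials; an empty CRL is still a valid, signed "nothing revoked" statement.
func IssueCRL(h *Hierarchy, revokedSerials ...*big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revokedSerials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, h.Sub, h.SubKey)
}

// IsRevoked is the relying-party check: the CRL must be signed by the certificate's issuer and still be current before its entries are consulted at all.
func IsRevoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("untrusted CRL: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL stale since %s; refresh it before relying on it", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	crl, _ := IssueCRL(h, h.Leaf.SerialNumber) // a nil CRL is rejected by IsRevoked's parse step
	fmt.Println("chain error:", VerifyChain(h))
	fmt.Println(IsRevoked(crl, h.Sub, h.Leaf))
}
```

Two details carry the security weight here. The relying party never consults the revoked-serial list until the CRL's signature has been checked against the issuing CA and its nextUpdate has not passed; an unsigned or stale CRL is treated as an error, not as "not revoked". And the issuing CA, not the root, signs the CRL, which is why the example keeps the issuing CA's key and why a CRL presented as coming from the root fails the signature check. OCSP, the other validation option named above, is not shown; it answers the same question per certificate over a request/response exchange instead of a published list.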
Different certificate formats
EJBCA supports both X.509v3 certificates and Card Verifiable certificates (CVC BSI TR-03110). Certificates are compliant with all standards such as RFC 5280, CA/Browser Forum, eIDAS, ICAO 9303, etc.
Standard Certificate Enrollment Protocols
EJBCA is designed with integration in mind. The standard protocols supported are:
- Certificate Management Protocol (CMP)
- Enrollment over Secure Transport (EST)
- Simple Certificate Enrollment Protocol (SCEP)
- Automatic Certificate Management Environment (ACME)
EJBCA supports integration with various third-party applications and Hardware Security Modules (HSMs).
- Third-Party Applications
- USB Tokens and Smart Cards
- Card Management Systems (CMS)
- Hardware Security Modules (HSMs)
- Certificate Auto-Enrollment (for example, EverTrust TAP)