Contract Subscription Options
EJBCA SaaS is available in different sizes and contract options to meet customer needs and allow you to scale as you grow.
Contract Options Overview
The following provides a contract option and size comparison overview.
Abbreviations:
- AKV = Azure Key Vault 
- CloudHSM = AWS PKCS11 CloudHSM 
- KMS = AWS Key Management Service 
- MHSM = Azure Key Vault Managed HSM 
| EJBCA SaaS | Entry Level | Available Upon Request |
|---|---|---|
| Use case | | |
| Service Level Agreement | | |
| Service Level Agreement (SLA) | 99.9% | Up to 99.99% |
| Certificate capacity | 2500 Active / 10,000 Total | Up to Billions |
| Certificate performance capacity with KMS or AKV* | 10 Certificates per second | Up to 200 Certificates per second |
| Certificate performance capacity with CloudHSM or MHSM* | 25 Certificates per second | Up to 750 Certificates per second |
| OCSP performance capacity with KMS or AKV* | 25 OCSP responses per second | Up to 600 OCSP responses per second |
| OCSP performance capacity with CloudHSM or MHSM* | 50 OCSP responses per second | Up to 1200 OCSP responses per second |
| On demand performance and capacity upgrades | | |
| Geographic availability | | |
| HSM | | |
| CP/CPS templates | | |
| Dedicated offline root EJBCA Instance | | |
| Fully controlled, self service root CA | | |
| Custom user configurable domain name | | |
| Dedicated, load balanced Issuing Instances | | |
| Fully controlled, self service keystore and truststore changes | | |
| Full EJBCA administrator access | | |
| Fully controlled, self service source IP access to PKI | | |
| Fully controlled, self service syslog export to external servers | | |
| On Command Provisioning** | | |
| PKI intelligence dashboard | | |
| 2 Factor Authentication | | |
| Key Recovery | | |
| Protocols & APIs | | |
| SCEP | | |
| CMP | | |
| EST | | |
| ACME | | |
| WebServices API | | |
| REST API | | |
| Integration | | |
| Microsoft Intune Integration | | |
| Hashicorp Vault Integration | | |
| Microsoft Windows Autoenrollment integration | | |
| Enhanced Features | | |
| Free development, secondary instance of EJBCA SaaS | N/A | |
| Upgrade scheduler | | |
| Self Service Trust Store Management | | |
*Certificate generation performance limited by latency and connectivity to the EJBCA SaaS platform.
**On Command Provisioning means that everything is uniquely configured for you upon startup without any pre-provisioned infrastructure.
Notes on AWS Key Management Service (KMS)
AWS KMS supports two different asymmetric key types: encryption keys and signing keys. However, AWS KMS does not support a single key having both functions at the same time. For more information, refer to the AWS documentation on Selecting the key usage. Because of this design decision, the following functions within EJBCA cannot be used with AWS KMS:
- SCEP: Per the RFC, SCEP uses the CA's private key to encrypt the SCEP message. Since a key cannot be both an encryption key and a signing key at the same time, the signing key type must be chosen to ensure that the CA can sign certificates and CRLs. For more information on SCEP, see the EJBCA Documentation on SCEP.
- Key Recovery: EJBCA uses the CA's keyEncryptKey, an RSA key used to wrap/unwrap keys in a CMS structure (RFC 5652) for stored key recovery data. Currently, using KMS asymmetric keys for decryption does not work with EJBCA. For more information on Key Recovery, see the EJBCA Documentation on Key Recovery.
Any features that use an encryption key usage (such as Microsoft Intune, SCEP, or Key Recovery) will not work with AWS KMS-based solutions. If these features are needed, please pick AWS CloudHSM, Azure Key Vault, or Azure Key Vault Managed HSM-backed solutions.