.png){kind=logo}
Interoperability and Certifications
The following provides an overview of EJBCA's capabilities and support, with relevant links to documentation and external standards.
This is a selection of the most important standards and does not cover every specification EJBCA supports.
Specifications
Certificate Formats and Standards
EJBCA supports the following formats and standards.
Supported Standard | External Reference | Documentation |
|---|---|---|
X509 and PKIX. | ||
Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs. | ENTERPRISE | |
Qualified Certificate Statement for issuing EU/ETSI qualified certificates. | ||
Certificate Transparency. | ENTERPRISE | |
DNS Certificate Authority Authorization (CAA). | ENTERPRISE | |
eIDAS | ENTERPRISE | |
PSD2 | ENTERPRISE | |
FIPS 201-2 (PIV) compliant certificates including FASC-N subjectAltName. | ENTERPRISE | |
Matter “Vendor” PAA, PAI and DAC certificate formats | ||
Matter “Operator” RCA, ICA and NOC certificate formats | ENTERPRISE | |
PEM: Textual Encodings of PKIX, PKCS, and CMS Structures | ||
PKCS#10: Certification Request Syntax | ||
PKCS#7: Cryptographic Message Syntax | ||
PKCS#12: Personal Information Exchange Syntax |
CRL, OCSP and Certificate Distribution
EJBCA supports the following CRL formats and standards.
Supported Standard | External Reference | Documentation |
|---|---|---|
CRL creation and URL based CRL Distribution Points. | ||
Online Certificate Status Protocol (OCSP), including AIA-extension and must-staple extension. | ||
Certificate Store, distribution of CA certificates and CRLs over HTTP. | ||
The German Common PKI SigG CertHash OCSP extension. | ||
LDAP Certificate Publishing. | ||
SCP Publishing |
Algorithms and Key Types
EJBCA supports the following algorithm types and key size/curves. When using HSMs, support is limited to a subset by the PKCS#11 provider and the specific HSM used.
Algorithm | Key Size/curve | External Reference | Documentation |
|---|---|---|---|
RSA | Keys up to and including 8192 bits. | ||
ECDSA | Curves including named curves from Nist, SEC, Teletrust, and X9.62. For long term stability we recommend to use the most commonly | ||
EdDSA | Ed25519 | ||
ML-DSA | ML-DSA-44 | ||
ML-KEM | Supported for EE cert creation only. ML-KEM-512 |
Certificate Enrollment Protocols
For specific features supported in each protocol, see the detailed documentation.
Protocol / Interface | External Reference | Documentation |
|---|---|---|
EJBCA WS Soap API. | ||
EJBCA Enrollment REST API. | ||
EJBCA Management REST API. | ENTERPRISE | |
Simple Certificate Enrollment Protocol (SCEP). | ||
X509 Public Key Infrastructure Certificate Management Protocol (CMP). | ||
3GPP, i.e. LTE/4G, compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication. | ENTERPRISE | |
X.509 Public Key Infrastructure Certificate Request Message Format (CRMF). | ||
Enrollment over Secure Transport (EST). | ENTERPRISE | |
Automatic Certificate Management Environment (ACME). | ENTERPRISE | |
Automated Certificate Management Environment (ACME) IP Identifier Validation Extension | ENTERPRISE | |
Microsoft Auto-enrollment Integration. | ENTERPRISE | |
Legacy Native auto-enrollment in Windows environment with add-on auto-enrollment proxy module. | ENTERPRISE |
Certifications
The following lists certifications.
Type | Version | External Reference | Documentation |
|---|---|---|---|
Common Criteria: Issuing and Management Components (CIMC) Version 1.0, EAL4+ | EJBCA 5.0.4 | ENTERPRISE | |
Common Criteria: Protection Profile for Certification Authorities Version 2.1 | EJBCA 7.4.1.1 | ENTERPRISE | |
Common Criteria: Protection Profile for Certification Authorities Version 2.1 | EJBCA 9.1 | On-going | ENTERPRISE |
Interoperability
Hardware Security Modules
The following lists support for Hardware Security Modules (HSMs). There are different APIs supporting HSMs, Java P11 Provider (legacy), P11NG, and REST APIs for some HSMs.
Vendor | Model | Documentation |
|---|---|---|
Generic PKCS#11 Provider | ||
ARX | CoSign | |
AWS CloudHSM | CloudHSM | ENTERPRISE |
AWS Key Management Service | KMS | ENTERPRISE |
Azure Key Vault | Key Vault and Managed HSM | |
Bull | Trustway PCI and Proteccio | |
CardContact | SmartCard-HSM | |
Engage Black | BlackVault HSM | |
Fortanix | Data Security Manager (DSM) | ENTERPRISE |
i4p | Trident HSM | |
Entrust/nCipher | nShield/netHSM | |
NitroKey | NitroKey HSM | |
SoftHSM | SoftHSMv2 | |
Securosys | Securosys Primus HSM and CloudHSM Service | |
Thales | Thales Data Protection on Demand (DPoD) | |
Thales | Thales Luna HSM | |
Thales | ProtectServer | |
Thales TCT | Luna SA HSM | |
Utimaco | CryptoServer | |
Utimaco | CryptoServer CP5 | |
Ultra Electronics AEP | Keyper | |
Yubico | YubiHSM 2 | |
KMS | ENTERPRISE | |
IBM | HPCS |