The following provides an overview of EJBCA's capabilities and support, with relevant links to documentation and external standards.
This is a selection of the most important standards and does not cover every specification EJBCA supports.
Specifications
Certificate Formats and Standards
EJBCA supports the following formats and standards. Entries marked Enterprise are available in the EJBCA Enterprise edition.
| Supported Standard | External Reference | Documentation |
|---|---|---|
| X.509 and PKIX | | |
| Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs (Enterprise) | | |
| Qualified Certificate Statement for issuing EU/ETSI qualified certificates | | |
| Certificate Transparency (Enterprise) | | |
| DNS Certificate Authority Authorization (CAA) (Enterprise) | | |
| eIDAS (Enterprise) | | |
| PSD2 (Enterprise) | | |
| FIPS 201-2 (PIV) compliant certificates, including FASC-N subjectAltName (Enterprise) | | |
| Matter “Vendor” PAA, PAI and DAC certificate formats | | |
| Matter “Operator” RCA, ICA and NOC certificate formats (Enterprise) | | |
| PEM: Textual Encodings of PKIX, PKCS, and CMS Structures | | |
| PKCS#10: Certification Request Syntax | | |
| PKCS#7: Cryptographic Message Syntax | | |
| PKCS#12: Personal Information Exchange Syntax | | |
CRL, OCSP and Certificate Distribution
EJBCA supports the following CRL, OCSP and certificate distribution formats and standards.
| Supported Standard | External Reference | Documentation |
|---|---|---|
| CRL creation and URL-based CRL Distribution Points | | |
| Online Certificate Status Protocol (OCSP), including the AIA extension and the must-staple extension | | |
| Certificate Store: distribution of CA certificates and CRLs over HTTP | | |
| The German Common PKI SigG CertHash OCSP extension | | |
| LDAP Certificate Publishing | | |
| SCP Publishing | | |
Algorithms and Key Types
EJBCA supports the following algorithm types and key sizes/curves. When using HSMs, support is limited to the subset offered by the PKCS#11 provider and the specific HSM used.
| Algorithm | Key Size/Curve | External Reference | Documentation |
|---|---|---|---|
| RSA | Keys up to and including 8192 bits | | |
| ECDSA | Named curves from NIST, SEC, TeleTrusT, and X9.62. For long term stability we recommend using the most commonly | | |
| EdDSA | Ed25519 | | |
| ML-DSA | ML-DSA-44 | | |
| ML-KEM | ML-KEM-512. Supported for end-entity certificate creation only | | |
| SLH-DSA | SLH-DSA-SHA2-128F | | |
Certificate Enrollment Protocols
For specific features supported in each protocol, see the detailed documentation.
| Protocol / Interface | External Reference | Documentation |
|---|---|---|
| EJBCA WS SOAP API | | |
| EJBCA Enrollment REST API | | |
| EJBCA Management REST API (Enterprise) | | |
| Simple Certificate Enrollment Protocol (SCEP) | | |
| X.509 Public Key Infrastructure Certificate Management Protocol (CMP) | | |
| 3GPP (i.e. LTE/4G) compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication (Enterprise) | | |
| X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) | | |
| Enrollment over Secure Transport (EST) (Enterprise) | | |
| Automatic Certificate Management Environment (ACME) (Enterprise) | | |
| Automated Certificate Management Environment (ACME) IP Identifier Validation Extension (Enterprise) | | |
| Microsoft Auto-enrollment Integration (Enterprise) | | |
| Legacy native auto-enrollment in Windows environments with the add-on auto-enrollment proxy module (Enterprise) | | |
Certifications
The following table lists EJBCA certifications.
| Type | Version | External Reference | Documentation |
|---|---|---|---|
| Common Criteria: Issuing and Management Components (CIMC) Version 1.0, EAL4+ (Enterprise) | EJBCA 5.0.4 | | |
| Common Criteria: Protection Profile for Certification Authorities Version 2.1 (Enterprise) | EJBCA 7.4.1.1 | | |
| Common Criteria: Protection Profile for Certification Authorities Version 2.1 (Enterprise) | EJBCA 9.1 | On-going | |
| NATO Information Assurance Product Catalogue (NIAPC) | Keyfactor EJBCA Enterprise | NIAPC | |
Interoperability
Supported Hardware Security Modules (HSMs)
The following table lists HSM support for each EJBCA deployment option. Integration methods are vendor REST APIs, the PKCS #11 standard, and PCIe cards installed in the Hardware Appliance.
| HSM Type | Software stack | SaaS | Cloud | Software Appliance | Hardware Appliance | Container Set |
|---|---|---|---|---|---|---|
| Network HSMs integrated with REST APIs | | | | | | |
| AWS Key Management Service (KMS) | ✔️ | ✔️ | ✔️ | | | ✔️ |
| Azure Key Vault / MS Managed HSM | ✔️ | ✔️ | ✔️ | | | ✔️ |
| Fortanix Data Security Manager (DSM) | ✔️ | | | | | ✔️ |
| Securosys Primus HSM and CloudHSM Service | ✔️ | | | ✔️ | | ✔️ |
| Network HSMs integrated with PKCS#11 | | | | | | |
| AWS CloudHSM | ✔️ | ✔️ | ✔️ | | | ✔️ |
| Bull TrustWay Proteccio | ✔️ | | | ✔️ | | |
| Entrust nShield Connect | ✔️ | | | ✔️ | | ✔️ |
| Thales DPoD | ✔️ | | | ✔️ | | |
| Thales Luna 7 | ✔️ | | | ✔️ | | ✔️ |
| Thales TCT | ✔️ | | | ✔️ | | |
| Utimaco CryptoServer | ✔️ | | | ✔️ | | ✔️ |
| Utimaco u.trust Anchor | ✔️ | | | ✔️ | | |
| Internal Hardware Appliance HSMs integrated with PCIe | | | | | | |
| Thales Luna PCIe | ✔️ | | | | ✔️ | |
| Utimaco PCIe | ✔️ | | | | ✔️ | |