Breadcrumbs

Interoperability and Certifications

The following provides an overview of EJBCA's capabilities and support, with relevant links to documentation and external standards. 

This is a selection of the most important standards and does not cover every specification EJBCA supports.

Specifications

Certificate Formats and Standards

EJBCA supports the following formats and standards.

Supported Standard

External Reference

Documentation

X509 and PKIX.

RFC 5280

Certificate Authority Overview

Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs.

BSI TR-03110

Enterprise

CVC CA

Qualified Certificate Statement for issuing EU/ETSI qualified certificates.

RFC 3739

Certificate Profile Fields

Certificate Transparency.

RFC 6962

Enterprise

Certificate Transparency

DNS Certificate Authority Authorization (CAA).

RFC 6844

Enterprise

Certificate Field Validators

eIDAS

Regulation (EU) No 910/2014
EN 319 411, EN 319 412

Enterprise

Certificate Profile Fields

PSD2

ETSI TS 119 495

Enterprise

Certificate Profile Fields

FIPS 201-2 (PIV) compliant certificates including FASC-N subjectAltName.

FIPS 201-2

Enterprise

End Entity Profiles Fields

Matter “Vendor” PAA, PAI and DAC certificate formats

Matter Specification Version 1.4

Create CAs for Matter IoT

Matter “Operator” RCA, ICA and NOC certificate formats

Matter Specification Version 1.4

Enterprise

Create CAs for Matter IoT

PEM: Textual Encodings of PKIX, PKCS, and CMS Structures

RFC 7468


PKCS#10: Certification Request Syntax

RFC 2986


PKCS#7: Cryptographic Message Syntax

RFC 5652


PKCS#12: Personal Information Exchange Syntax

RFC 7292


CRL, OCSP and Certificate Distribution

EJBCA supports the following CRL formats and standards.

Supported Standard

External Reference

Documentation

CRL creation and URL based CRL Distribution Points.

RFC 5280

CRL Generation

Online Certificate Status Protocol (OCSP), including AIA-extension and must-staple extension.

RFC 2560, RFC 6960RFC 5019 and RFC 9654

OCSP

Certificate Store, distribution of CA certificates and CRLs over HTTP.

RFC 4387

Certificate and CRL Access over HTTP

The German Common PKI SigG CertHash OCSP extension.

Common PKI

OCSP

LDAP Certificate Publishing.

RFC 4523

LDAP Publisher/LDAP Search Publisher

SCP Publishing


SCP Publisher

Algorithms and Key Types

EJBCA supports the following algorithm types and key size/curves. When using HSMs, support is limited to a subset by the PKCS#11 provider and the specific HSM used.

Algorithm

Key Size/curve

External Reference

Documentation

RSA

Keys up to and including 8192 bits.



ECDSA

Curves including named curves from Nist, SEC, Teletrust, and X9.62.

For long term stability we recommend to use the most commonly used EC curves, if no other requirements apply choose P-256/P-384/P-521.


View curves...

FRP256v1
brainpoolP224r1
brainpoolP224t1
brainpoolP256r1
brainpoolP256t1
brainpoolP320r1
brainpoolP320t1
brainpoolP384r1
brainpoolP384t1
brainpoolP512r1
brainpoolP512t1
c2pnb272w1
c2pnb304w1
c2pnb368w1
c2tnb239v1
c2tnb239v2
c2tnb239v3
c2tnb359v1
c2tnb431r1
prime239v1
prime239v2
prime239v3
prime256v1/secp256r1/P-256
secp224k1
secp224r1/P-224
secp256k1
secp384r1/P-384
secp521r1/P-521
sect233k1/K-233
sect233r1/B-233
sect239k1
sect283k1/K-283
sect283r1/B-283
sect409k1/K-409
sect409r1/B-409
sect571k1/K-571
sect571r1/B-571
sm2p256v1


ECDSA Keys and Signatures

EdDSA

Ed25519
Ed448

RFC8032
RFC8410

EdDSA Keys and Signatures

ML-DSA

ML-DSA-44
ML-DSA-65
ML-DSA-87

FIPS 204
RFC9881
RFC9882

Post-Quantum Keys and Signatures

ML-KEM

Supported for EE cert creation only.

ML-KEM-512
ML-KEM-768
ML-KEM-1024

FIPS 203

Post-Quantum Keys and Signatures

SLH-DSA

SLH-DSA-SHA2-128F
SLH-DSA-SHA2-128S
SLH-DSA-SHA2-192F
SLH-DSA-SHA2-192S
SLH-DSA-SHA2-256F
SLH-DSA-SHA2-256S
SLH-DSA-SHAKE-128F
SLH-DSA-SHAKE-128S
SLH-DSA-SHAKE-192F
SLH-DSA-SHAKE-192S
SLH-DSA-SHAKE-256F
SLH-DSA-SHAKE-256S

FIPS 205

Post-Quantum Keys and Signatures

Composite algorithms

MLDSA44-RSA2048-PSS-SHA256
MLDSA44-ECDSA-P256-SHA256
MLDSA44-Ed25519-SHA512 MLDSA65-RSA3072-PSS-SHA512
MLDSA65-RSA4096-PSS-SHA512
MLDSA65-ECDSA-P256-SHA512
MLDSA65-ECDSA-P384-SHA512
MLDSA65-Ed25519-SHA512
MLDSA65-ECDSA-brainpoolP256r1-SHA512
MLDSA87-RSA3072-PSS-SHA512
MLDSA87-RSA4096-PSS-SHA512
MLDSA87-ECDSA-P384-SHA512
MLDSA87-ECDSA-P521-SHA512
MLDSA87-ECDSA-brainpoolP384r1-SHA512
MLDSA87-Ed448-SHAKE256

Composite ML-DSA for use in X.509 Public Key Infrastructure

Post-Quantum Cryptography Keys and Signatures

Certificate Enrollment Protocols

For specific features supported in each protocol, see the detailed documentation.

Protocol / Interface

External Reference

Documentation

EJBCA WS Soap API.


Web Service Interface

EJBCA Enrollment REST API.


EJBCA REST Interface

EJBCA Management REST API.


Enterprise

EJBCA REST Interface

Simple Certificate Enrollment Protocol (SCEP).

SCEP draft 23

RFC 8894

SCEP

X509 Public Key Infrastructure Certificate Management Protocol (CMP).

RFC 4210
RFC 6712
RFC 9480
(limitations apply)

CMP

3GPP, i.e. LTE/4G, compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication.

ETSI-3GPP

Enterprise

CMP

X.509 Public Key Infrastructure Certificate Request Message Format (CRMF).

RFC 4211
RFC 9045


Enrollment over Secure Transport (EST).

RFC 7030

Enterprise

EST

Automatic Certificate Management Environment (ACME).

RFC 8555

Enterprise

ACME

Automated Certificate Management Environment (ACME) IP Identifier Validation Extension

RFC 8738

Enterprise

ACME

Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding

RFC 8657

Enterprise

ACME

Automated Certificate Management Environment (ACME) Device Attestation, version 08 of first draft, with Apple Managed Device Attestation support

draft-acme-device-attest-08

Enterprise

ACME Device Attestation

ACME Renewal Information (ARI)

RFC 9773

Enterprise

ACME

Automated Certificate Management Environment (ACME) TLS Application-Layer Protocol Negotiation (ALPN) Challenge Extension

RFC 8737

Enterprise

ACME

Automated Certificate Management Environment (ACME) DNS Labeled With ACME Account ID Challenge

draft-ietf-acme-dns-account-label-03

Enterprise

ACME

Microsoft Auto-enrollment Integration.


Enterprise

Auto-enrollment

Legacy Native auto-enrollment in Windows environment with add-on auto-enrollment proxy module.


Enterprise

Auto-enrollment (legacy)


Certifications

The following lists certifications.

Type

Version

External Reference

Documentation

Common Criteria: Issuing and Management Components (CIMC) Version 1.0, EAL4+

EJBCA 5.0.4

Certification

Enterprise

Common Criteria

Common Criteria: Protection Profile for Certification Authorities Version 2.1

EJBCA 7.4.1.1

Certification

Enterprise

Common Criteria

Common Criteria: Protection Profile for Certification Authorities Version 2.1

EJBCA 9.3.3

Certification

Enterprise

Common Criteria

NATO Information Assurance Product Catalogue (NIAPC)

Keyfactor EJBCA Enterprise

NIAPC
Based on Common Criteria certification above



For an overview of Hardware Security Modules (HSMs) supported for each EJBCA deployment type, see Supported Hardware Security Modules (HSMs).