Interoperability and Certifications
The following provides an overview of EJBCA's capabilities and support, with relevant links to documentation and external standards.
This is a selection of the most important standards and does not cover every specification EJBCA supports.
Specifications
Certificate Formats and Standards
EJBCA supports the following formats and standards.
| Supported Standard | External Reference | Documentation |
|---|---|---|
| X.509 and PKIX | | |
| Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs (ENTERPRISE) | | |
| Qualified Certificate Statement for issuing EU/ETSI qualified certificates | | |
| Certificate Transparency (ENTERPRISE) | | |
| DNS Certificate Authority Authorization (CAA) (ENTERPRISE) | | |
| eIDAS (ENTERPRISE) | | |
| PSD2 (ENTERPRISE) | | |
| FIPS 201-2 (PIV) compliant certificates, including the FASC-N subjectAltName (ENTERPRISE) | | |
| Matter "Vendor" PAA, PAI and DAC certificate formats | | |
| Matter "Operator" RCA, ICA and NOC certificate formats (ENTERPRISE) | | |
| PEM: Textual Encodings of PKIX, PKCS, and CMS Structures | | |
| PKCS#10: Certification Request Syntax | | |
| PKCS#7: Cryptographic Message Syntax | | |
| PKCS#12: Personal Information Exchange Syntax | | |
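CAA support in the table above means the CA consults the domain owner's CAA records before issuing. The following is an added example, not EJBCA code and not part of the original page: a standard-library Python implementation of the RFC 8659 decision (climb the domain tree to the first name with CAA records, honour `issuewild` for wildcard names, refuse on a critical record with an unknown tag). The zone data and the issuer name `ca.example.net` are constructed for the example; a real CA would obtain the records from a DNSSEC-validating resolver.

```python
"""RFC 8659 CAA issuance decision, standard library only.

Added example: an independent, simplified implementation of the check a CA
performs before issuing. Not EJBCA code. ZONE is constructed sample data;
a real CA would query a DNSSEC-validating resolver instead.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80          # CAA flags bit 7 (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data (hypothetical names). Keys are lower-case FQDNs with a trailing dot.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "ca.example.net"),
        CAARecord(0, "issuewild", ";"),          # empty issuer: no wildcard certs at all
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [CAARecord(0, "issue", ";")],   # nobody may issue
    "strict.example.com.": [CAARecord(ISSUER_CRITICAL, "futuretag", "x")],
    "open.example.org.": [
        CAARecord(0, "issue", "ca.example.net; accounturi=https://acme.example.net/acct/123"),
    ],
}


def canonical(name: str) -> str:
    return name.lower().rstrip(".") + "."


def parent(name: str) -> str:
    """'www.example.com.' -> 'example.com.'; 'com.' -> '.' (the root)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def relevant_caa_set(name: str, zone: dict) -> list:
    """RelevantCAASet from RFC 8659 section 3: climb towards the root and stop at the
    first name that has CAA records. No CNAME chasing (removed relative to RFC 6844)."""
    name = canonical(name)
    while name != ".":
        records = zone.get(name)
        if records:
            return records
        name = parent(name)
    return []


def parse_issue_value(value: str):
    """'ca.example.net; k=v' -> ('ca.example.net', {'k': 'v'}); ';' -> ('', {})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params


def may_issue(fqdn: str, issuer_domain: str, zone: dict = ZONE):
    """Return (allowed, reason) for issuing a certificate for fqdn.
    fqdn may be a wildcard name such as '*.example.com'."""
    wildcard = fqdn.startswith("*.")
    records = relevant_caa_set(fqdn[2:] if wildcard else fqdn, zone)
    if not records:
        return True, "no CAA records in the domain tree; issuance permitted"

    # Any critical record with a tag we do not understand forbids issuance.
    for rec in records:
        if rec.flags & ISSUER_CRITICAL and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag {rec.tag!r}"

    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    # Wildcard names are governed by issuewild when present, otherwise by issue.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, "no issue/issuewild records; any CA may issue"

    wanted = canonical(issuer_domain).rstrip(".")
    for rec in governing:
        issuer, _params = parse_issue_value(rec.value)   # params (e.g. accounturi) ignored here
        if issuer and issuer == wanted:
            return True, f"authorized by {rec.tag} {rec.value!r}"
    return False, f"{wanted} is not named in the {governing[0].tag} records"


if __name__ == "__main__":
    for name in ("www.example.com", "*.example.com", "locked.example.com",
                 "strict.example.com", "*.open.example.org", "nothing.example.io"):
        print(name, may_issue(name, "ca.example.net"))
```

The two failure modes worth noticing are `issue ";"`, which names no issuer and therefore blocks every CA for that subtree, and a critical flag on a tag the CA does not implement, which must also block issuance rather than be ignored. Parameters such as `accounturi` are parsed but not enforced here.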
CRL, OCSP and Certificate Distribution
EJBCA supports the following revocation-checking and certificate distribution formats and standards.
| Supported Standard | External Reference | Documentation |
|---|---|---|
| CRL creation and URL-based CRL Distribution Points | | |
| Online Certificate Status Protocol (OCSP), including the AIA extension and the must-staple (TLS feature) extension | | |
| Certificate Store: distribution of CA certificates and CRLs over HTTP | | |
| The German Common PKI SigG CertHash OCSP extension | | |
| LDAP certificate publishing | | |
| SCP publishing | | |
Algorithms and Key Types
EJBCA supports the following algorithms and key sizes/curves. When keys are held in an HSM, the usable subset is further limited by the PKCS#11 provider and the specific HSM model and firmware.
| Algorithm | Key Size/Curve | External Reference | Documentation |
|---|---|---|---|
| RSA | Keys up to and including 8192 bits. | | |
| ECDSA | Named curves from NIST, SEC, TeleTrusT and X9.62. For long-term stability we recommend using the most commonly | | |
| EdDSA | Ed25519 | | |
| ML-DSA | ML-DSA-44 | | |
| ML-KEM | ML-KEM-512. Supported for end-entity certificate creation only (a KEM key cannot sign, so it cannot be used as a CA or OCSP signing key). | | |
| SLH-DSA | SLH-DSA-SHA2-128F | | |
Certificate Enrollment Protocols
For specific features supported in each protocol, see the detailed documentation.
| Protocol / Interface | External Reference | Documentation |
|---|---|---|
| EJBCA WS SOAP API | | |
| EJBCA Enrollment REST API | | |
| EJBCA Management REST API (ENTERPRISE) | | |
| Simple Certificate Enrollment Protocol (SCEP) | | |
| X.509 Public Key Infrastructure Certificate Management Protocol (CMP) | | |
| 3GPP (LTE/4G) compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication (ENTERPRISE) | | |
| X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) | | |
| Enrollment over Secure Transport (EST) (ENTERPRISE) | | |
| Automatic Certificate Management Environment (ACME) (ENTERPRISE) | | |
| ACME IP Identifier Validation Extension (ENTERPRISE) | | |
| Microsoft auto-enrollment integration (ENTERPRISE) | | |
| Legacy native auto-enrollment in Windows environments with the add-on auto-enrollment proxy module (ENTERPRISE) | | |
Certifications
The following lists completed and on-going certifications of EJBCA.
| Type | Version | External Reference | Documentation |
|---|---|---|---|
| Common Criteria: Certificate Issuing and Management Components (CIMC) Protection Profile Version 1.0, EAL4+ (ENTERPRISE) | EJBCA 5.0.4 | | |
| Common Criteria: Protection Profile for Certification Authorities Version 2.1 (ENTERPRISE) | EJBCA 7.4.1.1 | | |
| Common Criteria: Protection Profile for Certification Authorities Version 2.1 (ENTERPRISE) | EJBCA 9.1 (evaluation on-going) | | |
| NATO Information Assurance Product Catalogue (NIAPC) | Keyfactor EJBCA Enterprise | NIAPC | |
Interoperability
Supported Hardware Security Modules (HSMs)
The following table lists HSM support for each EJBCA deployment option. Network HSMs are integrated either through the vendor's REST API or through the PKCS #11 interface; PCIe cards are installed inside the Hardware Appliance. A check mark means the HSM is supported for that deployment option.
| HSM Type | Software stack | SaaS | Cloud | Software Appliance | Hardware Appliance | Container Set |
|---|---|---|---|---|---|---|
| Network HSMs integrated with REST APIs | | | | | | |
| AWS Key Management Service (KMS) | ✔️ | ✔️ | ✔️ | ✔️ | | |
| Azure Key Vault / MS Managed HSM | ✔️ | ✔️ | ✔️ | | | ✔️ |
| Fortanix Data Security Manager (DSM) | ✔️ | | | | | ✔️ |
| Securosys Primus HSM and CloudHSM Service | ✔️ | | | ✔️ | | ✔️ |
| Network HSMs integrated with PKCS#11 | | | | | | |
| AWS CloudHSM | ✔️ | ✔️ | ✔️ | | | ✔️ |
| Bull TrustWay Proteccio | ✔️ | | | ✔️ | | |
| Entrust nShield Connect | ✔️ | | | ✔️ | | ✔️ |
| Thales DPoD | ✔️ | | | ✔️ | | |
| Thales Luna 7 | ✔️ | | | ✔️ | | ✔️ |
| Thales TCT | ✔️ | | | ✔️ | | |
| Utimaco CryptoServer | ✔️ | | | ✔️ | | ✔️ |
| Utimaco u.trust Anchor | ✔️ | | | ✔️ | | |
| Internal Hardware Appliance HSMs integrated with PCIe | | | | | | |
| Thales Luna PCIe | ✔️ | | | | ✔️ | |
| Utimaco PCIe | ✔️ | | | | ✔️ | |