Interoperability and Certifications
The following provides an overview of EJBCA's capabilities and support, with relevant links to documentation and external standards.
This is a selection of the most important standards and does not cover every specification EJBCA supports.
Specifications
Certificate Formats and Standards
EJBCA supports the following formats and standards.
Supported Standard | External Reference | Documentation |
---|---|---|
X.509 and PKIX. | RFC 5280 | Certificate Authority Overview |
Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs. | BSI TR-03110 | ENTERPRISE |
Qualified Certificate Statement for issuing EU/ETSI qualified certificates. | RFC 3739 | Certificate Profile Fields |
Certificate Transparency. | RFC 6962 | ENTERPRISE |
DNS Certificate Authority Authorization (CAA). | RFC 6844 | ENTERPRISE |
eIDAS | | ENTERPRISE |
PSD2 | ETSI TS 119 495 | ENTERPRISE |
FIPS 201-2 (PIV) compliant certificates including FASC-N subjectAltName. | FIPS 201-2 | ENTERPRISE |
PEM: Textual Encodings of PKIX, PKCS, and CMS Structures | RFC 7468 | |
PKCS#10: Certification Request Syntax | RFC 2986 | |
PKCS#7: Cryptographic Message Syntax | RFC 5652 | |
PKCS#12: Personal Information Exchange Syntax | RFC 7292 | |
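The PEM row above (RFC 7468) is the envelope every other structure in this table travels in, and a surprising number of interoperability problems are PEM problems: mismatched BEGIN/END labels, stray text inside the body, or a body that is not the single DER SEQUENCE the label promises. The following is an added example, not EJBCA code, of a strict RFC 7468 decoder with a DER sanity check; the sample input is a constructed DER SEQUENCE standing in for a real PKCS#10 body, and the label set is the one RFC 7468 assigns to the structures listed here.

```python
"""Strict RFC 7468 PEM decode/encode with a DER outer-length check.
Added example for this page; not EJBCA or Bouncy Castle code."""
import base64
import re

# RFC 7468 labels for the structures in the table above (sections 5 to 10).
KNOWN_LABELS = {"CERTIFICATE", "X509 CRL", "CERTIFICATE REQUEST", "PKCS7", "CMS",
                "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "PUBLIC KEY"}

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def der_tlv_length(der):
    """Total length (tag + length octets + content) of the first DER TLV,
    rejecting indefinite and non-minimal length encodings as DER requires."""
    if len(der) < 2:
        raise ValueError("DER too short")
    first = der[1]
    if first < 0x80:                       # short form: one length octet
        return 2 + first
    n = first & 0x7F                       # long form: n following octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length octets")
    if der[2] == 0 or (n == 1 and der[2] < 0x80):
        raise ValueError("non-minimal DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_decode(text):
    """Return (label, der) for the first PEM block in `text`.

    Text before the BEGIN line is ignored (RFC 7468 permits it); the END label
    must match the BEGIN label; the body must be valid base64 and exactly one
    DER SEQUENCE, which every structure in the table above is."""
    lines = iter(text.splitlines())
    label = None
    for line in lines:
        m = _BEGIN.match(line.strip())
        if m:
            label = m.group(1)
            break
    if label is None:
        raise ValueError("no BEGIN line")
    body = []
    for line in lines:
        m = _END.match(line.strip())
        if m:
            if m.group(1) != label:
                raise ValueError(f"END label {m.group(1)!r} != BEGIN label {label!r}")
            break
        body.append(line.strip())
    else:
        raise ValueError("no END line")
    der = base64.b64decode("".join(body), validate=True)   # rejects junk chars
    if not der or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    if der_tlv_length(der) != len(der):
        raise ValueError("DER length does not match body length")
    return label, der


def pem_encode(label, der):
    """Inverse of pem_decode; base64 wrapped at 64 columns (RFC 7468 section 2)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""])


def is_valid_pem(text):
    """True if `text` decodes cleanly and carries a label from the table above."""
    try:
        label, _ = pem_decode(text)
    except ValueError:
        return False
    return label in KNOWN_LABELS


# Constructed input: SEQUENCE { INTEGER 1, OCTET STRING "ab" } under the PKCS#10
# label. It is not a real certification request, only a well-formed DER body.
SAMPLE_DER = bytes.fromhex("300702010104026162")
SAMPLE_PEM = "Constructed example, text before BEGIN is allowed\n" + \
    pem_encode("CERTIFICATE REQUEST", SAMPLE_DER)

if __name__ == "__main__":
    print(pem_decode(SAMPLE_PEM))
```

The outer-length check catches the common case of a truncated or concatenated body (two DER blobs pasted into one PEM block) before it reaches a real ASN.1 parser, where the error message is usually far less helpful.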
CRL, OCSP and Certificate Distribution
EJBCA supports the following revocation-status and certificate-distribution formats and standards.
Supported Standard | External Reference | Documentation |
---|---|---|
CRL creation and URL based CRL Distribution Points. | RFC 5280 | CRL Generation |
Online Certificate Status Protocol (OCSP), including the AIA extension and the must-staple extension. | RFC 2560, RFC 6960, RFC 5019 and RFC 9654 | OCSP |
Certificate Store, distribution of CA certificates and CRLs over HTTP. | RFC 4387 | Certificate and CRL Access over HTTP |
The German Common PKI SigG CertHash OCSP extension. | Common PKI | OCSP |
LDAP Certificate Publishing. | RFC 4523 | LDAP Publisher/LDAP Search Publisher |
SCP Publishing. | | |
Algorithms and Key Types
EJBCA supports the following algorithm types and key sizes/curves. When an HSM is used, the available subset is determined by the PKCS#11 provider and the specific HSM, so verify support in the HSM before selecting an algorithm for a CA.
Algorithm | Key Size/curve | External Reference | Documentation |
---|---|---|---|
RSA | Keys up to and including 8192 bits. | | |
ECDSA | Named curves from NIST, SEC, TeleTrusT, and X9.62. For long-term stability we recommend using the most commonly | | ECDSA Keys and Signatures |
EdDSA | Ed25519 | RFC 8032 and RFC 8410 | EdDSA Keys and Signatures |
ML-DSA | ML-DSA-44 | FIPS 204 | Post-Quantum Keys and Signatures |
ML-KEM | ML-KEM-512. Supported for end-entity certificate creation only. | FIPS 203 | Post-Quantum Keys and Signatures |
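The caveat above about HSMs is where deployments most often stall: the algorithm is in the table, but the PKCS#11 module does not offer the mechanism, or only offers it for a narrower key-size range. The following is an added example, not EJBCA or OpenSC code, that parses the mechanism listing in the format printed by `pkcs11-tool --module <lib> -M` and checks whether a given signature algorithm and key size from the table could be backed by that token. The sample listing is constructed, and the mapping from EJBCA algorithm names to PKCS#11 mechanism names (including the EdDSA and ML-DSA names) is an assumption to be adjusted for the provider and HSM in use.

```python
"""Check a PKCS#11 mechanism listing against the algorithm table above.
Added example; not EJBCA, P11NG or OpenSC code."""
import re

# Constructed sample in the layout of `pkcs11-tool --module <lib> -M` output;
# not captured from a real HSM.
SAMPLE_MECHANISMS = """\
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA256-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
  RSA-PKCS, keySize={2048,4096}, hw, decrypt, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={2048,4096}, hw, generate_key_pair
  ECDSA, keySize={256,521}, hw, sign, verify
  EC-KEY-PAIR-GEN, keySize={256,521}, hw, generate_key_pair
  SHA256, digest
"""

# Assumed mapping: EJBCA signature algorithm -> (key-pair-gen mechanism,
# acceptable signing mechanisms). Mechanism names follow pkcs11-tool's
# spelling; the EdDSA and ML-DSA names in particular vary by vendor.
REQUIREMENTS = {
    "SHA256withRSA":   ("RSA-PKCS-KEY-PAIR-GEN",     {"SHA256-RSA-PKCS", "RSA-PKCS"}),
    "SHA256withECDSA": ("EC-KEY-PAIR-GEN",           {"ECDSA", "ECDSA-SHA256"}),
    "Ed25519":         ("EC-EDWARDS-KEY-PAIR-GEN",   {"EDDSA"}),
    "ML-DSA-44":       ("ML-DSA-KEY-PAIR-GEN",       {"ML-DSA"}),
}

# "  NAME, keySize={lo,hi}, flag, flag" with keySize and flags optional.
_LINE = re.compile(r"^\s+([A-Z0-9_-]+)(?:, keySize=\{(\d+),(\d+)\})?(?:, (.+))?$")


def parse_mechanisms(text):
    """Return {mechanism name: ((min_bits, max_bits) or None, set(flags))}."""
    mechs = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:                      # header lines do not start with whitespace
            continue
        name, lo, hi, flags = m.groups()
        size = (int(lo), int(hi)) if lo else None
        flagset = {f.strip() for f in flags.split(",")} if flags else set()
        mechs[name] = (size, flagset)
    return mechs


def check_support(mech_text, algorithm, key_bits):
    """Return a list of problems (empty means the token can plausibly back
    `algorithm` with `key_bits`-bit keys: it can generate them and sign)."""
    mechs = parse_mechanisms(mech_text)
    keygen, signers = REQUIREMENTS[algorithm]
    problems = []
    if keygen not in mechs:
        problems.append(f"{algorithm}: key-pair generation mechanism {keygen} missing")
    else:
        size = mechs[keygen][0]
        if size and not size[0] <= key_bits <= size[1]:
            problems.append(f"{algorithm}: {key_bits}-bit keys outside "
                            f"supported range {size[0]}-{size[1]}")
    usable = [s for s in sorted(signers) if s in mechs and "sign" in mechs[s][1]]
    if not usable:
        problems.append(f"{algorithm}: none of {sorted(signers)} offered with the sign flag")
    return problems


if __name__ == "__main__":
    for alg, bits in (("SHA256withRSA", 4096), ("SHA256withRSA", 8192),
                      ("SHA256withECDSA", 256), ("Ed25519", 256), ("ML-DSA-44", 0)):
        print(alg, bits, check_support(SAMPLE_MECHANISMS, alg, bits) or "ok")
```

Run it against the real listing of the slot the crypto token will use, not the listing of the first slot; partitions on the same HSM can expose different mechanism sets and size ranges, and an 8192-bit RSA CA key that the table permits will still fail at key generation on a token whose range stops at 4096.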
Certificate Enrollment Protocols
For specific features supported in each protocol, see the detailed documentation.
Protocol / Interface | External Reference | Documentation |
---|---|---|
EJBCA WS SOAP API. | | Web Service Interface |
EJBCA Enrollment REST API. | | EJBCA REST Interface |
EJBCA Management REST API. | | ENTERPRISE |
Simple Certificate Enrollment Protocol (SCEP). | SCEP draft 23 | SCEP |
X509 Public Key Infrastructure Certificate Management Protocol (CMP). | RFC 4210 and RFC 6712 | CMP |
3GPP, i.e. LTE/4G, compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication. | ETSI-3GPP | ENTERPRISE |
X.509 Public Key Infrastructure Certificate Request Message Format (CRMF). | RFC 4211 | |
Enrollment over Secure Transport (EST). | RFC 7030 | ENTERPRISE |
Automatic Certificate Management Environment (ACME). | RFC 8555 | ENTERPRISE |
Automatic Certificate Management Environment (ACME) IP Identifier Validation Extension. | RFC 8738 | ENTERPRISE |
Microsoft Auto-enrollment Integration. | | ENTERPRISE |
Legacy native auto-enrollment in Windows environments with the add-on auto-enrollment proxy module. | | ENTERPRISE |
Certifications
The following lists the Common Criteria certifications obtained for EJBCA, with the EJBCA version that was evaluated.
Type | Version | External Reference | Documentation |
---|---|---|---|
Common Criteria: Issuing and Management Components (CIMC) Version 1.0, EAL4+ | EJBCA 5.0.4 | Certification | ENTERPRISE |
Common Criteria: Protection Profile for Certification Authorities Version 2.1 | EJBCA 7.4.1.1 | Certification | ENTERPRISE |
Interoperability
Hardware Security Modules
The following lists support for Hardware Security Modules (HSMs). HSMs are accessed through one of several APIs: the Java PKCS#11 provider (legacy), P11NG, or REST APIs for some HSMs.
Vendor | Model | Documentation |
---|---|---|
Generic | PKCS#11 provider | Generic PKCS#11 Provider |
ARX | CoSign | ARX CoSign |
AWS CloudHSM | CloudHSM | ENTERPRISE |
AWS Key Management Service | KMS | ENTERPRISE |
Azure Key Vault | Key Vault and Managed HSM | Azure Key Vault and Managed HSM |
Bull | Trustway PCI and Proteccio | Bull Trustway PCI Crypto Card / Bull Trustway Proteccio |
CardContact | SmartCard-HSM | SmartCard-HSM |
Engage Black | BlackVault HSM | BlackVault HSM |
Fortanix | Data Security Manager (DSM) | ENTERPRISE |
i4p | Trident HSM | Trident HSM |
Entrust/nCipher | nShield/netHSM | nCipher nShield/netHSM |
NitroKey | NitroKey HSM | Nitrokey HSM |
SoftHSM | SoftHSMv2 | SoftHSM |
Securosys | Securosys Primus HSM and CloudHSM Service | Securosys Primus HSM and CloudHSM Service |
Thales | Thales Data Protection on Demand (DPoD) | Thales DPoD |
Thales | Thales Luna HSM | Thales Luna HSM |
Thales | ProtectServer | Thales ProtectServer |
Thales TCT | Luna SA HSM | Thales TCT Luna SA |
Utimaco | CryptoServer | Utimaco CryptoServer |
Utimaco | CryptoServer CP5 | Contact Sales |
Ultra Electronics AEP | Keyper | AEP Keyper |
Yubico | YubiHSM 2 | YubiHSM 2 |
KMS | | ENTERPRISE |
IBM | HPCS | IBM HPCS |