Interoperability and Certifications

The following provides an overview of EJBCA's capabilities and support, with relevant links to documentation and external standards.

This is a selection of the most important standards and does not cover every specification EJBCA supports.

Specifications

Certificate Formats and Standards

EJBCA supports the following formats and standards.

Supported Standard	External Reference	Documentation
X509 and PKIX.	RFC 5280	Certificate Authority Overview
Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs.	BSI TR-03110	ENTERPRISE CVC CA
Qualified Certificate Statement for issuing EU/ETSI qualified certificates.	RFC 3739	Certificate Profile Fields
Certificate Transparency.	RFC 6962	ENTERPRISE Certificate Transparency
DNS Certificate Authority Authorization (CAA).	RFC 6844	ENTERPRISE Certificate Field Validators
eIDAS	Regulation (EU) No 910/2014 EN 319 411, EN 319 412	ENTERPRISE Certificate Profile Fields
PSD2	ETSI TS 119 495	ENTERPRISE Certificate Profile Fields
FIPS 201-2 (PIV) compliant certificates including FASC-N subjectAltName.	FIPS 201-2	ENTERPRISE End Entity Profiles Fields
PEM: Textual Encodings of PKIX, PKCS, and CMS Structures	RFC 7468
PKCS#10: Certification Request Syntax	RFC 2986
PKCS#7: Cryptographic Message Syntax	RFC 5652
PKCS#12: Personal Information Exchange Syntax	RFC 7292

CRL, OCSP and Certificate Distribution

EJBCA supports the following CRL formats and standards.

Supported Standard	External Reference	Documentation
CRL creation and URL based CRL Distribution Points.	RFC 5280	CRL Generation
Online Certificate Status Protocol (OCSP), including AIA-extension and must-staple extension.	RFC 2560, RFC 6960, RFC 5019 and RFC 8964	OCSP
Certificate Store, distribution of CA certificates and CRLs over HTTP.	RFC 4387	Certificate and CRL Access over HTTP
The German Common PKI SigG CertHash OCSP extension.	Common PKI	OCSP
LDAP Certificate Publishing.	RFC 4523	LDAP Publisher/LDAP Search Publisher
SCP Publishing		SCP Publisher

Algorithms and Key Types

EJBCA supports the following algorithm types and key size/curves. When using HSMs, support is limited to a subset by the PKCS#11 provider and the specific HSM used.

Algorithm	Key Size/curve	External Reference	Documentation
RSA	Keys up to and including 8192 bits.
ECDSA	Curves including named curves from Nist, SEC, Teletrust, and X9.62. For long term stability we recommend to use the most commonly used EC curves, if no other requirements apply choose P-256/P-384/P-521. View curves... FRP256v1 brainpoolP224r1 brainpoolP224t1 brainpoolP256r1 brainpoolP256t1 brainpoolP320r1 brainpoolP320t1 brainpoolP384r1 brainpoolP384t1 brainpoolP512r1 brainpoolP512t1 c2pnb272w1 c2pnb304w1 c2pnb368w1 c2tnb239v1 c2tnb239v2 c2tnb239v3 c2tnb359v1 c2tnb431r1 prime239v1 prime239v2 prime239v3 prime256v1/secp256r1/P-256 secp224k1 secp224r1/P-224 secp256k1 secp384r1/P-384 secp521r1/P-521 sect233k1/K-233 sect233r1/B-233 sect239k1 sect283k1/K-283 sect283r1/B-283 sect409k1/K-409 sect409r1/B-409 sect571k1/K-571 sect571r1/B-571 sm2p256v1		ECDSA Keys and Signatures
EdDSA	Ed25519 Ed448	RFC8032 RFC8410	EdDSA Keys and Signatures

Certificate Enrollment Protocols

For specific features supported in each protocol, see the detailed documentation.

Protocol / Interface	External Reference	Documentation
EJBCA WS Soap API.		Web Service Interface
EJBCA Enrollment REST API.		EJBCA REST Interface
EJBCA Management REST API.		ENTERPRISE EJBCA REST Interface
Simple Certificate Enrollment Protocol (SCEP).	SCEP draft 23	SCEP
X509 Public Key Infrastructure Certificate Management Protocol (CMP).	RFC 4210 and RFC 6712	CMP
3GPP, i.e. LTE/4G, compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication.	ETSI-3GPP	ENTERPRISE CMP
X.509 Public Key Infrastructure Certificate Request Message Format (CRMF).	RFC 4211
Enrollment over Secure Transport (EST).	RFC 7030	ENTERPRISE EST
Automatic Certificate Management Environment (ACME).	RFC 8555	ENTERPRISE ACME
Automated Certificate Management Environment (ACME) IP Identifier Validation Extension	RFC 8738	ENTERPRISE ACME
Microsoft Auto-enrollment Integration.		ENTERPRISE Auto-enrollment
Legacy Native auto-enrollment in Windows environment with add-on auto-enrollment proxy module.		ENTERPRISE Auto-enrollment (legacy)

Certifications

The following lists certifications.

Type	Version	External Reference	Documentation
Common Criteria: Issuing and Management Components (CIMC) Version 1.0, EAL4+	EJBCA 5.0.4	Certification	ENTERPRISE Common Criteria
Common Criteria: Protection Profile for Certification Authorities Version 2.1	EJBCA 7.4.1.1	Certification	ENTERPRISE Common Criteria

Interoperability

Hardware Security Modules

The following lists support for Hardware Security Modules (HSMs). There are different APIs supporting HSMs, Java P11 Provider (legacy), P11NG, and REST APIs for some HSMs.

Vendor	Model	Documentation
Generic PKCS#11 Provider		Generic PKCS#11 Provider
ARX	CoSign	ARX CoSign
AWS CloudHSM	CloudHSM	ENTERPRISE AWS CloudHSM
AWS Key Management Service	KMS	ENTERPRISE AWS KMS
Azure Key Vault	Key Vault and Managed HSM	Azure Key Vault and Managed HSM
Bull	Trustway PCI and Proteccio	Bull Trustway PCI Crypto Card Bull Trustway Proteccio
CardContact	SmartCard-HSM	SmartCard-HSM
Engage Black	BlackVault HSM	BlackVault HSM
Fortanix	Data Security Manager (DSM)	ENTERPRISE Fortanix Data Security Manager
i4p	Trident HSM	Trident HSM
Entrust/nCipher	nShield/netHSM	nCipher nShield/netHSM
NitroKey	NitroKey HSM	Nitrokey HSM
SoftHSM	SoftHSMv2	SoftHSM
Securosys	Securosys Primus HSM and CloudHSM Service	Securosys Primus HSM and CloudHSM Service
Thales	Thales Data Protection on Demand (DPoD)	Thales DPoD
Thales	Thales Luna HSM	Thales Luna HSM
Thales	ProtectServer	Thales ProtectServer
Thales TCT	Luna SA HSM	Thales TCT Luna SA
Utimaco	CryptoServer	Utimaco CryptoServer
Utimaco	CryptoServer CP5	Contact Sales
Ultra Electronics AEP	Keyper	AEP Keyper
Yubico	YubiHSM 2	YubiHSM 2
Google	KMS	ENTERPRISE Google KMS
IBM	HPCS	IBM HPCS