Skip to main content
Skip table of contents

Interoperability and Certifications

The following provides an overview of EJBCA's capabilities and support, with relevant links to documentation and external standards. 

This is a selection of the most important standards and does not cover every specification EJBCA supports.

Specifications

Certificate Formats and Standards

EJBCA supports the following formats and standards.

Supported StandardExternal ReferenceDocumentation
X509 and PKIX.RFC 5280Certificate Authority Overview

Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs.

BSI TR-03110

ENTERPRISE

CVC CA

Qualified Certificate Statement for issuing EU/ETSI qualified certificates.

RFC 3739Certificate Profile Fields
Certificate Transparency.RFC 6962
DNS Certificate Authority Authorization (CAA).RFC 6844
eIDAS

Regulation (EU) No 910/2014
EN 319 411, EN 319 412

PSD2ETSI TS 119 495

FIPS 201-2 (PIV) compliant certificates including FASC-N subjectAltName.

FIPS 201-2
PEM: Textual Encodings of PKIX, PKCS, and CMS StructuresRFC 7468
PKCS#10: Certification Request SyntaxRFC 2986
PKCS#7: Cryptographic Message SyntaxRFC 5652
PKCS#12: Personal Information Exchange SyntaxRFC 7292

CRL, OCSP and Certificate Distribution

EJBCA supports the following CRL formats and standards.

Supported StandardExternal ReferenceDocumentation
CRL creation and URL based CRL Distribution Points.RFC 5280CRL Generation
Online Certificate Status Protocol (OCSP), including AIA-extension and must-staple extension.RFC 2560, RFC 6960RFC 5019 and RFC 9654OCSP
Certificate Store, distribution of CA certificates and CRLs over HTTP.RFC 4387Certificate and CRL Access over HTTP

The German Common PKI SigG CertHash OCSP extension.

Common PKIOCSP
LDAP Certificate Publishing.RFC 4523LDAP Publisher/LDAP Search Publisher
SCP Publishing

Algorithms and Key Types

EJBCA supports the following algorithm types and key size/curves. When using HSMs, support is limited to a subset by the PKCS#11 provider and the specific HSM used.

AlgorithmKey Size/curveExternal ReferenceDocumentation
RSAKeys up to and including 8192 bits.

ECDSA

Curves including named curves from Nist, SEC, Teletrust, and X9.62.

For long term stability we recommend to use the most commonly
used EC curves, if no other requirements apply choose
P-256/P-384/P-521.


View curves...

FRP256v1
brainpoolP224r1
brainpoolP224t1
brainpoolP256r1
brainpoolP256t1
brainpoolP320r1
brainpoolP320t1
brainpoolP384r1
brainpoolP384t1
brainpoolP512r1
brainpoolP512t1
c2pnb272w1
c2pnb304w1
c2pnb368w1
c2tnb239v1
c2tnb239v2
c2tnb239v3
c2tnb359v1
c2tnb431r1
prime239v1
prime239v2
prime239v3
prime256v1/secp256r1/P-256
secp224k1
secp224r1/P-224
secp256k1
secp384r1/P-384
secp521r1/P-521
sect233k1/K-233
sect233r1/B-233
sect239k1
sect283k1/K-283
sect283r1/B-283
sect409k1/K-409
sect409r1/B-409
sect571k1/K-571
sect571r1/B-571
sm2p256v1


ECDSA Keys and Signatures
EdDSA

Ed25519
Ed448

RFC8032
RFC8410
EdDSA Keys and Signatures
ML-DSA

ML-DSA-44
ML-DSA-65
ML-DSA-87

FIPS 204Post-Quantum Keys and Signatures
ML-KEM

Supported for EE cert creation only.

ML-KEM-512
ML-KEM-768
ML-KEM-1024

FIPS 203Post-Quantum Keys and Signatures

Certificate Enrollment Protocols

For specific features supported in each protocol, see the detailed documentation.

Protocol / InterfaceExternal ReferenceDocumentation
EJBCA WS Soap API.
Web Service Interface

EJBCA Enrollment REST API.


EJBCA REST Interface
EJBCA Management REST API.
Simple Certificate Enrollment Protocol (SCEP).SCEP draft 23SCEP
X509 Public Key Infrastructure Certificate Management Protocol (CMP).RFC 4210 and RFC 6712CMP
3GPP, i.e. LTE/4G, compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication.ETSI-3GPP

ENTERPRISE

CMP

X.509 Public Key Infrastructure Certificate Request Message Format (CRMF).RFC 4211
Enrollment over Secure Transport (EST).RFC 7030

ENTERPRISE

EST

Automatic Certificate Management Environment (ACME).RFC 8555

ENTERPRISE

ACME

Automated Certificate Management Environment (ACME) IP Identifier Validation ExtensionRFC 8738

ENTERPRISE

ACME

Microsoft Auto-enrollment Integration.

ENTERPRISE

Auto-enrollment

Legacy Native auto-enrollment in Windows environment with add-on auto-enrollment proxy module.


Certifications

The following lists certifications.

TypeVersionExternal ReferenceDocumentation
Common Criteria: Issuing and Management Components (CIMC) Version 1.0, EAL4+EJBCA 5.0.4Certification

ENTERPRISE

Common Criteria

Common Criteria: Protection Profile for Certification Authorities Version 2.1EJBCA 7.4.1.1Certification

ENTERPRISE

Common Criteria

Interoperability

Hardware Security Modules

The following lists support for Hardware Security Modules (HSMs). There are different APIs supporting HSMs, Java P11 Provider (legacy), P11NG, and REST APIs for some HSMs.

VendorModelDocumentation
Generic PKCS#11 Provider
Generic PKCS#11 Provider
ARXCoSignARX CoSign
AWS CloudHSMCloudHSM

ENTERPRISE

AWS CloudHSM

AWS Key Management ServiceKMS

ENTERPRISE

AWS KMS

Azure Key VaultKey Vault and Managed HSMAzure Key Vault and Managed HSM
BullTrustway PCI and ProteccioBull Trustway PCI Crypto Card
Bull Trustway Proteccio
CardContactSmartCard-HSMSmartCard-HSM
Engage Black
BlackVault HSMBlackVault HSM
FortanixData Security Manager (DSM) 
i4pTrident HSM Trident HSM
Entrust/nCiphernShield/netHSMnCipher nShield/netHSM
NitroKeyNitroKey HSMNitrokey HSM
SoftHSMSoftHSMv2SoftHSM
Securosys

Securosys Primus HSM and CloudHSM Service

Securosys Primus HSM and CloudHSM Service
ThalesThales Data Protection on Demand (DPoD)Thales DPoD
ThalesThales Luna HSMThales Luna HSM
ThalesProtectServerThales ProtectServer
Thales TCTLuna SA HSMThales TCT Luna SA
UtimacoCryptoServerUtimaco CryptoServer
UtimacoCryptoServer CP5Contact Sales
Ultra Electronics AEPKeyperAEP Keyper
YubicoYubiHSM 2YubiHSM 2
GoogleKMS

ENTERPRISE

Google KMS

IBMHPCSIBM HPCS
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.