.png){kind=logo}
This page provides a high-level overview of algorithm support across the logical layers involved in EJBCA certificate signing. Detailed information about enrollment protocols, Certificate Authority (CA) types, and Hardware Security Module (HSM) support is documented in their respective documentation sections.
This overview is intended as a reference and may not always reflect the latest changes to individual features or components. In case of inconsistencies, the feature-specific or component-specific documentation is considered authoritative.
Supported Algorithms for Certificate Signing
EJBCA supports the following key algorithms, signature algorithms, and key specifications for certificate signing.
Note that HSM support depends on vendor implementation, firmware capabilities, and operational mode. Confirm with your HSM supplier that the required algorithms are supported in your target configuration, including FIPS mode where applicable. Operating an HSM in FIPS mode may impose additional restrictions, such as disallowing SHA1-based signature algorithms.
|
Key Algorithm / Key Specification |
Signature Algorithm |
Enrollment Protocol |
CA Type |
HSM Support |
|---|---|---|---|---|
|
RSA (RSASSA-PKCS1_v1.5 and RSASSA-PSS) |
||||
|
Keys up to and including 8192 bits.
|
SHA1withRSA |
|||
|
SHA224withRSA |
||||
|
SHA256withRSA |
||||
|
SHA384withRSA |
||||
|
SHA512withRSA |
||||
|
SHA1withRSAandMGF1 |
||||
|
SHA224withRSAandMGF1 |
||||
|
SHA256withRSAandMGF1 |
||||
|
SHA384withRSAandMGF1 |
||||
|
SHA512withRSAandMGF1 |
||||
|
ECDSA |
||||
|
Algorithm with named curves. |
SHA1withECDSA |
|||
|
SHA224withECDSA |
||||
|
SHA256withECDSA |
||||
|
SHA384withECDSA |
||||
|
SHA512withECDSA |
||||
|
EdDSA |
||||
|
Ed25519 |
Ed25519 |
|||
|
Ed448 |
Ed448 |
|||
|
ML-DSA |
||||
|
ML-DSA-44 |
ML-DSA-44 |
|
||
|
ML-DSA-65 |
ML-DSA-65 |
|||
|
ML-DSA-87 |
ML-DSA-87 |
|||
|
ML-DSA |
ML-DSA-EXTERNAL-MU |
|
||
|
ML-DSA Composite |
||||
|
ML-DSA-44 & RSA 2048 |
MLDSA44-RSA2048-PSS-SHA256 |
|
||
|
ML-DSA-44 & ECDSA |
MLDSA44-ECDSA-P256-SHA256 |
|||
|
ML-DSA-44 & Ed25519 |
MLDSA44-Ed25519-SHA512 |
|||
|
ML-DSA-65 & RSA 3072 |
MLDSA65-RSA3072-PSS-SHA512 |
|||
|
ML-DSA-65 & RSA 4096 |
MLDSA65-RSA4096-PSS-SHA512 |
|||
|
ML-DSA-65 & ECDSA |
MLDSA65-ECDSA-P256-SHA512 |
|||
|
ML-DSA-65 & ECDSA |
MLDSA65-ECDSA-P384-SHA512 |
|||
|
ML-DSA-65 & ECDSA |
MLDSA65-ECDSA-brainpoolP256r1-SHA512 |
|||
|
ML-DSA-65 & Ed25519 |
MLDSA65-Ed25519-SHA512 |
|||
|
ML-DSA-87 & RSA 3072 |
MLDSA87-RSA3072-PSS-SHA512 |
|||
|
ML-DSA-87 & RSA 4096 |
MLDSA87-RSA4096-PSS-SHA512 |
|||
|
ML-DSA-87 & ECDSA |
MLDSA87-ECDSA-P384-SHA512 |
|||
|
ML-DSA-87 & ECDSA |
MLDSA87-ECDSA-P521-SHA512 |
|||
|
ML-DSA-87 & ECDSA |
MLDSA87-ECDSA-brainpoolP384r1-SHA512 |
|||
|
ML-DSA-87 & Ed448 |
MLDSA87-Ed448-SHAKE256 |
|||
|
SLH-DSA |
||||
|
SLH-DSA |
SLH-DSA-SHA2-128F |
|
||
|
SLH-DSA |
SLH-DSA-SHA2-128S |
|||
|
SLH-DSA |
SLH-DSA-SHA2-192F |
|||
|
SLH-DSA |
SLH-DSA-SHA2-192S |
|||
|
SLH-DSA |
SLH-DSA-SHA2-256F |
|||
|
SLH-DSA |
SLH-DSA-SHA2-256S |
|||
|
SLH-DSA |
SLH-DSA-SHAKE-128F |
|||
|
SLH-DSA |
SLH-DSA-SHAKE-128S |
|||
|
SLH-DSA |
SLH-DSA-SHAKE-192F |
|||
|
SLH-DSA |
SLH-DSA-SHAKE-192S |
|||
|
SLH-DSA |
SLH-DSA-SHAKE-256F |
|||
|
SLH-DSA |
SLH-DSA-SHAKE-256S |
|||