.png){kind=logo}
Get Started with EJBCA
EJBCA offers flexible deployment options to help you get started with PKI for testing, evaluation, and early-stage prototyping, without the need for a full-scale production setup. These approaches provide flexibility in exploring EJBCA’s capabilities and validating integrations with other products and systems.
Here is an overview of the deployment options:
Deployment Method | Use Case | Data Persistence | Tooling | EJBCA edition |
|---|---|---|---|---|
Quick feature testing | No | Docker | EJBCA Community | |
Durable PoC, repeated testing | Yes | Docker Compose | EJBCA Community | |
Production-aligned evaluation | Yes | Helm | EJBCA Community (limited functionality) EJBCA Enterprise | |
Quick feature testing | No | Helm | EJBCA Community (limited functionality) EJBCA Enterprise | |
PQC certificate issuing and artifact signing | Preconfigured Keyfactor Test Drive is available for 30 days. | Preconfigured Keyfactor Test Drive on Azure | EJBCA Enterprise | |
Full-featured EJBCA Enterprise evaluation | 30-day trial | AWS/Azure Marketplace | EJBCA Enterprise |
EJBCA Community vs Enterprise Options
Deployment options are provided for both the EJBCA Community and EJBCA Enterprise editions:
EJBCA Community Edition offers a core set of capabilities for evaluation and testing purposes. It is open-source and well-suited for testing, learning, and prototyping, but it is not designed or supported for production use.
EJBCA Enterprise Edition is recommended for PKI deployments supporting business-critical systems or critical infrastructure. It offers the security hardening, automation, scalability, and professional support required in production. Some advanced features and deployment methods described in this guide are only available in the Enterprise Edition.
Why Use EJBCA PKI during Development and Prototyping
Many development and testing environments rely on self-signed certificates or ad hoc tools and scripts. While these approaches are simple to start with, they often lead to long-term challenges around maintainability, security, and compliance. Such setups are not suitable for business-critical systems or critical infrastructure applications and platforms.
Since PKI is a foundational component of any security solution, production environments require a properly managed and supported PKI to ensure reliability, scalability, and compliance.
Using a standards-based PKI solution such as EJBCA during development helps:
Simulate real-world trust models.
Prepare for compliance and production-readiness.
Reduce integration errors later in the software lifecycle.
Reuse the same toolchain across development, staging, and production.
Be ready to scale securely
Migration to Enterprise is straightforward, regardless of whether you start with Community or a free trial
Try EJBCA Container deployment options
Ephemeral EJBCA Using Docker
Spin up a temporary EJBCA instance for quick testing without persisting any data.
Purpose: Try a feature, test an API, or verify configuration.
Data persistence: None. The container is removed after use.
This is useful when testing configuration flows or features that don’t require long-term storage or backups. Step-by-step guides and videos are provided, demonstrated with the Community Edition of EJBCA, which is readily available via Docker Hub.
Read more:
https://docs.keyfactor.com/how-to/latest/quick-start-ejbca-container-with-unauthenticated-n
https://docs.keyfactor.com/how-to/latest/quick-start-ejbca-container-with-client-certificat
Persistent EJBCA with Docker or Docker Compose
For a more durable evaluation or prototype environment, use Docker with mounted volumes or Docker Compose.
Purpose: Evaluate EJBCA features over time, build PoCs, and integrate with other systems.
Data persistence: Yes. Mounted volumes ensure data is retained between restarts.
The step-by-step guides and video examples leverage the Community edition of EJBCA. You can also pull the EJBCA Community container from the AWS Marketplace.
Read more: https://docs.keyfactor.com/how-to/latest/start-out-with-ejbca-docker-container
Kubernetes Deployment Using the EJBCA Helm Chart
The official EJBCA Helm chart provides a Kubernetes-native deployment option.
Purpose: Evaluate EJBCA in environments that mirror production.
Features:
Helm-based deployment and upgrades.
Ephemeral or persistent volumes and configurable resources.
Optional ingress, clustering, and external database integration.
Get the full Kubernetes experience - this is suitable for users who:
Are using Kubernetes.
Want to test integrations with cert-manager, Istio, SPIRE, or other Kubernetes-native tools.
There are tutorials available for both a more basic EJBCA Community installation using Helm and more advanced Enterprise High-Availability, resilience, and scaling options.
The same Helm chart can be used to deploy both EJBCA Community and Enterprise editions.
Read more:
https://docs.keyfactor.com/how-to/latest/deploy-ejbca-using-a-helm-chart
https://docs.keyfactor.com/how-to/latest/install-microk8s-to-run-ejbca
https://docs.keyfactor.com/how-to/latest/deploy-ejbca-container-in-microk8s
Try EJBCA and SignServer Enterprise with PQC in a Test Drive
Use this option to quickly get to know and evaluate Post-Quantum Cryptography (PQC) capabilities in EJBCA and/or SignServer Enterprise. The PQC Lab Test Drive provides a pre-configured environment that allows you to issue quantum-safe certificates and test PQC signing on arbitrary artifacts without any configuration or installation.
Read more and sign up: PQC Lab Test Drive
Deploy EJBCA Enterprise on AWS or Azure (30-day free trial)
EJBCA Enterprise is available as a 30-day free trial on both Amazon Web Services (AWS) and Microsoft Azure.
Use this option to evaluate EJBCA Enterprise features in a managed cloud environment. If the deployment meets your requirements, you can convert it into a commercial instance without redeploying.
Read more:
https://docs.keyfactor.com/ejbca/latest/get-started-with-ejbca-community-container-on-aws
https://docs.keyfactor.com/how-to/latest/set-up-a-free-trial-version-of-ejbca-on-aws
Next Steps: Configure Your PKI for Testing
After completing your initial deployment, the next step is to configure your Public Key Infrastructure (PKI) to support your testing or evaluation use case. This typically includes setting up certificate authorities (CAs), defining roles and permissions, and issuing test certificates.
To help you get started quickly, there are multiple how-to guides that walk you through the essential tasks, such as:
Create a PKI Hierarchy
Create your first Root CA
Create your first issuing CA
Configuring Revocation
Set up roles and permissions
etc
These guides are designed to help you get a working PKI configuration with minimal effort and are applicable to both the EJBCA Community and Enterprise editions unless otherwise stated.
Read more: https://docs.keyfactor.com/how-to/latest/
Contact us
Request a live demo with one of our experts — whether you want to explore workflows hands-on or discuss your specific needs.