EJBCA - Open Source PKI Certificate Authority
Search ejbca.org for:
PrimeKey Support, Development and Maintenance services

Features

PKI system features

  • Multiple CAs and levels of CAs, build a complete infrastructure (or several) within one instance of EJBCA.
  • Unlimited number of Root CAs and SubCAs. Request cross certificates and bridge certificates from other CAs and Bridge CAs. Issue cross certificates to other CAs.
  • Get your own CA signed by public recognized CAs such as Comodo or T-Systems.
  • Follows X509 and PKIX (RFC5280) standards where applicable.
  • Supports RSA key algorithm up to 8192 bits.
  • Supports DSA key algorithm with 1024 bits.
  • Supports ECDSA key algorithm with named curves or implicitlyCA.
  • Support multiple hash algorithms for signatures, SHA-1, SHA-2.
  • Compliant with NSA SUITE B algorithms and certificates.
  • Support for X.509 certificates and Card Verifiable certificates (CVC BSI TR-03110 used by EU EAC ePassports) and eIDs.
  • Support for Hardware Security Modules (HSMs). Built in support for Thales/nCipher, SafeNet Luna, SafeNet ProtectServer, Utimaco CryptoServer, AEP Keyper, ARX CoSign and other HSMs with a good PKCS#11 library.
  • Individual enrollment or batch production of certificates.
  • Issues SSL/TLS certificates that work with all common servers.
  • Admin registration and self-registration work-flows out of the box. Supports virtually any work-flow with plug-ins and integration.
  • Server and client certificates can be exported as PKCS12, JKS or PEM.
  • Browser enrollment with Firefox, IE, etc.
  • Enrollment for other applications through open APIs and tools.
  • Enrollment generating complete OpenVPN installers for VPN users.
  • Mobile enrollment, i.e. iOS using SCEP.
  • Revocation and Certificate Revocation Lists (CRLs).
  • CRL creation and URL-based CRLDistribution Points according to RFC5280.
  • Smart card logon certificates for Windows, Linux and Mac OS X.
  • Configurable certificate profiles for different types and contents of certificates.
  • Standard and custom certificate extensions supported.
  • Supports the Simple Certificate Enrollment Protocol (SCEP).
  • Qualified Certificate Statement (RFC3739) for issuing EU/ETSI qualified certificates.
  • Supports the Online Certificate Status Protocol (OCSP - RFC2560, RFC6960 and RFC5019), including AIA-extension.
  • Supports RFC4387 for distribution of CA certificates and CRLs over HTTP.
  • Validation Authority service serving OCSP responses (RFC2560/5019), CA certificates and CRLS (RFC4387).
  • Supports the German Common PKI SigG CertHash OCSP extension.
  • Supports CMP (RFC4210 and RFC4211).
  • Supports synchronous XKMS version 2 requests.
  • Key recovery to store private keys for recovery for selected users and certificates.

ePassport PKI features

  • Support for BAC PKI, Country Signing CA (CSCA) and Document Signer (DS) certificates.
  • Integration with SignServer as Document Signer creating Security Objects (SOD).
  • Support for EAC PKI (EJBCA Enterprise only).
  • Integration with PrimeKey SPOC for a Single Point of Contact between countries.
  • Publisher for ICAO PKD, publishing DS certificates and CSCA CRLs to ICAO PKD LDAP directory.

Integration features

  • Built on the JEE 5 (EJB 3.0) specification.
  • Flexible, component based architecture.
  • Run standalone or integrated in any JEE application.
  • External Validation Authority and OCSP responder also works with any other CA than EJBCA and support large scale OCSP deployments.
  • Validation Authority and OCSP responder can run integrated with EJBCA or stand alone (clustered) for security, high-performance and high-availability.
  • Simple OCSP client in pure java.
  • Plug-in functionality allowing you to enhance with your own functionality and work flows.
  • Web service (WS) interface for remote administration and integration.
  • Command line interface for scripts etc.
  • Administration GUI localizable and available in several languages - Japaneese, English, French, German, Italian, Portuguese, Spanish, Chinese, ...
  • Internal log messages are localizable for different languages.
  • Component- and plug-in based architecture for publishing certificates and CRLs to different sources.
  • API for an external RA, restricting in-bound traffic to CA.
  • Hard token module for integrating with hard token issuing system (smart cards).

Administration features

  • Simple installation and configuration.
  • Administration thrugh Web GUI, command line or Web Services.
  • Powerful Web based administration GUI using strong authentication.
  • Configurable entity profiles for different types of users.
  • Notification system for e-mail notification to users and administrators when a user is added or certificates expire etc.
  • Random or manual password for initial user authentication.
  • Multiple levels of administrators with specified privileges and roles.
  • Authentication of local CLI users enabling role separation also for local CLI.
  • Stores Certificates and CRLs in SQL database, LDAP and/or other custom data source.
  • OCSP transaction logging suitable for statistics and billing.
  • Optional multiple publishers for publishing certificates and CRLs in LDAP or legacy databases. Several flexible standard publishers exist to meet different demands.
  • Supports authentication and publishing of certificates to Microsoft Active Directory.
  • Optional approval mechanism so several admins are required to perform an action, a.k.a. dual-authentication.
  • Component based architecture for various authorization methods of entities when issuing certificates.
  • Simple stand-alone batch enrollment GUI for CSRs (webservice RA).
  • Possibility for autoenrollment (albeit not using windows standard autoenroll).
  • Easy upgrade paths when new versions are released.

System features

  • Written in pure Java, running in a JEE application server. Interfaces with Hardware Security Modules using standard PKCS#11 interface.
  • High performance and capacity, issue hundreds of certificates per second, store hundreds of millions of certificates.
  • Stress test and performance measuring tools in client toolbox.
  • Using standard, high performance RDBMS for storage. Easy to understand and manage.
  • Supports different architectures; all-in-one, clustered, external RA, external OCSP, etc.
  • Possible to integrate into large java applications for optimal integration into business process.
  • Deploys easily in a clustered, high availability environment.
  • Health check monitoring service to support efficient clustering and monitoring.
  • Supports multiple application servers: JBoss, Glassfish and to some extent WebLogic
  • Supports multiple databases: Hypersoniq, MySQL, PostgreSQL, Oracle, DB2, MS SQL Server, Derby, Sybase, Informix.
  • Unique possibility to configure either as fully audited CA or as high speed certificate factory, with the same level of management features.

Enterprise Edition features

  • Common Criteria EAL4+ and CWA 14167 certified.
  • Support and maintenance from PrimeKey, world renowned PKI experts.
  • Integrity protected audit log (log signing), with digital signature or HMAC protection.
  • Full database integrity protection of all tables, to detect database manipulation.
  • Command line tool for verification of audit and database integrity protection.
  • Validation tool for conformance checking of certificates and OCSP responders.
  • EAC PKI (EAC 1.11 and 2.10) for ePassports and eIDs, Country Verifying CA (CVCA) and Document Verifiers (DV) issuing Inspection System (IS) certificates.
  • Certified access control and authorization module, for assurance and high trust role separation.
  • Penetration tested with improved security.
  • 3GPP, i.e. LTE/4G, compatible PKI, using CMP with multiple Vendor CAs and vendor certificate authentication.
  • Certificate Transparency, RFC6962.
  • Support for GOST and DSTU algorithms (Russian and Ukrainian algorithms).