PKI system features
Multiple CAs and levels of CAs: build a complete infrastructure (or several) within one instance of EJBCA.
Unlimited number of Root CAs and SubCAs.
Request cross certificates and bridge certificates from other CAs and Bridge CAs. Issue cross certificates to other CAs.
Get your own CA signed by publicly recognized CAs such as Comodo or T-Systems.
Follows X.509 and PKIX (RFC5280) standards where applicable.
Supports RSA key algorithm up to 8192 bits.
Supports DSA key algorithm with 1024 bits.
Supports ECDSA key algorithm with named curves or implicitlyCA.
Supports multiple hash algorithms for signatures: SHA-1 and SHA-2.
Compliant with NSA Suite B algorithms and certificates.
Support for X.509 certificates and Card Verifiable certificates (CVC, BSI TR-03110, used by EU EAC ePassports) and eIDs.
Support for Hardware Security Modules (HSMs). Built-in support for Thales/nCipher, SafeNet Luna, SafeNet ProtectServer, Utimaco CryptoServer, AEP Keyper, ARX CoSign and other HSMs with a good PKCS#11 library.
Individual enrollment or batch production of certificates.
Issues SSL/TLS certificates that work with all common servers.
Admin registration and self-registration workflows out of the box. Supports virtually any workflow with plug-ins and integration.
Server and client certificates can be exported as PKCS12, JKS or PEM.
Browser enrollment with Firefox, IE, etc.
Enrollment for other applications through open APIs and tools.
Enrollment generating complete OpenVPN installers for VPN users.
Mobile enrollment, i.e. iOS using SCEP.
Revocation and Certificate Revocation Lists (CRLs).
CRL creation and URL-based CRL Distribution Points according to RFC5280.
Smart card logon certificates for Windows, Linux and Mac OS X.
Configurable certificate profiles for different types and contents of certificates.
Standard and custom certificate extensions supported.
Supports the Simple Certificate Enrollment Protocol (SCEP).
Qualified Certificate Statement (RFC3739) for issuing EU/ETSI qualified certificates.
Supports the Online Certificate Status Protocol (OCSP: RFC2560, RFC6960 and RFC5019), including the AIA extension.
Supports RFC4387 for distribution of CA certificates and CRLs over HTTP.
Validation Authority service serving OCSP responses (RFC2560/5019), CA certificates and CRLs (RFC4387).
Supports the German Common PKI SigG CertHash OCSP extension.
Supports CMP (RFC4210 and RFC4211).
Key recovery: stores private keys for later recovery, for selected users and certificates.
ePassport PKI features
Support for BAC PKI, Country Signing CA (CSCA) and Document Signer (DS) certificates.
SignServer as Document Signer creating Security Objects (SOD).
Support for EAC PKI (EJBCA Enterprise only).
Integration with PrimeKey SPOC for a Single Point of Contact between countries.
Publisher for ICAO PKD, publishing DS certificates and CSCA CRLs to ICAO PKD LDAP directory.
Built on the JEE 5 (EJB 3.0) specification.
Flexible, component-based architecture.
Run standalone or integrated in any JEE application.
External Validation Authority and OCSP responder also work with any CA other than EJBCA and support large-scale OCSP deployments.
Validation Authority and OCSP responder can run integrated with EJBCA or stand-alone (clustered) for security, high performance and high availability.
Simple OCSP client in pure Java.
Plug-in functionality allowing you to extend EJBCA with your own functionality and workflows.
Web service (WS) interface for remote administration and integration.
Command line interface for scripts etc.
Administration GUI is localizable and available in several languages: Japanese, English, French, German, Italian, Portuguese, Spanish, Chinese, ...
Internal log messages are localizable for different languages.
Component- and plug-in based architecture for publishing certificates and CRLs to different destinations.
API for an external RA, restricting inbound traffic to the CA.
Hard token module for integrating with hard token issuing system (smart cards).
Simple installation and configuration.
Administration through Web GUI, command line or Web Services.
Powerful web-based administration GUI using strong authentication.
Configurable entity profiles for different types of users.
Notification system for e-mail notification to users and administrators when a user is added or certificates expire etc.
Random or manual password for initial user authentication.
Multiple levels of administrators with specified privileges and roles.
Authentication of local CLI users, enabling role separation also for the local CLI.
Stores certificates and CRLs in an SQL database, LDAP and/or other custom data sources.
OCSP transaction logging suitable for statistics and billing.
Optional multiple publishers for publishing certificates and CRLs in LDAP or legacy databases. Several flexible standard publishers exist to meet different demands.
Supports authentication and publishing of certificates to Microsoft Active Directory.
Optional approval mechanism so that several admins are required to perform an action, a.k.a. dual authentication.
Component-based architecture supporting various methods of authorizing entities when issuing certificates.
Batch enrollment GUI for CSRs (web service RA).
Possibility for autoenrollment (albeit not using Windows standard autoenroll).
Easy upgrade paths when new versions are released.
Written in pure Java, running in a JEE application server.
Interfaces with Hardware Security Modules using the standard PKCS#11 interface.
High performance and capacity: issues hundreds of certificates per second and stores hundreds of millions of certificates.
Stress test and performance measuring tools in the client toolbox.
Uses a standard, high-performance RDBMS for storage.
Easy to understand and manage.
Supports different architectures; all-in-one, clustered, external RA, external OCSP, etc.
Possible to integrate into large Java applications for optimal integration into business processes.
Deploys easily in a clustered, high availability environment.
Health check monitoring service to support efficient clustering and monitoring.
Supports multiple application servers: JBoss and GlassFish.
Supports multiple databases: Hypersonic, MySQL, PostgreSQL, Oracle, DB2, MS SQL Server, Derby, Sybase, Informix.
Unique possibility to configure either as a fully audited CA or as a high-speed certificate factory, with the same level of management features.
Enterprise Edition features
Support and maintenance from PrimeKey, world-renowned PKI experts.
Maintenance and security releases.
Common Criteria EAL4+ and CWA 14167 certified.
Audit log (log signing), with digital signature or HMAC protection.
Full database integrity protection of all tables, to detect database manipulation.
Command line tool for verification of audit and database integrity protection.
Validation tool for conformance checking of certificates and OCSP responders.
EAC PKI (EAC 1.11 and 2.10) for ePassports and eIDs, Country Verifying CA (CVCA) and Document Verifiers (DV) issuing Inspection System (IS) certificates.
Certified access control and authorization module, for assurance and high trust role separation.
3GPP (i.e. LTE/4G) compatible PKI, using CMP with multiple Vendor CAs and vendor certificate authentication.
CMP Proxy to add an additional network layer, with message check, between the CA and CMP clients.
SCEP RA mode, using SCEP to control entity creation from an RA.
SCEP Client Certificate Renewal, allowing client certificate renewal using SCEP.
Certificate Transparency, RFC6962.
CertSafe publisher to send certificates to, and revoke certificates from, a CertSafe server.
Peer Connectors for managing Peer Systems, such as OCSP Responders.
Direct Validation Authority (OCSP responder) updates from CA to VA, ideal for low-latency revocation and white listing.
External RA with a polling model for RA-to-CA communication, for high security environments.
Create Crypto Tokens and CAs, generate keys, and add and remove administrators through the Web Service API.
EV Certificate specific DN components as defined in CABForum guidelines (jurisdictionLocality, State and Country).
Additional algorithms using HSMs through PKCS#11: RSASSA-PSS (SHA256WithRSAAndMGF1), available through patches for Java.
Support for Windows Autoenrollment with an add-on autoenrollment proxy module.
Support for GOST and DSTU algorithms (Russian and Ukrainian algorithms).
Penetration tested with improved security.
© 2002-2015 PrimeKey Solutions AB. EJBCA® is a registered trademark of PrimeKey Solutions AB.