Open main menu

Wikipedia β

Enterprise Java Beans Certificate Authority, or EJBCA, is a free software public key infrastructure (PKI) certificate authority software package maintained and sponsored by the Swedish for-profit company PrimeKey Solutions AB, which holds the copyright to most of the codebase. The project's source code is available under terms of the Lesser GNU General Public License.

Banner ejbca-public.png
EJBCA 6.5.0 in English – Administration
EJBCA 6.5.0 in English – Administration
Developer(s) PrimeKey Solutions AB
Initial release December 5, 2001 (2001-12-05)
Stable release / January 11, 2018 (2018-01-11)
Written in Java on Java EE
Operating system Cross-platform
Available in Bosnian, Chinese, Czech, English, French, German, Japanese, Portuguese, Swedish, Ukrainian, Vietnamese
Type PKI Software
License LGPL-2.1



The system is implemented in Java EE and designed to be platform independent and fully clusterable,[1] to permit a greater degree of scalability than is typical of similar software packages. Multiple instances of EJBCA are run simultaneously, sharing a database containing the current certificate authorities (CAs). This permits each instance of the software to access any CA. The software also supports the use of a Hardware Security Module (HSM), which provides additional security. Larger-scale installations would use multiple instances of EJBCA running on a cluster, a fully distributed database on a separate cluster and a third cluster with HSMs keeping the different CA keys.

EJBCA supports many common PKI Architectures[2] such as all in a single server, distributed RAs and external validation authority. An example architecture is illustrated below.


Key featuresEdit

Multiple CA instancesEdit

EJBCA supports running unlimited number of CAs and levels of CAs in a single installation. Build a complete infrastructure, or several, within one instance of EJBCA.

Online Certificate Status ProtocolEdit

For certificate validation your have the choice of using X.509 CRLs and OCSP (RFC6960).

Multiple algorithmsEdit

You can use all common, and some uncommon algorithms in your PKI. RSA, ECDSA and DSA, SHA-1 and SHA-2. Compliant with NSA Suite B Cryptography.

Different certificate formatsEdit

EJBCA support both X.509v3 certificates and Card Verifiable certificates (CVC BSI TR-03110). Certificates are compliant with all standards such as RFC5280, CA/Browser Forum, eIDAS, ICAO 9303, EAC 2.10 and ISO 18013 Amendment 2 eDL.

PKCS#11 HSMsEdit

Using the standard PKCS 11 API you can use most PKCS#11 compliant HSMs to protect the CAs, and OCSP Responders, private keys.

Many integration protocols and APIsEdit

EJBCA was designed with integration in mind. Most standard protocols are supported, CMP and SCEP, as well as web services. Using integration APIs it is possible to integrate EJBCA as a certificate factory, not exposing it's native user interfaces.

High performance and capacityEdit

You can build a PKI with capacity of issuing billions of certificates at a rate of several hundreds per second.


Further readingEdit

External linksEdit