Welcome to EverybodyWiki 😃 ! Nuvola apps kgpg.png Log in or ➕👤 create an account to improve, watchlist or create an article like a 🏭 company page or a 👨👩 bio (yours ?)...


From EverybodyWiki Bios & Wiki

Banner ejbca-public.png
EJBCA 6.5.0 in English – Administration
EJBCA 6.5.0 in English – Administration
Developer(s)PrimeKey Solutions AB
Initial releaseDecember 5, 2001 (2001-12-05)
Stable release / March 29, 2021 (2021-03-29)
Written inJava on Java EE
    Operating systemCross-platform
    Available inBosnian, Chinese, Czech, English, French, German, Japanese, Portuguese, Swedish, Ukrainian, Vietnamese
    TypePKI Software

    Amazon.com Logo.png Search EJBCA on Amazon.

    EJBCA, is a free software public key infrastructure (PKI) certificate authority software package maintained and sponsored by the Swedish for-profit company PrimeKey Solutions AB, which holds the copyright to most of the codebase. The project's source code is available under terms of the Lesser GNU General Public License.


    The system is implemented in Java EE and designed to be platform independent and fully clusterable,[1] to permit a greater degree of scalability than is typical of similar software packages. Multiple instances of EJBCA are run simultaneously, sharing a database containing the current certificate authorities (CAs). This permits each instance of the software to access any CA. The software also supports the use of a hardware security module (HSM), which provides additional security. Larger-scale installations would use multiple instances of EJBCA running on a cluster, a fully distributed database on a separate cluster and a third cluster with HSMs keeping the different CA keys.

    EJBCA supports many common PKI architectures[2] such as all in a single server, distributed RAs and external validation authority. An example architecture is illustrated below.

    Example PKI architecture with external validation authority

    EJBCA can be used by small and large organizations alike and EJBCA Community can be deployed as pure software installation (Do_it_yourself) or as easy to test Docker_(software) container.


    A certificate authority system typically consist of the logical components

    • Certification Authority (CA): issues certificates, signing them using the CA's private signing key.
    • Registration Authority (RA): registers entities in the system and approves issuance from the CA. Validation and policy controls are usually divided between the CA and the RA and can vary depending on use case and installation, from a model where the RA does everything and the CA simply issues on order from the RA, to a model where the CA performs all validation and controls and the RA acts as a simply proxy front-end.
    • Validation Authority (VA): servers relying parties with data needed to validate certificates as they are used by the relying parties. The VA typically offers an OCSP services and download of CRLs.

    These logical components can be deployed ether as discrete components, physically separated, or bundled into a single physical deployment.

    Key features[edit]

    Multiple CA instances[edit]

    EJBCA supports running unlimited number of CAs and levels of CAs in a single installation. Build a complete infrastructure, or several, within one instance of EJBCA.

    Online Certificate Status Protocol[edit]

    For certificate validation you have the choice of using X.509 CRLs and OCSP (RFC6960).

    Registration authority[edit]

    The EJBCA software includes a separate registration authority (RA) front end that can run on the same instance as the CA or distributed as external RAs. Communication between the CA and the RA is only using outgoing network connections to insulate the CA from less trusted networks, where the RA is typically placed.

    Multiple algorithms[edit]

    You can use all common, and some uncommon algorithms in your PKI. RSA, ECDSA, EdDSA, and DSA, SHA-1, SHA-2, and SHA-3. Compliant with NSA Suite B Cryptography.

    Different certificate formats[edit]

    EJBCA support both X.509v3 certificates and Card Verifiable certificates (CVC BSI TR-03110). Certificates are compliant with all standards such as RFC5280, CA/Browser Forum, eIDAS, ICAO 9303, EAC 2.10 and ISO 18013 Amendment 2 eDL.

    PKCS#11 HSMs[edit]

    Using the standard PKCS 11 API you can use most PKCS#11 compliant HSMs to protect the CAs’ and OCSP responders’ private keys.

    Many integration protocols and APIs[edit]

    EJBCA was designed with integration in mind. Most standard protocols are supported, CMP, SCEP, EST, and ACME as well as web services. Using integration APIs it is possible to integrate EJBCA as a certificate factory, not exposing its native user interfaces.

    High performance and capacity[edit]

    You can build a PKI with capacity of issuing billions of certificates at a rate of several hundreds per second.

    See also[edit]

    • Public key infrastructure
    • Public-key cryptography (asymmetric cryptography)
    • Public key certificate (digital certificate)
    • X.509 (public key certificate format)
    • Certificate authority
    • Common Criteria
    • ETSI
    • eIDAS
    • Let’s Encrypt


    1. "Automated and large scale operations".
    2. "PKI Architectures".

    Further reading[edit]

    External links[edit]

    Others articles of the Topic Free and open-source software : Collabora Office, Home Assistant, MiaCMS, Project Kenai, Moleculer, VSXu, Collabora Online

    This article "EJBCA" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:EJBCA. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.