The following provides an overview of EJBCA’s capabilities and support, with relevant links to documentation and external standards.
Specifications
Certificate Formats and Standards
EJBCA supports the following formats and standards.
Supported Standard | External Reference | Documentation |
|---|---|---|
| X509 and PKIX. | RFC 5280 | Certificate Authority Overview |
Card Verifiable Certificates (CVC ) used by EU EAC ePassports and eIDs. | BSI TR-03110 | CVC CA |
Qualified Certificate Statement for issuing EU/ETSI qualified certificates. | RFC 3739 | Certificate Profile Fields |
| Certificate Transparency. | RFC 6962 | Certificate Transparency |
| DNS Certificate Authority Authorization (CAA). | RFC 6844 | Certificate Field Validators |
| eIDAS | Regulation (EU) No 910/2014 EN 319 411, EN 319 412 | Certificate Profile Fields |
| PSD2 | ETSI TS 119 495 | Certificate Profile Fields |
FIPS 201-2 (PIV) compliant certificates including FASC-N subjectAltName. | FIPS 201-2 | End Entity Profiles Fields |
| PEM: Textual Encodings of PKIX, PKCS, and CMS Structures | RFC 7468 | |
| PKCS#10: Certification Request Syntax | RFC 2986 | |
| PKCS#7: Cryptographic Message Syntax | RFC 5652 | |
| PKCS#12: Personal Information Exchange Syntax | RFC 7292 |
CRL, OCSP and Certificate Distribution
EJBCA supports the following CRL formats and standards.
Supported Standard | External Reference | Documentation |
|---|---|---|
| CRL creation and URL based CRL Distribution Points. | RFC 5280 | CRL Generation |
| Online Certificate Status Protocol (OCSP), including AIA-extension and must-staple extension. | RFC 2560, RFC 6960, RFC 5019 and RFC 8964 | OCSP |
| Certificate Store, distribution of CA certificates and CRLs over HTTP. | RFC 4387 | Certificate and CRL Access over HTTP |
The German Common PKI SigG CertHash OCSP extension. | Common PKI | OCSP |
| LDAP Certificate Publishing. | RFC 4523 | LDAP Publisher/LDAP Search Publisher |
| SCP Publishing | SCP Publisher |
Algorithms and Key Types
EJBCA supports the following algorithm types and key size/curves. When using HSMs, support is limited to a subset by the PKCS#11 provider and the specific HSM used.
Algorithm | Key Size/curve | External Reference | Documentation |
|---|---|---|---|
| RSA | Keys up to and including 8192 bits. | ||
| DSA | Keys up to and including 1024 bits. | ||
| ECDSA | Curves including named curves from Nist, SEC, Teletrust, and X9.62. | ECDSA Keys and Signatures | |
| EdDSA | Ed25519 Ed448 | RFC8032 RFC8410 | EdDSA Keys and Signatures |
| GOST | GostR3410-2001-CryptoPro-A/GostR3410-2001-CryptoPro-XchA GostR3410-2001-CryptoPro-B GostR3410-2001-CryptoPro-C/GostR3410-2001-CryptoPro-XchB Tc26-Gost-3410-12-256-paramSetA Tc26-Gost-3410-12-512-paramSetA Tc26-Gost-3410-12-512-paramSetB Tc26-Gost-3410-12-512-paramSetC |
Certificate Enrollment Protocols
For specific features supported in each protocol, see the detailed documentation.
Protocol / Interface | External Reference | Documentation |
|---|---|---|
| EJBCA WS Soap API. | Web Service Interface | |
| EJBCA REST Certificate Management API. | EJBCA REST Interface | |
| Simple Certificate Enrollment Protocol (SCEP). | SCEP draft 23 | SCEP |
| X509 Public Key Infrastructure Certificate Management Protocol (CMP). | RFC 4210 | CMP |
| 3GPP, i.e. LTE/4G, compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication. | ETSI-3GPP | CMP |
| X.509 Public Key Infrastructure Certificate Request Message Format (CRMF). | RFC 4211 | |
| Enrollment over Secure Transport (EST). | RFC 7030 | EST |
| Automatic Certificate Management Environment (ACME). | RFC 8555 | ACME |
| Microsoft Auto-enrollment Integration. | Auto-enrollment | |
| Legacy Native auto-enrollment in Windows environment with add-on auto-enrollment proxy module. |
Certifications
The following lists certifications.
Type | Version | External Reference | Documentation |
|---|---|---|---|
| Common Criteria: Issuing and Management Components (CIMC) Version 1.0, EAL4+ | EJBCA 5.0.4 | Certification | Common Criteria |
| Common Criteria: Protection Profile for Certification Authorities Version 2.1 | EJBCA 7.4.1.1 | Certification | Common Criteria |
Interoperability
Hardware Security Modules
The following lists support for Hardware Security Modules (HSMs).
Vendor | Model | Documentation |
|---|---|---|
| Generic PKCS#11 Provider | Generic PKCS#11 Provider | |
| ARX | CoSign | ARX CoSign |
| AWS CloudHSM | CloudHSM | EJBCA Cloud AWS |
| AWS Key Management Service | KMS | EJBCA Cloud AWS |
| Azure Key Vault | Key Vault | EJBCA Cloud Azure |
| Bull | Trustway PCI and Proteccio | Bull Trustway PCI Crypto Card Bull Trustway Proteccio |
| CardContact | SmartCard-HSM | SmartCard-HSM |
| i4p | Trident HSM | Trident HSM |
| nCipher | nShield/netHSM | nCipher nShield/netHSM |
| NitroKey | NitroKey HSM | Nitrokey HSM |
| SoftHSM | SoftHSMv2 | SoftHSM |
| Thales | Thales Data Protection on Demand (DPoD) | Thales DPoD |
| Thales | Thales Luna HSM | Thales Luna HSM |
| Thales | ProtectServer | Thales ProtectServer |
| Thales TCT | Luna SA HSM | Thales TCT Luna SA |
| Utimaco | CryptoServer | Utimaco CryptoServer |
| Utimaco | CryptoServer CP5 | Contact Sales |
| Ultra Electronics AEP | Keyper | AEP Keyper |
| Yubico | YubiHSM 2 | YubiHSM 2 |
For more information, visit here: https://doc.primekey.com/ejbca/ejbca-introduction/interoperability-and-certifications
