EJBCA – Interoperability and Certifications

The following provides an overview of EJBCA’s capabilities and support, with relevant links to documentation and external standards.

## Specifications

### Certificate Formats and Standards

EJBCA supports the following formats and standards.

| Supported Standard | External Reference | Documentation |
| --- | --- | --- |
| X.509 and PKIX | RFC 5280 | Certificate Authority Overview |
| Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs | BSI TR-03110 | CVC CA |
| Qualified Certificate Statement for issuing EU/ETSI qualified certificates | RFC 3739 | Certificate Profile Fields |
| Certificate Transparency | RFC 6962 | Certificate Transparency |
| DNS Certificate Authority Authorization (CAA) | RFC 6844 | Certificate Field Validators |
| eIDAS | Regulation (EU) No 910/2014, EN 319 411, EN 319 412 | Certificate Profile Fields |
| PSD2 | ETSI TS 119 495 | Certificate Profile Fields |
| FIPS 201-2 (PIV) compliant certificates, including FASC-N subjectAltName | FIPS 201-2 | End Entity Profiles Fields |
| PEM: Textual Encodings of PKIX, PKCS, and CMS Structures | RFC 7468 | |
| PKCS#10: Certification Request Syntax | RFC 2986 | |
| PKCS#7: Cryptographic Message Syntax | RFC 5652 | |
| PKCS#12: Personal Information Exchange Syntax | RFC 7292 | |

### CRL, OCSP and Certificate Distribution

EJBCA supports the following CRL, OCSP and certificate distribution formats and standards.

| Supported Standard | External Reference | Documentation |
| --- | --- | --- |
| CRL creation and URL-based CRL Distribution Points | RFC 5280 | CRL Generation |
| Online Certificate Status Protocol (OCSP), including the AIA extension and the must-staple extension | RFC 2560, RFC 6960, RFC 5019 and RFC 8964 | OCSP |
| Certificate Store, distribution of CA certificates and CRLs over HTTP | RFC 4387 | Certificate and CRL Access over HTTP |
| The German Common PKI SigG CertHash OCSP extension | Common PKI | OCSP |
| LDAP Certificate Publishing | RFC 4523 | LDAP Publisher/LDAP Search Publisher |
| SCP Publishing | | SCP Publisher |

### Algorithms and Key Types

EJBCA supports the following algorithm types and key sizes/curves. When using HSMs, support is limited to the subset offered by the PKCS#11 provider and the specific HSM used.

| Algorithm | Key Size/Curve | External Reference | Documentation |
| --- | --- | --- | --- |
| RSA | Keys up to and including 8192 bits | | |
| DSA | Keys up to and including 1024 bits | | |
| ECDSA | Curves including named curves from NIST, SEC, TeleTrusT, and X9.62 | | ECDSA Keys and Signatures |
| EdDSA | Ed25519, Ed448 | RFC 8032, RFC 8410 | EdDSA Keys and Signatures |
| GOST | GostR3410-2001-CryptoPro-A/GostR3410-2001-CryptoPro-XchA, GostR3410-2001-CryptoPro-B, GostR3410-2001-CryptoPro-C/GostR3410-2001-CryptoPro-XchB, Tc26-Gost-3410-12-256-paramSetA, Tc26-Gost-3410-12-512-paramSetA, Tc26-Gost-3410-12-512-paramSetB, Tc26-Gost-3410-12-512-paramSetC | | |

### Certificate Enrollment Protocols

For the specific features supported in each protocol, see the detailed documentation.

| Protocol / Interface | External Reference | Documentation |
| --- | --- | --- |
| EJBCA WS SOAP API | | Web Service Interface |
| EJBCA REST Certificate Management API | | EJBCA REST Interface |
| Simple Certificate Enrollment Protocol (SCEP) | SCEP draft 23 | SCEP |
| X.509 Public Key Infrastructure Certificate Management Protocol (CMP) | RFC 4210 | CMP |
| 3GPP (i.e. LTE/4G) compatible PKI, using CMPv2 with multiple vendor CAs and vendor certificate authentication | ETSI-3GPP | CMP |
| X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) | RFC 4211 | |
| Enrollment over Secure Transport (EST) | RFC 7030 | EST |
| Automatic Certificate Management Environment (ACME) | RFC 8555 | ACME |
| Microsoft Auto-enrollment Integration | | Auto-enrollment |
| Legacy native auto-enrollment in Windows environments with the add-on auto-enrollment proxy module | | Auto-enrollment (legacy) |

### Certifications

The following lists EJBCA certifications.

| Type | Version | External Reference | Documentation |
| --- | --- | --- | --- |
| Common Criteria: Issuing and Management Components (CIMC) Version 1.0, EAL4+ | EJBCA 5.0.4 | Certification | Common Criteria |
| Common Criteria: Protection Profile for Certification Authorities Version 2.1 | EJBCA 7.4.1.1 | Certification | Common Criteria |

## Interoperability

### Hardware Security Modules

The following lists supported Hardware Security Modules (HSMs).

| Vendor | Model | Documentation |
| --- | --- | --- |
| Generic | PKCS#11 Provider | Generic PKCS#11 Provider |
| ARX | CoSign | ARX CoSign |
| AWS | CloudHSM | CloudHSM, EJBCA Cloud AWS |
| AWS | Key Management Service (KMS) | EJBCA Cloud AWS |
| Azure | Key Vault | Key Vault, EJBCA Cloud Azure |
| Bull | Trustway PCI and Proteccio | Bull Trustway PCI Crypto Card, Bull Trustway Proteccio |
| CardContact | SmartCard-HSM | SmartCard-HSM |
| i4p | Trident HSM | Trident HSM |
| nCipher | nShield/netHSM | nCipher nShield/netHSM |
| NitroKey | NitroKey HSM | Nitrokey HSM |
| SoftHSM | SoftHSMv2 | SoftHSM |
| Thales | Thales Data Protection on Demand (DPoD) | Thales DPoD |
| Thales | Thales Luna HSM | Thales Luna HSM |
| Thales | ProtectServer | Thales ProtectServer |
| Thales TCT | Luna SA HSM | Thales TCT Luna SA |
| Utimaco | CryptoServer | Utimaco CryptoServer |
| Utimaco | CryptoServer CP5 | Contact Sales |
| Ultra Electronics | AEP Keyper | AEP Keyper |
| Yubico | YubiHSM 2 | YubiHSM 2 |

For more information, see https://doc.primekey.com/ejbca/ejbca-introduction/interoperability-and-certifications
