The following provides an overview of EJBCA’s capabilities and support, with relevant links to documentation and external standards.
Specifications #
Certificate Formats and Standards #
EJBCA supports the following formats and standards.
| Supported Standard | External Reference | Documentation |
|---|---|---|
| X.509 and PKIX | RFC 5280 | Certificate Authority Overview |
| Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs | BSI TR-03110 | CVC CA |
| Qualified Certificate Statement for issuing EU/ETSI qualified certificates | RFC 3739 | Certificate Profile Fields |
| Certificate Transparency | RFC 6962 | Certificate Transparency |
| DNS Certificate Authority Authorization (CAA) | RFC 6844 (obsoleted by RFC 8659) | Certificate Field Validators |
| eIDAS | Regulation (EU) No 910/2014, EN 319 411, EN 319 412 | Certificate Profile Fields |
| PSD2 | ETSI TS 119 495 | Certificate Profile Fields |
| FIPS 201-2 (PIV) compliant certificates, including the FASC-N subjectAltName | FIPS 201-2 | End Entity Profile Fields |
| PEM: Textual Encodings of PKIX, PKCS, and CMS Structures | RFC 7468 | |
| PKCS#10: Certification Request Syntax | RFC 2986 | |
| PKCS#7: Cryptographic Message Syntax | RFC 5652 | |
| PKCS#12: Personal Information Exchange Syntax | RFC 7292 | |
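The CAA row above is the one entry in this table that is a decision procedure rather than an encoding, so here is an added worked example of it. This is illustrative code, not EJBCA's Certificate Field Validator: it applies the RFC 8659 rules (the successor to the RFC 6844 cited above) to an in-memory, constructed set of CAA records instead of querying DNS, and it does not follow CNAME or DNAME aliases. The zone contents, the CA issuer domain `ca.example.net`, and the function names are assumptions made for the example.

```python
"""CAA issuance check (RFC 8659 semantics) against constructed DNS data.

Added example, not EJBCA code. Decides whether a CA identified by its
issuer domain may issue for a given FQDN. The ZONE table below is
constructed for the example; no DNS lookups are performed.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80  # flag bit: an unknown tag with this bit set forbids issuance
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone: FQDN -> CAA records present at exactly that name.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca.example.net"),
        CAARecord(0, "issuewild", ";"),  # no CA may issue wildcard certs
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],  # no CA may issue at all
    "open.example.com": [CAARecord(0, "iodef", "mailto:security@example.com")],
    "strict.example.com": [CAARecord(ISSUER_CRITICAL, "futuretag", "x")],
}


def relevant_rrset(fqdn, zone):
    """Climb from the name towards the root; return the first non-empty CAA RRset.

    A wildcard name "*.example.com" is tried literally first, then its parents.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Extract the issuer domain from an issue/issuewild value.

    Parameters after ';' are ignored here; an empty domain means 'nobody'.
    """
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, ca_domain, zone):
    """Return True if a CA with issuer domain ca_domain may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted

    # An unrecognised property with the critical flag set must deny issuance.
    for rec in rrset:
        if rec.tag.lower() not in KNOWN_TAGS and rec.flags & ISSUER_CRITICAL:
            return False

    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]

    # Wildcard names are governed by issuewild when any such record exists,
    # otherwise by issue. Non-wildcard names are governed by issue only.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # CAA present, but nothing restricts this kind of name

    ca = ca_domain.strip().lower()
    return any(issuer_domain(r.value) == ca for r in applicable)


if __name__ == "__main__":
    for name in ("www.example.com", "*.example.com", "locked.example.com",
                 "open.example.com", "strict.example.com", "unrelated.org"):
        print(f"{name:22} ca.example.net -> {caa_permits(name, 'ca.example.net', ZONE)}")
```

Note the two failure modes a validator must get right: an `issue ";"` record (empty issuer) denies every CA even though a record is present, and an unknown tag with the critical flag set denies issuance regardless of any matching `issue` record. A validator that only looks for "is my domain listed" passes both cases incorrectly.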
CRL, OCSP and Certificate Distribution #
EJBCA supports the following revocation and distribution formats and standards.

| Supported Standard | External Reference | Documentation |
|---|---|---|
| CRL creation and URL-based CRL Distribution Points | RFC 5280 | CRL Generation |
| Online Certificate Status Protocol (OCSP), including the AIA extension, the nonce extension and the must-staple (TLS Feature) extension | RFC 6960 (obsoletes RFC 2560), RFC 5019, RFC 8954, RFC 7633 | OCSP |
| Certificate Store: distribution of CA certificates and CRLs over HTTP | RFC 4387 | Certificate and CRL Access over HTTP |
| The German Common PKI SigG CertHash OCSP extension | Common PKI | OCSP |
| LDAP certificate publishing | RFC 4523 | LDAP Publisher / LDAP Search Publisher |
| SCP publishing | | SCP Publisher |
Algorithms and Key Types #
EJBCA supports the following algorithm types and key sizes/curves. When using HSMs, support is limited to the subset offered by the PKCS#11 provider and the specific HSM in use. Note that 1024-bit DSA no longer meets NIST SP 800-131A requirements for generating new signatures; it is listed for compatibility with existing deployments.

| Algorithm | Key Size/Curve | External Reference | Documentation |
|---|---|---|---|
| RSA | Keys up to and including 8192 bits | RFC 8017 | |
| DSA | Keys up to and including 1024 bits | FIPS 186-4 | |
| ECDSA | Named curves from NIST, SEC, TeleTrusT (Brainpool) and X9.62 | FIPS 186-4 | ECDSA Keys and Signatures |
| EdDSA | Ed25519, Ed448 | RFC 8032, RFC 8410 | EdDSA Keys and Signatures |
| GOST | GostR3410-2001-CryptoPro-A / GostR3410-2001-CryptoPro-XchA, GostR3410-2001-CryptoPro-B, GostR3410-2001-CryptoPro-C / GostR3410-2001-CryptoPro-XchB, Tc26-Gost-3410-12-256-paramSetA, Tc26-Gost-3410-12-512-paramSetA, Tc26-Gost-3410-12-512-paramSetB, Tc26-Gost-3410-12-512-paramSetC | | |
Certificate Enrollment Protocols #
For the specific features supported in each protocol, see the detailed documentation.

| Protocol / Interface | External Reference | Documentation |
|---|---|---|
| EJBCA Web Service (SOAP) API | | Web Service Interface |
| EJBCA REST Certificate Management API | | EJBCA REST Interface |
| Simple Certificate Enrollment Protocol (SCEP) | SCEP draft 23 (later published as RFC 8894) | SCEP |
| X.509 Public Key Infrastructure Certificate Management Protocol (CMP) | RFC 4210 | CMP |
| 3GPP (LTE/4G) compatible PKI using CMPv2 with multiple vendor CAs and vendor-certificate authentication | ETSI/3GPP | CMP |
| X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) | RFC 4211 | |
| Enrollment over Secure Transport (EST) | RFC 7030 | EST |
| Automatic Certificate Management Environment (ACME) | RFC 8555 | ACME |
| Microsoft auto-enrollment integration | | Auto-enrollment |
| Legacy native auto-enrollment in Windows environments with the add-on auto-enrollment proxy module | | Auto-enrollment (legacy) |
Certifications #
The following certifications have been obtained.

| Type | Version | External Reference | Documentation |
|---|---|---|---|
| Common Criteria: Certificate Issuing and Management Components (CIMC) Protection Profile Version 1.0, EAL4+ | EJBCA 5.0.4 | Certification | Common Criteria |
| Common Criteria: Protection Profile for Certification Authorities Version 2.1 | EJBCA 7.4.1.1 | Certification | Common Criteria |
Interoperability #
Hardware Security Modules #
The following lists supported Hardware Security Modules (HSMs).

| Vendor | Model | Documentation |
|---|---|---|
| Generic PKCS#11 Provider | Generic PKCS#11 Provider | |
| ARX | CoSign | ARX CoSign |
| AWS CloudHSM | CloudHSM | EJBCA Cloud AWS |
| AWS Key Management Service | KMS | EJBCA Cloud AWS |
| Azure Key Vault | Key Vault | EJBCA Cloud Azure |
| Bull | Trustway PCI and Proteccio | Bull Trustway PCI Crypto Card, Bull Trustway Proteccio |
| CardContact | SmartCard-HSM | SmartCard-HSM |
| i4p | Trident HSM | Trident HSM |
| nCipher | nShield/netHSM | nCipher nShield/netHSM |
| NitroKey | NitroKey HSM | Nitrokey HSM |
| SoftHSM | SoftHSMv2 | SoftHSM |
| Thales | Thales Data Protection on Demand (DPoD) | Thales DPoD |
| Thales | Thales Luna HSM | Thales Luna HSM |
| Thales | ProtectServer | Thales ProtectServer |
| Thales TCT | Luna SA HSM | Thales TCT Luna SA |
| Utimaco | CryptoServer | Utimaco CryptoServer |
| Utimaco | CryptoServer CP5 | Contact Sales |
| Ultra Electronics AEP | Keyper | AEP Keyper |
| Yubico | YubiHSM 2 | YubiHSM 2 |
For more information, see https://doc.primekey.com/ejbca/ejbca-introduction/interoperability-and-certifications

