Ensures the highest quality of PKI implementation

EJBCA covers all your needs - from certificate management, registration and enrollment to certificate validation

EJBCA is one of the longest running CA software projects, providing time-proven robustness and reliability. EJBCA is platform independent, and easily scalable to match the needs of your PKI requirements, whether you are setting up a national eID, securing your industrial IOT platform or managing your own internal PKI.

EJBCA is a free software public key infrastructure (PKI) certificate authority software package maintained and sponsored by PrimeKey Solutions AB.

EJBCA allows implementation and management of Public Key Infrastructure that provides certificate lifecycle management (request, creation, renewal, revocation). It allows defining a root certification authority, subordinate certification and registration authorities.

EJBCA issues encryption, authentication or signature certificates for various purposes, like:

  • Strong authentication for users accessing your intranet/extranet/internet resources;
  • Secure communication with SSL servers and SSL clients;
  • Smart card logon to Windows and/or Linux;
  • Signing and encrypting email;
  • VPN connections by issuing certificates to your VPN routers such as OpenVPN, Cisco, Juniper etc.;
  • Single sign-on by using a single certificate to secure logon to Web applications;
  • Creating signed documents;

EJBCA Design and Architecture

The system is developed in Java EE and designed to be platform independent. EJBCA implements Public Key Infrastructure (PKI) according to standards such as X.509, IETF-PKIX and CVC BSI TR-03110.

EJBCA PKI Architecture
Figure:  1 - EJBCA Architecture

The EJBCA component consists of a set of Java classes that provide such functionalities as:

  • Create digital certificates and CRLs;
  • OCSP support;
  • Certificate Authority management;
  • Key recovery;
  • Profile management;
  • User registration and management;
  • Certificate and CRL publishing;
  • Certificate and CRL retrieval;
  • Backup of Certificate data.

Certificate Lifecycle Management

EJBCA provides full capabilities for managing your certificate lifecycles using powerful and easily configurable profiles, automated validation of submitted cryptographic keys, and enrollment through Registration Authority UI.

EJBCA provides easy to use tools to allow administrators to easily revoke and renew certificates, ensuring that lost keys are immediately contained and that organization suffers no downtime.

EJBCA supports many common PKI architectures such as all in a single server, distributed RAs and external validation authority. The following are the key design components of the EJBCA:

  • Multiple CA Instances

EJBCA supports running unlimited number of CAs and levels of CAs in a single installation. Build a complete infrastructure, or several, within one instance of EJBCA.

EJBCA PKI Multiple CA Instances
Figure:  2 - Multiple CA Instances

  • Registration Authority

The EJBCA software includes a separate registration authority (RA) front end that can run on the same instance as the CA or distributed as external RAs.

Single CA/RA

A complete PKI can be deployed in a single instance. Since EJBCA has everything built-in there can be a single instance functioning as both CA and RA. This is a very efficient, easy to manage, and cost effective solution that is suitable for many SME enterprise deployments.

Figure:  3 - Single CA/RA

CA with Distributed RAs

To set up a PKI capable of enrolling a diverse set of users and devices, it is usually necessary introduce multiple types of RAs, for different purposes. Using EJBCA, one can connect an unlimited number of distributed RAs, communicating with the CA using standard protocols like CMP, SCEP and Web service.

EJBCA PKI CA with Distributed RAs
Figure:  4 - CA with Distributed RAs

CA with External RAs

Using this architecture an external RA server receives certificate (and revocation) requests, which are stored in a separate database. The request are periodically pulled by the CA and responses returned to the External RA database where they are picked up by the external RA server. No incoming network traffic is allowed from the CA, only outgoing connections are allowed through the CA firewall for polling.

EJBCA PKI CA with external RAs
Figure:  5 - CA with External RAs (This is an EJBCA Enterprise feature)

  • Certificate Validation

For certificate validation, there is the choice of using X.509 CRLs and OCSP. EJBCA has built-in Validation Authority as well as separate Validation Authority. Using a separate Validation Authority, one can serve multiple PKIs from a single VA.

EJBCA PKI Validation Authority
Figure:  6 - Validation Authority


Multiple Algorithms

RSA, ECDSA and DSA, SHA-1 and SHA-2. Compliant with the standards.

Different certificate formats

EJBCA support both X.509v3 certificates and Card Verifiable certificates (CVC BSI TR-03110). Certificates are compliant with all standards such as RFC5280, CA/Browser Forum, eIDAS, ICAO 9303, etc.

Standard Certificate Enrollment Protocols

EJBCA is designed with integration in mind. The standard protocols supported are

  • Certificate Management Protocol (CMP)
  • Enrollment over Secure Transport (EST)
  • Simple Certificate Enrollment Protocol (SCEP)
  • Automatic Certificate Management Environment (ACME)

EJBCA Integration

EJBCA supports integration with various third-party applications and Hardware Security Modules (HSMs).

  • Third-Party Applications
  • USB Tokens and Smart Cards
  • Card Management Systems (CMS)
  • Hardware Security Modules (HSMs)
  • Certificate Auto-Enrollment (example, EverTrust TAP)




  • 1-Hour Free Webinar
  • SCHEDULE: As per your availability
  • **Sessions will be conducted through Microsoft Teams



For further information, please contact us at sales@rn-trust.com, call +800-RNTrust (7687878) or whatsapp +971588831955.