Model Specifications

PrimeKey EJBCA Hardware Appliance offers the complete feature set needed to operate a comprehensive, highly available PKI. It is based on PrimeKey EJBCA Enterprise, with easy-to-use management functions, high-performance hardware and a built-in FIPS 140-2 Level 3, certified Hardware Security Module (HSM).

Depending on your requirements, we offer different Hardware Appliance models to address your needs.

Hardware Appliance Models

All models include EJBCA Enterprise with a core library for Certificate Authority (CA), Registration Authority (RA), and Validation Authority (VA) functionality capable of hosting an unlimited number of CAs.

Extra Small (XS)

Model Extra Small is the smallest Hardware Appliance with support for up to 1,000 certificates. This model is ideal for an offline Root CA in a PKI deployment.

The model Extra Small includes an entry-level performance Hardware Security Module (HSM). If standard or high-speed performance is required, refer to the models Medium, Large, or Extra Large, see the Model Comparison Overview below.

Small (S)

This is your PKI start environment - EJBCA with everything you need. The Small model supports the operation of multiple, independent PKI hierarchies with one installation. In addition, this model includes Registration Authority (RA) functionality and highly flexible integration interfaces based on web services, REST API, and support for ACME, CMP v2 RFC 4210, SCEP, and EST. This model supports up to 1 M certificates. Many customers are utilizing the Small model for test or lab environments.

The model Small includes an entry-level performance Hardware Security Module (HSM). If standard or high-speed performance is required, refer to the models Medium, Large, or Extra Large, see the Model Comparison Overview below.

Medium (M)

Model Medium is the right choice if you already know that you need more certificates and better certificate issuing performance. This model supports up to 15 million certificates.

The model Medium includes a standard performance Hardware Security Module (HSM). If high-speed performance is required, refer to the models Large or Extra Large, see the Model Comparison Overview below.

Large (L)

Model Large has an increased certificate issuing performance and can manage even more certificates. If you have one or a couple of use cases that require a high number of certificates, and you soon expect to add additional use cases on top, then you should choose this model. This model supports up to 60 million certificates.

Extra Large (XL)

Model XL is suited for extremely large PKI deployments with the need for more than 100 million certificates. It has the same certificate issuing performance as model Large, but supports up to 160 million certificates and has upgraded storage.

Validation Authority (VA) Appliance

Validation Authority (VA) Hardware Appliance is a standalone, turn-key solution that brings all components needed to deploy and operate a Validation Authority (VA). It includes a complete OCSP responder, serving an unlimited number of Certification Authorities (CAs), and a CRL and CA certificate download service and an integrated HSM. The VA Hardware Appliance is available as a standard level performance model and as a high-speed performance model. 

Registration Authority (RA) Appliance

Registration Authority (RA) Hardware Appliance model is a standalone toolbox that provides for enrollment of certificates for people, software, or things.  It is often desirable to physically separate CA and RA, allowing the CA to reside in a secure environment with minimal access, while the RA can reside in a DMZ or even publicly. The standalone RA Hardware Appliance enables an additional layer of security around the CA. 

Model Comparison Overview

The following provides a model comparison overview.

EJBCA Hardware ApplianceExtra SmallSmallMediumLargeExtra LargeVA StandardVA High-speedRA
Software stack: EJBCA Enterprise & PrimeKey Secure Linux (Prime LFS)(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
Protocols & API’s
Certificate Validation (OCSP/CRL)CRLCRL(tick)(tick)(tick)(tick)(tick)




WebServices API


Key Features
Certificate Capacity *Up to 1 KUp to 1 MUp to 15 MUp to 60 MUp to 160 MNANANA
Secure & Automated Backup Mechanism(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
2 Factor Authentication(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
FIPS 140-2 Level 3 validated HSM inside(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
Entry-level performance HSM inside(tick)(tick)

Standard performance HSM inside



High-speed performance HSM inside

Dedicated Mng & App Interfaces(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
SNMP, Syslog, Audit Log(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
SmartCardsNot included10101010101010
PinPad ReaderNot included1111111
External Battery adapter(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)

For testing purposes, it is possible to run CA, VA, and RA on one single instance of the Hardware Appliance.

*Based on EJBCA Version 7.3.x, audit log on, typical key sizes (RSA 3072 SHA 384 with RSA), typical subject DN length: 100 characters. Synthetic benchmark with a certificate revoked once a second and no further system usage.