Keyfactor EJBCA Hardware Appliance offers the complete feature set needed to operate a comprehensive, highly available PKI. It is based on Keyfactor EJBCA Enterprise, with easy-to-use management functions, high-performance hardware and a built-in FIPS 140-2 Level 3, certified Hardware Security Module (HSM).

Depending on your requirements, we offer different Hardware Appliance models to address your needs.

Hardware Appliance Models

All models include EJBCA Enterprise with a core library for Certificate Authority (CA), Registration Authority (RA), and Validation Authority (VA) functionality capable of hosting an unlimited number of CAs.

Extra Small (XS)

Model Extra Small is the smallest Hardware Appliance with support for up to 10 thousand active certificates. This model is ideal for an offline Root CA in a PKI deployment.

The model Extra Small includes an entry-level performance Hardware Security Module (HSM). If standard or high-speed performance is required, refer to the models Medium, Large, or Extra Large, see the Model Comparison Overview below.

Small (S)

This is your PKI start environment - EJBCA with everything you need. The Small model supports the operation of multiple, independent PKI hierarchies with one installation. In addition, this model includes Registration Authority (RA) functionality and highly flexible integration interfaces based on web services, REST API, and support for ACME, CMP v2 RFC 4210, SCEP, and EST. This model supports up to 100 thousand active certificates. Many customers are utilizing the Small model for test or lab environments.

The model Small includes an entry-level performance Hardware Security Module (HSM). If standard or high-speed performance is required, refer to the models Medium, Large, or Extra Large, see the Model Comparison Overview below.

Medium (M)

Model Medium is the right choice if you already know that you need more certificates and better certificate issuing performance. This model supports up to 500 thousand active certificates.

The model Medium includes a standard performance Hardware Security Module (HSM). If high-speed performance is required, refer to the models Large or Extra Large, see the Model Comparison Overview below.

Large (L)

Model Large has an increased certificate issuing performance and can manage even more certificates. If you have one or a couple of use cases that require a high number of certificates, and you soon expect to add additional use cases on top, then you should choose this model. Model Large supports up to 1 million active certificates.

Extra Large (XL)

Model XL is suited for extremely large PKI deployments with the need for more than 100 million certificates. It has the same certificate issuing performance as model Large, but supports up to 2,5 million active certificates and has upgraded storage.

Validation Authority (VA) Appliance

Validation Authority (VA) Hardware Appliance is a standalone, turn-key solution that brings all components needed to deploy and operate a Validation Authority (VA). It includes a complete OCSP responder, serving an unlimited number of Certification Authorities (CAs), and a CRL and CA certificate download service and an integrated HSM. The VA Hardware Appliance is available as a standard level performance model and as a high-speed performance model. 

Registration Authority (RA) Appliance

Registration Authority (RA) Hardware Appliance model is a standalone toolbox that provides for enrollment of certificates for people, software, or things. It is often desirable to physically separate CA and RA, allowing the CA to reside in a secure environment with minimal access, while the RA can reside in a DMZ or even publicly. The standalone RA Hardware Appliance enables an additional layer of security around the CA. 

Model Comparison Overview

The following provides a model comparison overview.

EJBCA Hardware ApplianceExtra SmallSmallMediumLargeExtra LargeVA StandardVA High-speedRA
Software stack: EJBCA Enterprise & PrimeKey Secure Linux (Prime LFS)(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
Protocols & API’s
Certificate Validation (OCSP/CRL)CRL(tick)(tick)(tick)(tick)(tick)(tick)




WebServices API


Key Features
Certificate Capacity
(Active Certificates)*
Up to 10 KUp to 100 KUp to 500 KUp to 1 MUp to 2,5 MNANANA
Secure & Automated Backup Mechanism(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
2 Factor Authentication(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
FIPS 140-2 Level 3 validated HSM inside(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
Entry-level performance HSM inside(tick)(tick)

Standard performance HSM inside



High-speed performance HSM inside

Dedicated Mng & App Interfaces(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
SNMP, Syslog, Audit Log(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
PIN Pad Reader11111111
External Battery Adapter**(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
Performance (operations/sec)***

Certificate issuance (Audit log on / Audit log off)

OCSP Performance

RSA 1024 SHA 1 with RSA5/305/3024/10942/18642/186450634

RSA 2048 SHA 256 with RSA1/101/1023/7941/18841/18880607
RSA 4096 SHA 512 with RSA0,5/0,50,5/0,59/1139/15939/15911154
EC secp256r1 SHA256withECDSA5/435/4323/11041/18041/180490554
EC secp384r1 SHA384withECDSA4/214/2123/10740/17640/176380470
EC secp521r1 SHA512withECDSA3/93/923/8940/17040/170190334

For testing purposes, it is possible to run CA, VA, and RA on one single instance of the Hardware Appliance.

*Based on EJBCA Version 7.3.x, audit log on, typical key sizes (RSA 3072 SHA 384 with RSA), typical subject DN length: 100 characters. Synthetic benchmark with a certificate revoked once a second and no further system usage. Active Certificates: The number of Active certificates, where Active Certificates is the number of Issued Certificates that are not Revoked and not Expired.

**External Battery Adapter must be provided with a battery (battery is not included) and put into immediate operation! This is absolutely necessary to support the internal battery of the HSM, even if the Hardware Appliance has not yet been put into operation or has been switched off again! 

***The Performance overview shows the certificate issuance performance (certificates per second) with the Audit log enabled versus the Audit log disabled.