This guide shows an administrator of an EJBCA AWS instance how to integrate with AWS Key Management Service (KMS).

These directions are also supported on any EJBCA Enterprise installation as of version EJBCA 7.4.0.


AWS KMS supports two different asymmetric key types: encryption keys and signing keys. AWS KMS does however not support keys having both functionality at the same time. For more information, refer to the AWS documentation on Selecting the key usage. Due to this design decision, the following functions within EJBCA cannot be used when using AWS KMS:

  • SCEP: Per the RFC, SCEP uses the CAs private key to encrypt the SCEP message. Since there is no way to have a key be an encrypt key and a signing key at the same time, the signing key type must be chosen to ensure that the CA can sign certificates and CRLS. For more information on SCEP, see the EJBCA Documentation on SCEP.
  • Key Recovery: EJBCA uses the CAs keyEncryptKey which is an RSA key used to wrap/unwrap keys in a CMS structure (RFC 5652) for stored key recovery data. Currently, using KMS asymmetric keys for decryption does not work with EJBCA. For more information on Key Recovery, see the EJBCA Documentation on Key Recovery.

If you do not plan on using SCEP or Key Recovery within EJBCA, these limitations do not affect you and your CA will function as expected.