EJBCA SaaS is available in different sizes and contract options to meet customer needs and allow you to scale as you grow. 

Contract Options Overview

The following provides a contract option and size comparison overview.

Abbreviations:

  • AKV = Azure Key Vault
  • CloudHSM = AWS PKCS11 CloudHSM
  • KMS = AWS Key Management Service
  • MHSM = Azure Key Vault Managed HSM


Large and Extra Large: Available Upon Request.

| EJBCA SaaS | Extra Small | Small | Medium |
|---|---|---|---|
| Use case | SMB production; Enterprise Test/Lab environments | Small production workloads; Enterprise IT workloads | Typical production workloads; Manufacturing; Large Enterprise IT workloads |
| Service Level Agreement | | | |
| Service Level Agreement (SLA) | 99% | 99.95% | 99.95% |
| Certificate capacity | 10 K | 250 K | 2.5 M |
| Certificate performance capacity with KMS or AKV* | 10 Certificates per second | 25 Certificates per second | 80 Certificates per second |
| Certificate performance capacity with CloudHSM or MHSM* | 25 Certificates per second | 50 Certificates per second | 125 Certificates per second |
| OCSP performance capacity with KMS or AKV* | 25 OCSP responses per second | 50 OCSP responses per second | 100 OCSP responses per second |
| OCSP performance capacity with CloudHSM or MHSM* | 50 OCSP responses per second | 100 OCSP responses per second | 150 OCSP responses per second |
| On demand performance and capacity upgrades | ✓ | ✓ | ✓ |
| Geographic availability | 1 Region - US or EU or AP; 1 Availability zone | 1 Region - US or EU or AP; 2 Availability zones | 1 Region - US or EU or AP; 2 Availability zones |
| HSM | AWS KMS; AWS CloudHSM; Azure Key Vault; Azure Key Vault Managed HSM | AWS KMS; AWS CloudHSM; Azure Key Vault; Azure Key Vault Managed HSM | AWS KMS; AWS CloudHSM; Azure Key Vault; Azure Key Vault Managed HSM |
| CP/CPS templates | ✓ | ✓ | ✓ |
| Dedicated offline root EJBCA Instance | ✓ | ✓ | ✓ |
| Fully controlled, self service root CA | ✓ | ✓ | ✓ |
| Custom user configurable domain name | ✓ | ✓ | ✓ |
| Dedicated, load balanced Issuing Instances | ✓ | ✓ | ✓ |
| Fully controlled, self service keystore and truststore changes | ✓ | ✓ | ✓ |
| Full EJBCA administrator access | ✓ | ✓ | ✓ |
| Fully controlled, self service source IP access to PKI | ✓ | ✓ | ✓ |
| Fully controlled, self service syslog export to external servers | ✓ | ✓ | ✓ |
| On Command Provisioning** | ✓ | ✓ | ✓ |
| PKI intelligence dashboard | ✓ | ✓ | ✓ |
| 2 Factor Authentication | ✓ | ✓ | ✓ |
| Key Recovery | ✓ (CloudHSM, AKV, or MHSM Only) | ✓ (CloudHSM, AKV, or MHSM Only) | ✓ (CloudHSM, AKV, or MHSM Only) |
| Protocols & APIs | | | |
| SCEP | ✓ (CloudHSM, AKV, or MHSM Only) | ✓ (CloudHSM, AKV, or MHSM Only) | ✓ (CloudHSM, AKV, or MHSM Only) |
| CMP | ✓ | ✓ | ✓ |
| EST | ✓ | ✓ | ✓ |
| ACME | ✓ | ✓ | ✓ |
| WebServices API | ✓ | ✓ | ✓ |
| REST API | ✓ | ✓ | ✓ |
| Integration | | | |
| Microsoft Intune Integration | ✓ (CloudHSM, AKV, or MHSM Only) | ✓ (CloudHSM, AKV, or MHSM Only) | ✓ (CloudHSM, AKV, or MHSM Only) |
| Hashicorp Vault Integration | ✓ | ✓ | ✓ |
| Microsoft Windows Autoenrollment integration | ✓ | ✓ | ✓ |
| Upcoming Features | | | |
| Free Extra Small (non-production) instance of EJBCA included | N/A | N/A | Available Upon Request |
| Upgrade scheduler | Coming Soon | Coming Soon | Coming Soon |

*Certificate generation performance limited by latency and connectivity to the EJBCA SaaS platform.

**On Command Provisioning means that everything is uniquely configured for you upon startup without any pre-provisioned infrastructure.

Notes on AWS Key Management Service (KMS)

AWS KMS supports two different asymmetric key types: encryption keys and signing keys. However, AWS KMS does not support a key that has both functions at the same time. For more information, refer to the AWS documentation on Selecting the key usage. Because of this design decision, the following functions within EJBCA cannot be used with AWS KMS:

  • SCEP: Per the RFC, SCEP uses the CA's private key to encrypt the SCEP message. Since a key cannot be both an encryption key and a signing key at the same time, the signing key type must be chosen to ensure that the CA can sign certificates and CRLs. For more information on SCEP, see the EJBCA Documentation on SCEP.
  • Key Recovery: EJBCA uses the CA's keyEncryptKey, an RSA key used to wrap/unwrap keys in a CMS structure (RFC 5652) for stored key recovery data. Currently, using KMS asymmetric keys for decryption does not work with EJBCA. For more information on Key Recovery, see the EJBCA Documentation on Key Recovery.

Any features that use an encryption key usage (such as Microsoft Intune, SCEP, or Key Recovery) will not work with AWS KMS-based solutions. If these features are needed, please pick AWS CloudHSM, Azure Key Vault, or Azure Key Vault Managed HSM-backed solutions.