Contract Subscription Options
EJBCA SaaS is available in different sizes and contract options to meet customer needs and allow you to scale as you grow.
Contract Options Overview
The following provides a contract option and size comparison overview.
Abbreviations:
- AKV = Azure Key Vault
- CloudHSM = AWS PKCS11 CloudHSM
- KMS = AWS Key Management Service
- MHSM = Azure Key Vault Managed HSM
To view the table in full screen, click the expand icon 
below.
| EJBCA SaaS | Extra Small | Small | Medium | Large | Extra Large |
|---|---|---|---|---|---|
| Use case |
|
|
| Available Upon Request | Available Upon Request |
| Service Level Agreement | |||||
| Service Level Agreement (SLA) | 99% | 99.95% | 99.95% | ||
| Key Features | |||||
| Certificate capacity | 10 K | 250 K | 2.5 M | ||
| Certificate performance capacity with KMS or AKV* | 10 Certificates per second | 25 Certificates per second | 80 Certificates per second | ||
| Certificate performance capacity with CloudHSM or MHSM* | 25 Certificates per second | 50 Certificates per second | 125 Certificates per second | ||
| OCSP performance capacity with KMS or AKV* | 25 OCSP responses per second | 50 OCSP responses per second | 100 OCSP responses per second | ||
| OCSP performance capacity with CloudHSM or MHSM* | 50 OCSP responses per second | 100 OCSP responses per second | 150 OCSP responses per second | ||
| On demand performance and capacity upgrades |  | | | ||
| Geographic availability |
|
|
| ||
| HSM |
|
|
| ||
| CP/CPS templates | | | | ||
| Dedicated offline root EJBCA Instance | | | | ||
| Fully controlled, self service root CA | | | | ||
| Custom user configurable domain name | | | | ||
| Dedicated, load balanced Issuing Instances | | | | ||
| Fully controlled, self service keystore and truststore changes | | | | ||
| Full EJBCA administrator access | | | | ||
| Fully controlled, self service source IP access to PKI | | | | ||
| Fully controlled, self service syslog export to external servers | | | | ||
| On Command Provisioning** | | | | ||
| PKI intelligence dashboard | | | | ||
| 2 Factor Authentication |
|
|
| ||
| Key Recovery | CloudHSM, AKV, or MHSM only | CloudHSM, AKV, or MHSM only | CloudHSM, AKV, or MHSM only | ||
| Protocols & APIs | |||||
| SCEP | CloudHSM, AKV, or MHSM only |
|
| ||
| CMP | | | | ||
| EST | | | | ||
| ACME | | | | ||
| WebServices API | | | | ||
| REST API | | | | ||
| Integration | |||||
| Microsoft Intune Integration | CloudHSM, AKV, or MHSM only | CloudHSM, AKV, or MHSM only | CloudHSM, AKV, or MHSM only | ||
Hashicorp Vault Integration | | | | ||
| Microsoft Windows Autoenrollment integration | | | | ||
| Upcoming Features | |||||
| Free Extra Small (non-production) instance of EJBCA included | N/A | N/A | Available Upon Request | ||
| Upgrade scheduler | Coming Soon | Coming Soon | Coming Soon | ||
*Certificate generation performance limited by latency and connectivity to the EJBCA SaaS platform.
**On Command Provisioning means that everything is uniquely configured for you upon startup without any pre-provisioned infrastructure.
Notes on AWS Key Management Service (KMS)
AWS KMS supports two different asymmetric key types: encryption keys and signing keys. AWS KMS does however not support keys having both functionalities at the same time. For more information, refer to the AWS documentation on Selecting the key usage. Due to this design decision, the following functions within EJBCA cannot be used when using AWS KMS:
- SCEP: Per the RFC, SCEP uses the CAs private key to encrypt the SCEP message. Since there is no way to have a key be an encrypt key and a signing key at the same time, the signing key type must be chosen to ensure that the CA can sign certificates and CRLS. For more information on SCEP, see the EJBCA Documentation on SCEP.
- Key Recovery: EJBCA uses the CAs keyEncryptKey which is an RSA key used to wrap/unwrap keys in a CMS structure (RFC 5652) for stored key recovery data. Currently, using KMS asymmetric keys for decryption does not work with EJBCA. For more information on Key Recovery, see the EJBCA Documentation on Key Recovery.
Any features that use an encryption key usage (such as Microsoft Intune, SCEP, or Key Recovery) will not work with AWS KMS-based solutions. If these features are needed, please pick AWS CloudHSM, Azure Key Vault, or Azure Key Vault Managed HSM-backed solutions.