The following provides questions and answers about EJBCA SaaS. To view all questions and answers related to EJBCA SaaS, see EJBCA SaaS FAQ.


Can I create publicly trusted certificates in EJBCA SaaS?

EJBCA SaaS specializes in creating internally trusted certificates and is not designed for creating publicly trusted certificates (although many Public PKIs do use EJBCA as their engine).


Which HSM-backed EJBCA SaaS product should I choose?

AWS

AWS CloudHSM is the best way to protect your keys in your security environment, but it comes at a steeper cost. CloudHSM is FIPS 140-2 Level 3 certified. AWS KMS (Key Management Service), on the other hand, is FIPS 140-2 Level 2 certified. The main difference between Level 2 and Level 3 is that Level 3 adds requirements for physical tamper resistance and identity-based authentication.

Due to functionality constraints of AWS KMS, SCEP and Microsoft Intune integrations are not currently supported with KMS. AWS CloudHSM, on the other hand, supports both SCEP and Intune integrations.

For more information on AWS CloudHSM or AWS KMS, please refer to their documentation in the links provided.

Azure

Like AWS CloudHSM, Azure Key Vault Managed HSM is the best way to protect your keys in your security environment, but it comes at a steeper cost. Azure Key Vault Managed HSM is FIPS 140-2 Level 3 certified. Azure Key Vault, on the other hand, is FIPS 140-2 Level 2 certified. The main difference between Level 2 and Level 3 is that Level 3 adds requirements for physical tamper resistance and identity-based authentication.

Unlike AWS KMS, Azure Key Vault is fully functional and has no PKI limitations.

For more information on Azure Key Vault Managed HSM or Azure Key Vault, please refer to their documentation in the links provided.


Should I use an on-premises PKI or a SaaS-based PKI?

When deciding whether to store your data in the cloud, evaluate whether you realistically have the skills, budget, and time to provide a secure and compliant solution yourself. Keyfactor abides by criteria from SOC 2, ISO 27001, ISO 27017, and CSA STAR. For more information, see Compliance Frameworks.


What kind of certificates can be created in EJBCA SaaS?

EJBCA SaaS supports both X.509 v3 certificates and Card Verifiable Certificates (CVC BSI TR-03110). Certificates are compliant with standards such as RFC 5280, CA/Browser Forum, eIDAS, ICAO 9303, EAC 2.10, and ISO 18013 Amendment 2 eDL. For more information, refer to EJBCA documentation on Interoperability and Certifications.


What region is EJBCA SaaS hosted in?

Customers can select one of three AWS or Azure regions for their EJBCA SaaS instance: US, AP, or EU.


What kinds of data are collected and stored in EJBCA SaaS?

EJBCA SaaS collects and stores enrollment data, customer usernames/passwords, certificates, digital signatures, and private keys.


Will I have access to EJBCA source code?

No, customers will not have access to the source code to make modifications. However, the application is extremely customizable and can be configured to fit most PKI environments.


Where can I review the EJBCA SaaS Service Level Agreement (SLA), Terms and Conditions (T&C), and/or Privacy Policy?

The SLA, T&C, and Privacy Policy can all be found at Keyfactor's General terms and conditions at https://www.keyfactor.com/terms_and_conditions_of_use/


Does EJBCA SaaS have any compliance certifications?

EJBCA SaaS was designed and built with ISO 27001 and SOC 2 criteria in mind. We are currently ISO 27001, ISO 14001, and ISO 9001 certified. We also have started the process of becoming SOC 2 compliant. Additionally, EJBCA Enterprise is Common Criteria certified, see Common Criteria.


Is any software development for EJBCA SaaS performed outside the US?

Keyfactor is based in Sweden and the development of EJBCA is based there. As such, development of EJBCA will take place in Sweden but any other development for EJBCA SaaS takes place in the United States.


How does Keyfactor communicate with customers?

Customers can contact us by calling, sending an email, or submitting a ticket online.


How is one customer's information kept separate from another customer's information?

Customers' environments exist on their own dedicated AWS RDS or Azure Database instance in a private subnet. There is no crossover of VPCs or vNets between customers.


Can I migrate existing keys from my PKI environment into EJBCA SaaS?

No, only new keys are allowed into EJBCA SaaS. We do not migrate existing keys into the product. Please contact sales@Keyfactor.com about a managed PKI engagement where you can customize your PKI deployment for specific needs.


Can I export my log data to my own Syslog server/service?

Yes, Syslog data can be pushed to external servers and/or services. For root CA and/or issuing CA logs you can choose between TCP – unencrypted, TLS – unauthenticated, or TLS – authenticated. Be aware that TCP – unencrypted sends logs in plaintext and should only be used for testing purposes.
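As an added example (not part of Keyfactor's documentation or the EJBCA SaaS product), the following receiver configuration shows what the three transport options above look like from the log server's side, assuming your own log server runs rsyslog with the gtls network stream driver. The certificate file paths, the listening port, the output file, and the permitted peer name are placeholders; the permitted name must match whatever name the sender's certificate actually carries.

```conf
# Added example: rsyslog receiver for EJBCA SaaS root/issuing CA logs.
# Every path, port and peer name below is a placeholder for your environment.

# Option 1: TCP - unencrypted. Logs cross the network in plaintext, so only
# use this for testing. Shown commented out; do not enable it alongside TLS.
#   module(load="imtcp")
#   input(type="imtcp" port="514" ruleset="ejbca")

# Option 3: TLS - authenticated (recommended). The receiver presents its own
# certificate and verifies the sender's certificate chain against the CA file,
# then additionally checks the sender's certificate name against PermittedPeer.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)

# StreamDriver.Mode="1" means TLS only: plaintext connections are refused.
# StreamDriver.AuthMode="x509/name" validates the chain and the peer name.
# PermittedPeer is a placeholder for the name in the sender's certificate.
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.AuthMode="x509/name"
    PermittedPeer=["ejbca-saas-sender.example.invalid"]
)

# Option 2: TLS - unauthenticated. To get this instead, change
# StreamDriver.AuthMode to "anon" and drop PermittedPeer: the channel is
# encrypted, but any client that can reach the port may submit log lines.

input(type="imtcp" port="6514" ruleset="ejbca")

# Keep CA logs in their own file so they can be retained and monitored
# separately from the log server's other inputs.
ruleset(name="ejbca") {
    action(type="omfile" file="/var/log/ejbca-saas/ca.log")
}
```

The practical difference between the two TLS modes is what a receiver can trust about a log line: with "anon", an encrypted session proves nothing about who sent it, so alerting rules built on those logs can be fed by any host that reaches the port; with x509/name, only a sender holding a certificate issued by the configured CA and carrying the permitted name is accepted.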


What happens if I want to leave EJBCA SaaS? Am I locked in?

If you choose to leave EJBCA SaaS, your keys can be provided to you. Neither Azure nor AWS allows keys to be exported from their HSMs, and keys are not created with an extractable flag in CloudHSM or Managed HSM. If customers decide to leave EJBCA SaaS, we can work with them to separate the AWS or Azure account containing those keys from our organization. This means your private keys will need to remain in the AWS or Azure ecosystem, but you will own them.


What if I leave and want to take my keys with me?

At Keyfactor, we do not believe in vendor lock-in. However, if a customer leaves and wants to take their keys with them, they may do so as long as their account is in good standing. The customer cannot have any outstanding invoices with AWS or Azure for the Keyfactor EJBCA SaaS service.


How can I contact support if I have an issue?

If you have an issue you can contact support by emailing support@keyfactor.com or contacting us by going to https://www.keyfactor.com/contact-us/. To make it easy, we have added the ability to contact support in the EJBCA SaaS portal.


EJBCA SaaS really is not for me. Do you have any other Keyfactor products?

Yes, Keyfactor offers many different products, including EJBCA Enterprise and SignServer, across many different delivery models, including cloud options to deploy within your own VPC, on-prem appliances, software appliances, and source code licenses. We have done business across many industries and with many different use cases. Please contact us by emailing sales@keyfactor.com or by going to our website at https://www.keyfactor.com/contact-us/.


If I need additional help with EJBCA SaaS or choose a different Keyfactor product, can Keyfactor help me?

Yes, the Keyfactor Professional Services team are experts in PKI and some of the best in the industry. If you are interested, contact us by emailing us at sales@keyfactor.com.

Bonus Offerings

Can I use my existing CP/CPS? Or can Keyfactor help me make one?

Customers can use an existing Certificate Policy and/or Certificate Practice Statement. Keyfactor also provides EJBCA SaaS-specific template packages to help customers create a Certificate Policy (CP) and a Certificate Practice Statement (CPS) to be successful in their PKI environment. To utilize the CP/CPS templates, you must subscribe to EJBCA SaaS.