EJBCA Software Appliance offers the complete feature set needed to operate a comprehensive, highly available PKI. It is based on EJBCA Enterprise, with easy-to-use management functions, and packaged as an OVA that allows you to leverage your existing virtualization environment and Hardware Security Module infrastructure. 

Depending on your requirements, we offer 7 software appliance models. The models differ mainly in the number of certificates they can support, but there are also Validation Authority (VA) and Registration Authority (RA) models that can be deployed as standalone units.

Software Appliance Models

All models include EJBCA Enterprise with a core library for Certificate Authority (CA), Registration Authority (RA), and Validation Authority (VA) functionality, capable of hosting an unlimited number of CAs.

Extra Small (XS)

Model Extra Small is the smallest software appliance with support for up to 1,000 certificates. This model is ideal for an offline Root CA in a PKI deployment.

Small (S)

This is your PKI start environment: EJBCA with everything you need. The Small model supports the operation of multiple, independent PKI hierarchies with one installation. In addition, this model includes Registration Authority (RA) functionality and highly flexible integration interfaces based on web services, REST API, and support for ACME, CMP v2 (RFC 4210), SCEP, and EST. This model supports up to 1 M certificates. Many customers use the Small model for test or lab environments.

Medium (M)

Model Medium is the right choice if you already know that you need to issue and manage more certificates. This model supports up to 15 million certificates.

Large (L)

The Large model can manage even more certificates. If you have one or a couple of use cases that require a high number of certificates, and you expect to add further use cases soon, then you should choose this model. This model supports up to 60 million certificates.

Extra Large (XL)

Model XL is suited for extremely large PKI deployments with the need for up to 160 million certificates.

Validation Authority (VA) Appliance

The Validation Authority (VA) hardware appliance is a standalone, turn-key solution that brings all components needed to deploy and operate a Validation Authority (VA). It includes a complete OCSP responder, serving an unlimited number of Certification Authorities (CAs), a CRL, a CA certificate download service and an integrated HSM.

Registration Authority (RA) Appliance

The Registration Authority (RA) hardware appliance model is a standalone toolbox that provides enrollment of certificates for people, software, or things. It is often desirable to physically separate CA and RA, allowing the CA to reside in a secure environment with minimal access, while the RA can reside in a DMZ or even publicly. The standalone RA hardware appliance enables an additional layer of security around the CA.

Model Comparison Overview

The following provides a model comparison overview.

EJBCA Hardware Appliance

Columns, in order: Extra Small | Small | Medium | Large | Extra Large | VA | RA

Technology stack: EJBCA Enterprise & Secure Foundation Platform

Protocols & APIs
Certificate Validation (OCSP/CRL): CRL | ✓ | ✓ | ✓ | ✓ | ✓
WebServices API

Key Features
Certificate Capacity: Up to 1 K | Up to 1 M | Up to 15 M | Up to 60 M | Up to 160 M | NA | NA
Simplified backup and restore routines using hypervisor-provided functionality: ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Complete and tested software package for updates and upgrades: ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Flexible performance and architecture adaptation (redundancy support)
External HSM Support: ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
SNMP, Syslog: ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓