EJBCA Software Appliance offers the complete feature set needed to operate a comprehensive, highly available PKI. It is based on EJBCA Enterprise, with easy-to-use management functions and a self-contained software package that allows you to leverage your existing virtualization environment and Hardware Security Module infrastructure.

To meet your needs, we offer different EJBCA Software Appliance models. The models differ in the number of certificates that they can support, and there are also Validation Authority (VA) and Registration Authority (RA) models that can be deployed as standalone units.

Software Appliance Models

All models include EJBCA Enterprise with a core library for Certificate Authority (CA), Registration Authority (RA), and Validation Authority (VA) functionality, capable of hosting an unlimited number of CAs.

Extra Small (XS)

Model Extra Small is the smallest software appliance with support for up to 10 thousand active certificates. This model is ideal for an offline Root CA in a PKI deployment.

Small (S)

This is your PKI start environment - EJBCA with everything you need. The Small model supports the operation of multiple, independent PKI hierarchies with one installation. In addition, this model includes Registration Authority (RA) functionality and highly flexible integration interfaces based on web services, REST API, and support for ACME, CMP v2 (RFC 4210), SCEP, and EST. This model supports up to 100 thousand active certificates. Many customers use the Small model for test or lab environments.

Medium (M)

Model Medium is the right choice if you already know that you need to issue and manage more certificates. This model supports up to 500 thousand active certificates.

Large (L)

The model size Large can manage even more certificates. If you have one or a couple of use cases that require a high number of certificates, and you soon expect to add additional use cases on top, then you should choose this model. This model supports up to 1 million active certificates.

Extra Large (XL)

Model XL is suited for extremely large PKI deployments with the need for up to 2.5 million active certificates.

Validation Authority (VA) Appliance

Validation Authority (VA) appliance is a standalone, turn-key solution that brings all components needed to deploy and operate a Validation Authority. It includes a complete OCSP responder, serving an unlimited number of Certification Authorities (CAs), a CRL, and a CA certificate download service.

Registration Authority (RA) Appliance

Registration Authority (RA) appliance model is a standalone toolbox that provides enrollment of certificates for people, software, or things. It is often desirable to physically separate CA and RA, allowing the CA to reside in a secure environment with minimal access, while the RA can reside in a DMZ or even be publicly reachable. The standalone RA appliance enables an additional layer of security around the CA.

Model Comparison Overview

The following provides a model comparison overview.

| EJBCA Software Appliance | Extra Small | Small | Medium | Large | Extra Large | VA | RA |
|---|---|---|---|---|---|---|---|
| Technology stack: EJBCA Enterprise & Secure Foundation Platform | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Protocols & APIs | | | | | | | |
| Certificate Validation (OCSP/CRL) | CRL | Yes | Yes | Yes | Yes | Yes | |
| WebServices API | | | | | | | |
| Key Features | | | | | | | |
| Certificate Capacity (Active Certificates *) | Up to 10 K | Up to 100 K | Up to 500 K | Up to 1 M | Up to 2.5 M | NA | NA |
| Simplified backup and restore routines using hypervisor-provided functionality | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Complete and tested software package for updates and upgrades | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Flexible performance and architecture adaptation (redundancy support) | | | | | | | |
| External HSM Support | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| SNMP, Syslog | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

*Active Certificates: the number of issued certificates that are neither revoked nor expired.