To set up a PKI capable of enrolling a diverse set of users and devices, it is usually necessary to introduce multiple types of Registration Authorities (RAs), for different purposes.

Using EJBCA, you can connect an unlimited number of distributed RAs that communicate with the CA over standard protocols such as CMP, SCEP and Web service. The RAs can be EJBCA components, custom-developed RAs, or standard products such as MDM or token management products. Security levels can be scaled up and down as in the previous example, and RAs can use different means of authentication, such as shared secrets or client certificate authentication. The CA uses role-based access control to decide which operations each RA is permitted to perform. Multiple CAs can easily be configured to serve different purposes (VPN, MDM, TLS, etc.).

Different protocols suitable for RA operations are: