The following outlines the architecture of a standalone CA/RA/VA.
Standalone CA/RA/VA
You can deploy a complete PKI in a single instance. Since EJBCA has everything built in, you can have a single instance functioning as both CA and RA. This is a very efficient, easy-to-manage, and cost-effective solution that is suitable for many SME enterprise deployments.
Multiple CAs for different use cases can co-exist in a single instance, and security levels can be scaled in several ways, for example:
- Administrators can use smart cards or soft tokens for accessing the administration interface.
- The CA can use an HSM or soft tokens for the CA signing keys.
- Users and machines can be issued with soft tokens or smart cards/USB tokens.
- Various filtering options can be deployed in firewalls.
For more information on creating a CA with EJBCA, see the EJBCA Operations Guide.