Interoperability and Certifications
The following provides an overview of EJBCA's capabilities and support, with relevant links to documentation and external standards.
This is a selection of the most important standards and does not cover every specification EJBCA supports.
Specifications
Certificate Formats and Standards
EJBCA supports the following formats and standards.
| Supported Standard | External Reference | Documentation |
|---|---|---|
| X509 and PKIX. | RFC 5280 | Certificate Authority Overview |
Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs. | BSI TR-03110 | ENTERPRISE |
Qualified Certificate Statement for issuing EU/ETSI qualified certificates. | RFC 3739 | Certificate Profile Fields |
| Certificate Transparency. | RFC 6962 | ENTERPRISE |
| DNS Certificate Authority Authorization (CAA). | RFC 6844 | ENTERPRISE |
| eIDAS | ENTERPRISE | |
| PSD2 | ETSI TS 119 495 | ENTERPRISE |
FIPS 201-2 (PIV) compliant certificates including FASC-N subjectAltName. | FIPS 201-2 | ENTERPRISE |
| PEM: Textual Encodings of PKIX, PKCS, and CMS Structures | RFC 7468 | |
| PKCS#10: Certification Request Syntax | RFC 2986 | |
| PKCS#7: Cryptographic Message Syntax | RFC 5652 | |
| PKCS#12: Personal Information Exchange Syntax | RFC 7292 |
CRL, OCSP and Certificate Distribution
EJBCA supports the following CRL formats and standards.
| Supported Standard | External Reference | Documentation |
|---|---|---|
| CRL creation and URL based CRL Distribution Points. | RFC 5280 | CRL Generation |
| Online Certificate Status Protocol (OCSP), including AIA-extension and must-staple extension. | RFC 2560, RFC 6960, RFC 5019 and RFC 8964 | OCSP |
| Certificate Store, distribution of CA certificates and CRLs over HTTP. | RFC 4387 | Certificate and CRL Access over HTTP |
The German Common PKI SigG CertHash OCSP extension. | Common PKI | OCSP |
| LDAP Certificate Publishing. | RFC 4523 | LDAP Publisher/LDAP Search Publisher |
| SCP Publishing |
Algorithms and Key Types
EJBCA supports the following algorithm types and key size/curves. When using HSMs, support is limited to a subset by the PKCS#11 provider and the specific HSM used.
| Algorithm | Key Size/curve | External Reference | Documentation |
|---|---|---|---|
| RSA | Keys up to and including 8192 bits. | ||
DSA | Keys up to and including 1024 bits. Use of DSA is deprecated as of EJBCA 8.2. | ||
| ECDSA | Curves including named curves from Nist, SEC, Teletrust, and X9.62. 
For long term stability we recommend to use the most commonly FRP256v1 | ECDSA Keys and Signatures | |
| EdDSA | Ed25519 | RFC8032 RFC8410 | EdDSA Keys and Signatures |
GOST | GostR3410-2001-CryptoPro-A/GostR3410-2001-CryptoPro-XchA |
Certificate Enrollment Protocols
For specific features supported in each protocol, see the detailed documentation.
| Protocol / Interface | External Reference | Documentation |
|---|---|---|
| EJBCA WS Soap API. | Web Service Interface | |
EJBCA Enrollment REST API. | EJBCA REST Interface | |
| EJBCA Management REST API. | ENTERPRISE | |
| Simple Certificate Enrollment Protocol (SCEP). | SCEP draft 23 | SCEP |
| X509 Public Key Infrastructure Certificate Management Protocol (CMP). | RFC 4210 and RFC 6712 | CMP |
| 3GPP, i.e. LTE/4G, compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication. | ETSI-3GPP | ENTERPRISE |
| X.509 Public Key Infrastructure Certificate Request Message Format (CRMF). | RFC 4211 | |
| Enrollment over Secure Transport (EST). | RFC 7030 | ENTERPRISE |
| Automatic Certificate Management Environment (ACME). | RFC 8555 | ENTERPRISE |
| Microsoft Auto-enrollment Integration. | ENTERPRISE | |
| Legacy Native auto-enrollment in Windows environment with add-on auto-enrollment proxy module. | ENTERPRISE |
Certifications
The following lists certifications.
| Type | Version | External Reference | Documentation |
|---|---|---|---|
| Common Criteria: Issuing and Management Components (CIMC) Version 1.0, EAL4+ | EJBCA 5.0.4 | Certification | ENTERPRISE |
| Common Criteria: Protection Profile for Certification Authorities Version 2.1 | EJBCA 7.4.1.1 | Certification | ENTERPRISE |
Interoperability
Hardware Security Modules
The following lists support for Hardware Security Modules (HSMs). There are different APIs supporting HSMs, Java P11 Provider (legacy), P11NG, and REST APIs for some HSMs.
| Vendor | Model | Documentation |
|---|---|---|
| Generic PKCS#11 Provider | Generic PKCS#11 Provider | |
| ARX | CoSign | ARX CoSign |
| AWS CloudHSM | CloudHSM | ENTERPRISE |
| AWS Key Management Service | KMS | ENTERPRISE |
| Azure Key Vault | Key Vault and Managed HSM | Azure Key Vault and Managed HSM |
| Bull | Trustway PCI and Proteccio | Bull Trustway PCI Crypto Card Bull Trustway Proteccio |
| CardContact | SmartCard-HSM | SmartCard-HSM |
| Engage Black | BlackVault HSM | BlackVault HSM |
| Fortanix | Data Security Manager (DSM) | ENTERPRISE |
| i4p | Trident HSM | Trident HSM |
| Entrust/nCipher | nShield/netHSM | nCipher nShield/netHSM |
| NitroKey | NitroKey HSM | Nitrokey HSM |
| SoftHSM | SoftHSMv2 | SoftHSM |
| Securosys | Securosys Primus HSM and CloudsHSM Service | Securosys Primus HSM and CloudsHSM Service |
| Thales | Thales Data Protection on Demand (DPoD) | Thales DPoD |
| Thales | Thales Luna HSM | Thales Luna HSM |
| Thales | ProtectServer | Thales ProtectServer |
| Thales TCT | Luna SA HSM | Thales TCT Luna SA |
| Utimaco | CryptoServer | Utimaco CryptoServer |
| Utimaco | CryptoServer CP5 | Contact Sales |
| Ultra Electronics AEP | Keyper | AEP Keyper |
| Yubico | YubiHSM 2 | YubiHSM 2 |
| KMS | ENTERPRISE | |
| IBM | HPCS | IBM HPCS |