Interoperability and Certifications

The following provides an overview of EJBCA's capabilities and support, with relevant links to documentation and external standards. 

Certificate Formats and Standards

EJBCA supports the following formats and standards.

| Supported Standard | External Reference | Documentation |
| --- | --- | --- |
| X509 and PKIX. | RFC 5280 | Certificate Authority Overview |
| Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs. | BSI TR-03110 | CVC CA |
| Qualified Certificate Statement for issuing EU/ETSI qualified certificates. | RFC 3739 | Certificate Profile Fields |
| Certificate Transparency. | RFC 6962 | Certificate Transparency |
| DNS Certificate Authority Authorization (CAA). | RFC 6844 | Certificate Field Validators |
| eIDAS | Regulation (EU) No 910/2014; EN 319 411, EN 319 412 | Certificate Profile Fields |
| PSD2 | ETSI TS 119 495 | Certificate Profile Fields |
| FIPS 201-2 (PIV) compliant certificates including FASC-N subjectAltName. | FIPS 201-2 | End Entity Profiles Fields |
| PEM: Textual Encodings of PKIX, PKCS, and CMS Structures | RFC 7468 | |
| PKCS#10: Certification Request Syntax | RFC 2986 | |
| PKCS#7: Cryptographic Message Syntax | RFC 5652 | |
| PKCS#12: Personal Information Exchange Syntax | RFC 7292 | |

CRL, OCSP and Certificate Distribution

EJBCA supports the following CRL formats and standards.

| Supported Standard | External Reference | Documentation |
| --- | --- | --- |
| CRL creation and URL based CRL Distribution Points. | RFC 5280 | CRL Generation |
| Online Certificate Status Protocol (OCSP), including AIA-extension and must-staple extension. | RFC 2560, RFC 6960 and RFC 5019 | OCSP |
| Certificate Store, distribution of CA certificates and CRLs over HTTP. | RFC 4387 | Certificate Store Access via HTTP |
| The German Common PKI SigG CertHash OCSP extension. | Common PKI | OCSP |
| LDAP Certificate Publishing. | RFC 4523 | LDAP Publisher/LDAP Search Publisher |
| SCP Publishing | | SCP Publisher |

Algorithms and Key Types

EJBCA supports the following algorithm types and key size/curves. When using HSMs, support is limited to a subset by the PKCS#11 provider and the specific HSM used.

| Algorithm | Key Size/curve |
| --- | --- |
| RSA | Keys up to and including 8192 bits. |
| DSA | Keys up to and including 1024 bits. |
| ECDSA | Curves including named curves from NIST, SEC, Teletrust, and X9.62: FRP256v1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1, c2pnb272w1, c2pnb304w1, c2pnb368w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime239v1, prime239v2, prime239v3, prime256v1/secp256r1/P-256, secp224k1, secp224r1/P-224, secp256k1, secp384r1/P-384, secp521r1/P-521, sect233k1/K-233, sect233r1/B-233, sect239k1, sect283k1/K-283, sect283r1/B-283, sect409k1/K-409, sect409r1/B-409, sect571k1/K-571, sect571r1/B-571 |
| GOST | GostR3410-2001-CryptoPro-A/GostR3410-2001-CryptoPro-XchA, GostR3410-2001-CryptoPro-B, GostR3410-2001-CryptoPro-C/GostR3410-2001-CryptoPro-XchB, Tc26-Gost-3410-12-256-paramSetA, Tc26-Gost-3410-12-512-paramSetA, Tc26-Gost-3410-12-512-paramSetB, Tc26-Gost-3410-12-512-paramSetC |
| SM2 | sm2p256v1 |

Certificate Enrollment Protocols

For specific features supported in each protocol, see the detailed documentation.

| Protocol / Interface | External Reference | Documentation |
| --- | --- | --- |
| EJBCA WS SOAP API. | | Web Service Interface |
| EJBCA REST Certificate Management API. | | EJBCA REST Interface |
| Simple Certificate Enrollment Protocol (SCEP). | SCEP draft 23 | SCEP |
| X509 Public Key Infrastructure Certificate Management Protocol (CMP). | RFC 4210 | CMP |
| 3GPP, i.e. LTE/4G, compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication. | ETSI-3GPP | CMP |
| X.509 Public Key Infrastructure Certificate Request Message Format (CRMF). | RFC 4211 | |
| Enrollment over Secure Transport (EST). | RFC 7030 | EST |
| Automatic Certificate Management Environment (ACME). | RFC 8555 | ACME |
| Native auto enrollment in Windows environment with add-on auto enrollment proxy module. | | Autoenrollment |

Certifications

The following lists certifications.

| Type | Version | Link |
| --- | --- | --- |
| Common Criteria: CIMC Protection Profile EAL4+ | EJBCA 5.0.4 | Certification |
| Common Criteria: Protection Profile for Certification Authorities Version 2.1 | Pending | CSEC Progress Page |

Third-party Hardware

Hardware Security Modules

The following lists support for Hardware Security Modules (HSMs).

| Vendor | Model | Documentation |
| --- | --- | --- |
| Generic PKCS#11 Provider | | Generic PKCS#11 Provider |
| ARX | CoSign | ARX CoSign |
| AWS CloudHSM | CloudHSM | EJBCA Cloud AWS |
| Azure Key Vault | Key Vault | EJBCA Cloud Azure |
| Bull | Trustway PCI and Proteccio | Bull Trustway PCI Crypto Card; Bull Trustway Proteccio |
| CardContact | SmartCard-HSM | SmartCard-HSM |
| nCipher | nShield/netHSM | nCipher nShield/netHSM |
| NitroKey | NitroKey HSM | Nitrokey HSM |
| SafeNet | AT Luna SA | SafeNet AT Luna |
| SafeNet | Luna | SafeNet Luna |
| SafeNet | ProtectServer | SafeNet ProtectServer |
| SoftHSM | SoftHSMv2 | SoftHSM |
| Utimaco | CryptoServer | Utimaco CryptoServer |
| Utimaco | CryptoServer CP5 | Contact Sales |
| Ultra Electronics AEP | Keyper | AEP Keyper |
| Yubico | YubiHSM 2 | YubiHSM 2 |