ENTERPRISE  This is an EJBCA Enterprise feature.

The following sections cover information on Card Verifiable Certificate (CVC) CAs:


EJBCA Enterprise has full support for Card Verifiable Certificates (CVC BSI TR-03110) used by EU EAC ePassports and eIDs.

Using EJBCA you can set up a complete PKI infrastructure for CVC CAs with:

  • Country CVCCA
  • Domestic DVs (document verifier)
  • Foreign DVs
  • Inspection systems (IS)
  • Authentication Terminals (AT)
  • Signature Terminals (ST)

EJBCA supports RSA and ECC keys in CV certificates with the following algorithms:

  • SHA1WithRSA - id-TA-RSA-v1-5-SHA-1
  • SHA256WithRSA - id-TA-RSA-v1-5-SHA-256
  • SHA1WithRSAAndMGF1 - id-TA-RSA-PSS-SHA-1
  • SHA256WithRSAAndMGF1 - id-TA-RSA-PSS-SHA-256
  • SHA224WithECDSA - id-TA-ECDSA_SHA_224
  • SHA256WithECDSA - id-TA-ECDSA_SHA_256

Using SignServer you can set up a clustered Document Signer. For more information, see

Terminal Types

In addition to Inspection Systems (IS), EJBCA supports certificate hierarchies for Authentication Terminal (AT) and Signature Terminal (ST) end-entities as of EAC 2.10.

To use AT or ST certificates, create certificate profiles with the Terminal Type configured for your CAs and end entities. For more information, see Inspection Systems.