ENTERPRISE This is an EJBCA Enterprise feature.

For general information about handling Card Verifiable Certificates (CVC) CAs, see CA Operations and for CVC specific operations, see CVC Operations.

The following covers a feature overview and sections providing information on Card Verifiable Certificates (CVC) CAs.


EJBCA Enterprise has full support for Card Verifiable Certificates (CVC BSI TR-03110) used by EU Extended Access Control (EAC) ePassports and eIDs. Additionally, the document BSI TR-03139 Common Certificate Policy for the Extended Access Control Infrastructure for Passports and Travel Documents issued by EU Member States defines common policy elements for EU member states.

Using EJBCA you can set up a complete PKI infrastructure for CVC CAs with:

  • CVCA (Country Verifying CA)

  • Domestic DVs (Document Verifier CA)

  • Foreign DVs

  • Inspection systems (IS)

  • Authentication Terminals (AT)

  • Signature Terminals (ST)

EJBCA supports RSA and ECC keys in CV certificates with the following algorithms:

  • SHA1WithRSA - id-TA-RSA-v1-5-SHA-1

  • SHA256WithRSA - id-TA-RSA-v1-5-SHA-256

  • SHA1WithRSAAndMGF1 - id-TA-RSA-PSS-SHA-1

  • SHA256WithRSAAndMGF1 - id-TA-RSA-PSS-SHA-256


  • SHA224WithECDSA - id-TA-ECDSA-SHA-224

  • SHA256WithECDSA - id-TA-ECDSA-SHA-256

  • SHA384WithECDSA - id-TA-ECDSA-SHA-384

  • SHA512WithECDSA - id-TA-ECDSA-SHA-512

Using SignServer you can set up a clustered Document Signer. For more information, see

Terminal Types

In addition to Inspection Systems (IS), EJBCA supports certificate hierarchies for Authentication Terminal (AT) and Signature Terminal (ST) end-entities as of EAC 2.10.

To use AT or ST certificates, create certificate profiles with the Terminal Type configured for your CAs and end entities. For more information, see Inspection Systems.

For more information on Card Verifiable Certificates (CVC) CAs, see the following sections.