Interoperability and Certifications
The following provides an overview of EJBCA's capabilities and support, with relevant links to documentation and external standards.
Specifications
Certificate Formats and Standards
EJBCA supports the following formats and standards.
Supported Standard |
External Reference |
Documentation |
X509 and PKIX. |
||
Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs. |
ENTERPRISE |
|
Qualified Certificate Statement for issuing EU/ETSI qualified certificates. |
||
Certificate Transparency. |
ENTERPRISE |
|
DNS Certificate Authority Authorization (CAA). |
ENTERPRISE |
|
eIDAS |
ENTERPRISE |
|
PSD2 |
ENTERPRISE |
|
FIPS 201-2 (PIV) compliant certificates including FASC-N subjectAltName. |
ENTERPRISE |
|
PEM: Textual Encodings of PKIX, PKCS, and CMS Structures |
|
|
PKCS#10: Certification Request Syntax |
|
|
PKCS#7: Cryptographic Message Syntax |
|
|
PKCS#12: Personal Information Exchange Syntax |
|
CRL, OCSP and Certificate Distribution
EJBCA supports the following CRL formats and standards.
Supported Standard |
External Reference |
Documentation |
CRL creation and URL based CRL Distribution Points. |
||
Online Certificate Status Protocol (OCSP), including AIA-extension and must-staple extension. |
||
Certificate Store, distribution of CA certificates and CRLs over HTTP. |
||
The German Common PKI SigG CertHash OCSP extension. |
||
LDAP Certificate Publishing. |
||
SCP Publishing |
|
ENTERPRISE |
Algorithms and Key Types
EJBCA supports the following algorithm types and key size/curves. When using HSMs, support is limited to a subset by the PKCS#11 provider and the specific HSM used.
Algorithm |
Key Size/curve |
External Reference |
Documentation |
RSA |
Keys up to and including 8192 bits. |
|
|
DSA |
Keys up to and including 1024 bits. |
|
|
ECDSA |
Curves including named curves from Nist, SEC, Teletrust, and X9.62. |
|
|
EdDSA |
Ed25519 |
||
GOST |
GostR3410-2001-CryptoPro-A/GostR3410-2001-CryptoPro-XchA |
|
|
Certificate Enrollment Protocols
For specific features supported in each protocol, see the detailed documentation.
Protocol / Interface |
External Reference |
Documentation |
EJBCA WS Soap API. |
|
|
EJBCA Enrollment REST API. |
|
|
EJBCA Management REST API. |
|
ENTERPRISE |
Simple Certificate Enrollment Protocol (SCEP). |
||
X509 Public Key Infrastructure Certificate Management Protocol (CMP). |
||
3GPP, i.e. LTE/4G, compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication. |
ENTERPRISE |
|
X.509 Public Key Infrastructure Certificate Request Message Format (CRMF). |
|
|
Enrollment over Secure Transport (EST). |
ENTERPRISE |
|
Automatic Certificate Management Environment (ACME). |
ENTERPRISE |
|
Microsoft Auto-enrollment Integration. |
|
ENTERPRISE |
Legacy Native auto-enrollment in Windows environment with add-on auto-enrollment proxy module. |
|
ENTERPRISE |
Certifications
The following lists certifications.
Type |
Version |
External Reference |
Documentation |
Common Criteria: Issuing and Management Components (CIMC) Version 1.0, EAL4+ |
EJBCA 5.0.4 |
ENTERPRISE |
|
Common Criteria: Protection Profile for Certification Authorities Version 2.1 |
EJBCA 7.4.1.1 |
ENTERPRISE |
Interoperability
Hardware Security Modules
The following lists support for Hardware Security Modules (HSMs).
Vendor |
Model |
Documentation |
Generic PKCS#11 Provider |
|
|
ARX |
CoSign |
|
AWS CloudHSM |
CloudHSM |
|
AWS Key Management Service |
KMS |
|
Azure Key Vault |
Key Vault |
|
Bull |
Trustway PCI and Proteccio |
|
CardContact |
SmartCard-HSM |
|
Engage Black |
BlackVault HSM |
|
Fortanix |
Fortanix Data Security Manager (DSM) |
|
i4p |
Trident HSM |
|
nCipher |
nShield/netHSM |
|
NitroKey |
NitroKey HSM |
|
SoftHSM |
SoftHSMv2 |
|
Securosys |
Securosys Primus HSM and CloudsHSM Service |
|
Thales |
Thales Data Protection on Demand (DPoD) |
|
Thales |
Thales Luna HSM |
|
Thales |
ProtectServer |
|
Thales TCT |
Luna SA HSM |
|
Utimaco |
CryptoServer |
|
Utimaco |
CryptoServer CP5 |
|
Ultra Electronics AEP |
Keyper |
|
Yubico |
YubiHSM 2 |