Interoperability and Certifications

The following provides an overview of EJBCA's capabilities and support, with relevant links to documentation and external standards.

Specifications

Certificate Formats and Standards

EJBCA supports the following formats and standards.

Supported Standard

External Reference

Documentation

X509 and PKIX.

RFC 5280

Certificate Authority Overview

Card Verifiable Certificates (CVC) used by EU EAC ePassports and eIDs.

BSI TR-03110

ENTERPRISE

CVC CA

Qualified Certificate Statement for issuing EU/ETSI qualified certificates.

RFC 3739

Certificate Profile Fields

Certificate Transparency.

RFC 6962

ENTERPRISE

Certificate Transparency

DNS Certificate Authority Authorization (CAA).

RFC 6844

ENTERPRISE

Certificate Field Validators

eIDAS

Regulation (EU) No 910/2014
EN 319 411, EN 319 412

ENTERPRISE

Certificate Profile Fields

PSD2

ETSI TS 119 495

ENTERPRISE

Certificate Profile Fields

FIPS 201-2 (PIV) compliant certificates including FASC-N subjectAltName.

FIPS 201-2

ENTERPRISE

End Entity Profiles Fields

PEM: Textual Encodings of PKIX, PKCS, and CMS Structures

RFC 7468


PKCS#10: Certification Request Syntax

RFC 2986


PKCS#7: Cryptographic Message Syntax

RFC 5652


PKCS#12: Personal Information Exchange Syntax

RFC 7292


CRL, OCSP and Certificate Distribution

EJBCA supports the following CRL formats and standards.

Supported Standard

External Reference

Documentation

CRL creation and URL based CRL Distribution Points.

RFC 5280

CRL Generation

Online Certificate Status Protocol (OCSP), including AIA-extension and must-staple extension.

RFC 2560, RFC 6960, RFC 5019 and RFC 8964

OCSP

Certificate Store, distribution of CA certificates and CRLs over HTTP.

RFC 4387

Certificate and CRL Access over HTTP

The German Common PKI SigG CertHash OCSP extension.

Common PKI

OCSP

LDAP Certificate Publishing.

RFC 4523

LDAP Publisher/LDAP Search Publisher

SCP Publishing


ENTERPRISE

SCP Publisher

Algorithms and Key Types

EJBCA supports the following algorithm types and key size/curves. When using HSMs, support is limited to a subset by the PKCS#11 provider and the specific HSM used.

Algorithm

Key Size/curve

External Reference

Documentation

RSA

Keys up to and including 8192 bits.



DSA

Keys up to and including 1024 bits.



ECDSA

Curves including named curves from Nist, SEC, Teletrust, and X9.62.


ECDSA Keys and Signatures

EdDSA

Ed25519
Ed448

RFC8032
RFC8410

EdDSA Keys and Signatures

GOST

GostR3410-2001-CryptoPro-A/GostR3410-2001-CryptoPro-XchA
GostR3410-2001-CryptoPro-B
GostR3410-2001-CryptoPro-C/GostR3410-2001-CryptoPro-XchB
Tc26-Gost-3410-12-256-paramSetA
Tc26-Gost-3410-12-512-paramSetA
Tc26-Gost-3410-12-512-paramSetB
Tc26-Gost-3410-12-512-paramSetC



Certificate Enrollment Protocols

For specific features supported in each protocol, see the detailed documentation.

Protocol / Interface

External Reference

Documentation

EJBCA WS Soap API.


Web Service Interface

EJBCA Enrollment REST API.


EJBCA REST Interface

EJBCA Management REST API.


ENTERPRISE

EJBCA REST Interface

Simple Certificate Enrollment Protocol (SCEP).

SCEP draft 23

SCEP

X509 Public Key Infrastructure Certificate Management Protocol (CMP).

RFC 4210

CMP

3GPP, i.e. LTE/4G, compatible PKI, using CMPv2 with multiple Vendor CAs and vendor certificate authentication.

ETSI-3GPP

ENTERPRISE

CMP

X.509 Public Key Infrastructure Certificate Request Message Format (CRMF).

RFC 4211


Enrollment over Secure Transport (EST).

RFC 7030

ENTERPRISE

EST

Automatic Certificate Management Environment (ACME).

RFC 8555

ENTERPRISE

ACME

Microsoft Auto-enrollment Integration.


ENTERPRISE

Auto-enrollment

Legacy Native auto-enrollment in Windows environment with add-on auto-enrollment proxy module.


ENTERPRISE

Auto-enrollment (legacy)

Certifications

The following lists certifications.

Type

Version

External Reference

Documentation

Common Criteria: Issuing and Management Components (CIMC) Version 1.0, EAL4+

EJBCA 5.0.4

Certification

ENTERPRISE

Common Criteria

Common Criteria: Protection Profile for Certification Authorities Version 2.1

EJBCA 7.4.1.1

Certification

ENTERPRISE

Common Criteria

Interoperability

Hardware Security Modules

The following lists support for Hardware Security Modules (HSMs).

Vendor

Model

Documentation

Generic PKCS#11 Provider


Generic PKCS#11 Provider

ARX

CoSign

ARX CoSign

AWS CloudHSM

CloudHSM

EJBCA Cloud AWS

AWS Key Management Service

KMS

EJBCA Cloud AWS

Azure Key Vault

Key Vault

EJBCA Cloud Azure

Bull

Trustway PCI and Proteccio

Bull Trustway PCI Crypto Card
Bull Trustway Proteccio

CardContact

SmartCard-HSM

SmartCard-HSM

Engage Black

BlackVault HSM

BlackVault HSM

Fortanix

Fortanix Data Security Manager (DSM)

Fortanix Data Security Manager

i4p

Trident HSM

Trident HSM

nCipher

nShield/netHSM

nCipher nShield/netHSM

NitroKey

NitroKey HSM

Nitrokey HSM

SoftHSM

SoftHSMv2

SoftHSM

Securosys

Securosys Primus HSM and CloudsHSM Service

Securosys Primus HSM and CloudsHSM Service

Thales

Thales Data Protection on Demand (DPoD)

Thales DPoD

Thales

Thales Luna HSM

Thales Luna HSM

Thales

ProtectServer

Thales ProtectServer

Thales TCT

Luna SA HSM

Thales TCT Luna SA

Utimaco

CryptoServer

Utimaco CryptoServer

Utimaco

CryptoServer CP5

Contact Sales

Ultra Electronics AEP

Keyper

AEP Keyper

Yubico

YubiHSM 2

YubiHSM 2