This "see also" section may contain an excessive number of entries. Please ensure that only the most relevant links are given, that they are not red links, and that any links are not already in this article. (April 2021) (Learn how and when to remove this message)
The system is implemented in Java EE and designed to be platform independent and fully clusterable, to permit a greater degree of scalability than is typical of similar software packages. Multiple instances of EJBCA are run simultaneously, sharing a database containing the current certificate authorities (CAs). This permits each instance of the software to access any CA. The software also supports the use of a hardware security module (HSM), which provides additional security. Larger-scale installations would use multiple instances of EJBCA running on a cluster, a fully distributed database on a separate cluster and a third cluster with HSMs keeping the different CA keys.
EJBCA supports many common PKI architectures such as all in a single server, distributed RAs and external validation authority. An example architecture is illustrated below.
EJBCA can be used by small and large organizations alike and EJBCA Community can be deployed as pure software installation (Do it yourself) or as an easy to test Docker container.
Components
A certificate authority system typically consists of the logical components:
Certification Authority (CA): issues certificates, signing them using the CA's private signing key.
Registration Authority (RA): registers entities in the system and approves issuance from the CA. Validation and policy controls are usually divided between the CA and the RA and can vary depending on use case and installation, from a model where the RA does everything and the CA simply issues on order from the RA, to a model where the CA performs all validation and controls and the RA acts as a simply proxy front-end.
Validation Authority (VA): servers relying parties with data needed to validate certificates as they are used by the relying parties. The VA typically offers an OCSP services and download of CRLs.
These logical components can be deployed ether as discrete components, physically separated, or bundled into a single physical deployment.
Notable features
Multiple CA instances: EJBCA supports running unlimited number of CAs and levels of CAs in a single installation. Build a complete infrastructure, or several, within one instance of EJBCA.
Online Certificate Status Protocol: certificate validation options include X.509 CRLs and OCSP (RFC6960).
Registration authority: The EJBCA software includes a separate registration authority (RA) front end that can run on the same instance as the CA or distributed as external RAs. Communication between the CA and the RA is only using outgoing network connections to insulate the CA from less trusted networks, where the RA is typically placed.
Different certificate formats: EJBCA support both X.509v3 certificates and Card Verifiable certificates (CVC BSI TR-03110). Certificates are compliant with all standards such as RFC5280, CA/Browser Forum, eIDAS, ICAO 9303, EAC 2.10 and ISO 18013 Amendment 2 eDL.
PKCS#11 HSMs: Standard PKCS 11 compliant hardware security modules are used to protect the CAs’ and OCSP responders’ private keys.
Many integration protocols and APIs: EJBCA was designed with integration in mind. Most standard protocols are supported, CMP, SCEP, EST, and ACME as well as web services. Using integration APIs it is possible to integrate EJBCA as a certificate factory, not exposing its native user interfaces.
High capacity: Using a standard RDBMS the system have a capacity to store large amounts of issued certificates.
Research and application of EJBCA based on J2EE; Liyi Zhang, Qihua Liu and Min Xu; IFIP International Federation for Information Processing Volume 251/2008; ISBN978-0-387-75465-9
Chapter "Securing Connections and Remote Administration" in Hardening Linux; James Turnbull; ISBN978-1-59059-444-5
Exception-Handling Bugs in Java and a Language Extension to Avoid Them; Westley Weimer; Advanced Topics in Exception Handling Techniques Volume 4119/2006; ISBN978-3-540-37443-5
