EJBCA

From Wikipedia, the free encyclopedia
EJBCA 6.5.0 in English – Administration
Developer(s) PrimeKey Solutions AB
Initial release December 5, 2001 (2001-12-05)
Stable release 6.6.1 / November 23, 2016 (2016-11-23)
Written in Java on Java EE
Operating system Cross-platform
Available in Bosnian, Chinese, Czech, English, French, German, Japanese, Portuguese, Swedish, Ukrainian
Type PKI Software
License LGPL v2.1
Website www.ejbca.org

Enterprise Java Beans Certificate Authority, or EJBCA, is a free software public key infrastructure (PKI) certificate authority software package maintained and sponsored by the Swedish for-profit company PrimeKey Solutions AB, which holds the copyright to most of the codebase. The project's source code is available under the terms of the GNU Lesser General Public License.

Design

The system is implemented in Java EE and designed to be platform independent and fully clusterable,[1] to permit a greater degree of scalability than is typical of similar software packages. Multiple instances of EJBCA are run simultaneously, sharing a database containing the current certificate authorities (CAs). This permits each instance of the software to access any CA. The software also supports the use of a Hardware Security Module (HSM), which provides additional security. Larger-scale installations would use multiple instances of EJBCA running on a cluster, a fully distributed database on a separate cluster and a third cluster with HSMs keeping the different CA keys.

EJBCA supports many common PKI architectures,[2] such as everything on a single server, distributed registration authorities (RAs) and an external validation authority. An example architecture is illustrated below.

Example PKI architecture with external validation authority

Key features

Multiple CA instances

EJBCA supports running an unlimited number of CAs, and an unlimited number of CA levels, in a single installation. A complete infrastructure, or several, can be built within one instance of EJBCA.

Online Certificate Status Protocol

For certificate validation you have the choice of using X.509 CRLs and OCSP (RFC 6960).
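To show the RFC 6960 exchange that the OCSP option refers to, here is an added example (not EJBCA's code) using Python's cryptography library: a constructed throwaway CA, a client request, a responder answer signed GOOD or REVOKED, and a relying-party check that verifies the signature and serial before trusting the status. The names, the responder signing with the CA key directly, and the in-memory issued/revoked sets standing in for the shared CA database are simplifications assumed by this example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp

NOW = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, as the builders expect
DER = serialization.Encoding.DER

def _issue(cn, issuer_name, public_key, signing_key, is_ca):
    # Constructed throwaway certificate (ECDSA P-256 / SHA-256), not an EJBCA-issued one.
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(issuer_name or name)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def build_test_pki():  # one CA plus one end-entity certificate it issued
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_cert = _issue("Example Test CA", None, ca_key.public_key(), ca_key, True)
    leaf_cert = _issue("device-01", ca_cert.subject, leaf_key.public_key(), ca_key, False)
    return ca_cert, ca_key, leaf_cert

def build_request(leaf_cert, ca_cert):
    # Client side: DER OCSPRequest naming the leaf by issuer name/key hashes and serial.
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf_cert, ca_cert, hashes.SHA256()).build()
    return req.public_bytes(DER)

def answer_request(request_der, ca_cert, ca_key, issued, revoked_serials):
    # Responder side: look the serial up in the CA's issued set and sign the answer. Signing
    # with the CA key itself is a simplification; a dedicated OCSP signing certificate is usual.
    req = ocsp.load_der_ocsp_request(request_der)
    cert = issued[req.serial_number]  # KeyError: serial was never issued by this CA
    revoked = req.serial_number in revoked_serials
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=ca_cert, algorithm=hashes.SHA256(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
        this_update=NOW, next_update=NOW + timedelta(hours=1),
        revocation_time=NOW if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(DER)

def check_response(response_der, request_der, ca_cert):
    # Relying party: accept only a successful, CA-signed answer about the serial asked for.
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unknown"
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != ocsp.load_der_ocsp_request(request_der).serial_number:
        return "unknown"  # answer is about some other certificate
    return resp.certificate_status.name.lower()  # "good" or "revoked"
```

A CRL-based deployment would instead sign a list of revoked serials periodically; the OCSP path answers per certificate, which is why the relying party must check that the answer matches its own request.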

Multiple algorithms

You can use all common, and some uncommon, algorithms in your PKI: RSA, ECDSA and DSA for signatures, and SHA-1 and SHA-2 for hashing. EJBCA is compliant with NSA Suite B Cryptography.

Different certificate formats

EJBCA supports both X.509v3 certificates and Card Verifiable Certificates (CVC, BSI TR-03110). Certificates are compliant with standards such as RFC 5280, the CA/Browser Forum requirements, eIDAS, ICAO 9303, EAC 2.10 and ISO 18013 Amendment 2 (eDL).

PKCS#11 HSMs

Using the standard PKCS#11 API, most PKCS#11-compliant HSMs can be used to protect the private keys of the CAs and of the OCSP responders.

Many integration protocols and APIs

EJBCA was designed with integration in mind. Most standard protocols are supported, including CMP and SCEP, as well as web services. Using the integration APIs it is possible to embed EJBCA as a certificate factory without exposing its native user interfaces.

High performance and capacity

You can build a PKI with the capacity to issue billions of certificates at a rate of several hundred per second.
