1. Design

2. Key features
    Multiple CA instances  Online Certificate Status Protocol  Registration authority  Multiple algorithms  Different certificate formats  PKCS#11 HSMs  Many integration protocols and APIs  High performance and capacity 

3. References

4. Further reading

5. External links

EJBCA, is a free software public key infrastructure (PKI) certificate authority software package maintained and sponsored by the Swedish for-profit company PrimeKey Solutions AB, which holds the copyright to most of the codebase. The project's source code is available under terms of the Lesser GNU General Public License.

Design

The system is implemented in Java EE and designed to be platform independent and fully clusterable,^[1] to permit a greater degree of scalability than is typical of similar software packages. Multiple instances of EJBCA are run simultaneously, sharing a database containing the current certificate authorities (CAs). This permits each instance of the software to access any CA. The software also supports the use of a hardware security module (HSM), which provides additional security. Larger-scale installations would use multiple instances of EJBCA running on a cluster, a fully distributed database on a separate cluster and a third cluster with HSMs keeping the different CA keys.

EJBCA supports many common PKI architectures^[2] such as all in a single server, distributed RAs and external validation authority. An example architecture is illustrated below.

Key features

Multiple CA instances

EJBCA supports running unlimited number of CAs and levels of CAs in a single installation. Build a complete infrastructure, or several, within one instance of EJBCA.

Online Certificate Status Protocol

For certificate validation your have the choice of using X.509 CRLs and OCSP ([https://tools.ietf.org/rfc/rfc6960.txt RFC6960]).

Registration authority

The EJBCA software includes a separate registration authority (RA) front end that can run on the same instance as the CA or distributed as external RAs. Communication between the CA and the RA is only using outgoing network connections to insulate the CA from less trusted networks, where the RA is typically placed.

Multiple algorithms

You can use all common, and some uncommon algorithms in your PKI. RSA, ECDSA and DSA, SHA-1 and SHA-2. Compliant with NSA Suite B Cryptography.

Different certificate formats

EJBCA support both X.509v3 certificates and Card Verifiable certificates (CVC BSI TR-03110). Certificates are compliant with all standards such as [https://tools.ietf.org/rfc/rfc5280.txt RFC5280], CA/Browser Forum, eIDAS, ICAO 9303, EAC 2.10 and ISO 18013 Amendment 2 eDL.

PKCS#11 HSMs

Using the standard PKCS 11 API you can use most PKCS#11 compliant HSMs to protect the CAs’ and OCSP responders’ private keys.

Many integration protocols and APIs

EJBCA was designed with integration in mind. Most standard protocols are supported, CMP, SCEP, EST, and ACME as well as web services. Using integration APIs it is possible to integrate EJBCA as a certificate factory, not exposing its native user interfaces.

High performance and capacity

You can build a PKI with capacity of issuing billions of certificates at a rate of several hundreds per second.

References

Further reading

• Research and application of EJBCA based on J2EE; Liyi Zhang, Qihua Liu and Min Xu; IFIP International Federation for Information Processing Volume 251/2008; {{ISBN|978-0-387-75465-9}}
• Chapter "Securing Connections and Remote Administration" in Hardening Linux; James Turnbull; {{ISBN|978-1-59059-444-5}}
• Exception-Handling Bugs in Java and a Language Extension to Avoid Them; Westley Weimer; Advanced Topics in Exception Handling Techniques Volume 4119/2006; {{ISBN|978-3-540-37443-5}}
• A workflow based architecture for Public Key Infrastructure; Johan Eklund; TRITA-CSC-E 2010:047
• Secret Sharing Framework Based on Digital Certificates; Paul Crocker and Adolfo Peixinho; Proceedings of the 13th European Conference on Cyber Warfare and Security ECCWS-2014; {{ISBN|1910309249}}
• [https://www.sans.org/reading-room/whitepapers/certificates/building-managing-pki-solution-small-medium-size-business-34445 Building and Managing a PKI Solution for Small and Medium Size Business]; Wylie Shanks; SANS Institute InfoSec Reading Room; December 2013
• [https://www.primekey.com/wp-content/uploads/2017/08/post-quantum-algorithms-for-pki.pdf Post-quantum algorithms for digital signing in Public Key Infrastructures]; Mikael Sjöberb; Degree Project in Computer Science and Engineering at KTH, Stockholm, Sweden 2017

External links

• {{official website}}
• [https://sourceforge.net/projects/ejbca/ EJBCA at SourceForge]

• Jake Mason
• Jake Mason (musician)
• Jake Matthews
• Jake Matthews (disambiguation)
• Jake May
• Jake McCandless
• Jake McCarthy
• Jake McElfresh
• Jake McGuire
• Jake McInally
• Jake McIntyre
• Jake McLeod
• Jake McQuaide
• Jake Middleton
• Jake Miller discography
• Jake Miller (rapper)
• Jake Monaco
• Jake Morris
• Jake Morris (hurler)
• Jake Mulraney
• Jake Nerwinski
• Jake Newberry
• Jake Noll
• Jake O'Brien (basketball)
• Jake Oettinger