EJBCA is an enterprise class PKI Certificate Authority built on J2EE technology. It is a robust, high performance, platform independent, flexible, and component based CA to be used standalone or integrated in other J2EE applications.

Features

Built on the J2EE 1.3 (EJB 2.0) specification.

  • Flexible, component based architecture.
  • Using standard, high performance RDBMS for storage.
  • Multiple CAs and levels of CAs, build a complete infrastructure (or several) within one instance of EJBCA.
  • Unlimited number of Root CAs and SubCAs. Request cross certificates and bridge certificates from other CAs and Bridge CAs. Issue cross certificates to other CAs.
  • Supports RSA key algorithm up to 4096 bits.
  • Supports ECDSA key algorithm with named curves or implicitlyCA.
  • Support multiple hash algorithms for signatures, MD5, SHA-1, SHA-256.
  • Support for X.509 certificates and Card Verifiable certificates (CVC used by EU EAC ePassports).
  • Standalone or integrated in any J2EE application.
  • Simple installation and configuration.
  • Powerful Web based administration GUI using strong authentication.
  • Administration GUI available in several languages – Chinese, English, French, German, Italian, Portuguese, Spanish and Swedish.
  • Internal log messages are localizable for different languages.
  • Command line administration for scripts etc.
  • Web service interface for remote administration and integration.
  • Modular API for HSMs. Built in support for nCipher, PrimeCardHSM, Eracom (now SafeNet), SafeNet Luna, Utimaco CryptoServer, AEP Keyper, ARX CoSign and other HSMs with a good PKCS#11 library.
  • Supports different architectures; all-in-one, clustered, external RA, external OCSP, etc.
  • Individual enrollment or batch production of certificates.
  • Server and client certificates can be exported as PKCS12, JKS or PEM.
  • Browser enrollment with Netscape, Mozilla, IE, etc.
  • Enrollment for other applications through open APIs and tools.
  • Enrollment generating complete OpenVPN installers for VPN users.
  • Smart card logon certificates.
  • Notification system for e-mail notification to users and administrators when a user is added or certificates expire etc.
  • Random or manual password for initial user authentication.
  • Hard token module for integrating with hard token issuing system (smart cards).
  • Multiple levels of administrators with specified privileges and user groups.
  • Configurable certificate profiles for different types and contents of certificates.
  • Configurable entity profiles for different types of users.
  • Supports the Simple Certificate Enrollment Protocol (SCEP).
  • Follows X509 and PKIX (RFC3280) standards where applicable.
  • Qualified Certificate Statement (RFC3739) for issuing EU/ETSI qualified certificates.
  • Supports the Online Certificate Status Protocol (OCSP – RFC2560), including AIA-extension.
  • OCSP responder can run integrated with EJBCA or stand alone (clustered) for security, high-performance and high-availability.
  • External OCSP also works with any other CA than EJBCA and support large scale OCSP deployments.
  • Simple OCSP client in pure java.
  • Supports a subset of CMP (RFC4210 and RFC4211).
  • Supports synchronous XKMS version 2 requests.
  • Revocation and Certificate Revocation Lists (CRLs).
  • CRL creation and URL-based CRLDistribution Points according to RFC3280.
  • Stores Certificates and CRLs in SQL database, LDAP and/or other custom data source.
  • Optional multiple publishers for publishing certificates and CRLs in LDAP or legacy databases. Several flexible standard publishers exist to meet different demands.
  • Supports authentication and publishing of certificates to Microsoft Active Directory.
  • Autoenrollment for windows clients.
  • Component- and plug-in based architecture for publishing certificates and CRLs to different sources.
  • Key recovery module to store private keys for recovery for selected users and certificates.
  • Advanced log signing of PKI audit logs.
  • API for an external RA, restricting in-bound traffic to CA.
  • Optional approval mechanism so several admins are required to perform an action, a.k.a. dual-authentication.
  • Component based architecture for various authorization methods of entities when issuing certificates.
  • Possible to integrate into large java applications for optimal integration into bussiness process.
  • Deploys easily in a clustered, high availability environment.
  • Health check service to support efficient clustering and monitoring.
  • Supports multiple application servers: JBoss, Weblogic, Glassfish, OC4J, Websphere
  • Supports multiple databases: Hypersoniq, MySQL, PostgreSQL, Oracle, DB2, MS-SQL, Derby, Sybase, Informix.

Wikipedia Link

EJBCA Hope Page