EJBCA is an enterprise class PKI Certificate Authority built on J2EE technology. It is a robust, high performance, platform independent, flexible, and component based CA to be used stand-alone or integrated in other J2EE applications.
EJBCA is an enterprise class PKI, meaning that you can use EJBCA to build a complete PKI infrastructure for your organization.
If you only want to issue a few single certificates for testing, there are probably options that will get you started quicker, but if you want a serious PKI we recommend EJBCA.
Here are some key features of "EJBCA":
· Flexible, component based architecture.
· Using standard, high performance RDBMS for storage.
· Multiple CAs and levels of CAs, build a complete infrastructure (or several) within one instance of EJBCA.
· Unlimited number of Root CAs and SubCAs. Request cross certificates and bridge certificates from other CAs and Bridge CAs. Issue cross certificates to other CAs.
· Supports RSA key algorithm up to 4096 bits.
· Supports ECDSA key algorithm with named curves or implicitlyCA.
· Support multiple hash algorithms for signatures, MD5, SHA-1, SHA-256.
· Support for X.509 certificates and Card Verifiable certificates (CVC used by EU EAC ePassports).
· Standalone or integrated in any J2EE application.
· Simple installation and configuration.
· Powerful Web based administration GUI using strong authentication.
· Administration GUI available in several languages - Chinese, English, French, German, Italian, Portuguese, Spanish and Swedish.
· Internal log messages are localizable for different languages.
· Command line administration for scripts etc.
· Web service interface for remote administration and integration.
· Modular API for HSMs. Built in support for nCipher, PrimeCardHSM, Eracom (now SafeNet), SafeNet Luna, Utimaco CryptoServer, AEP Keyper, ARX CoSign and other HSMs with a good PKCS#11 library.
· Supports different architectures; all-in-one, clustered, external RA, external OCSP, etc.
· Individual enrollment or batch production of certificates.
· Server and client certificates can be exported as PKCS12, JKS or PEM.
· Browser enrollment with Netscape, Mozilla, IE, etc.
· Enrollment for other applications through open APIs and tools.
· Enrollment generating complete OpenVPN installers for VPN users.
· Smart card logon certificates.
· Notification system for e-mail notification to users and administrators when a user is added or certificates expire etc.
· Random or manual password for initial user authentication.
· Hard token module for integrating with hard token issuing system (smart cards).
· Multiple levels of administrators with specified privileges and user groups.
· Configurable certificate profiles for different types and contents of certificates.
· Configurable entity profiles for different types of users.
· Supports the Simple Certificate Enrollment Protocol (SCEP).
· Follows X509 and PKIX (RFC3280) standards where applicable.
· Qualified Certificate Statement (RFC3739) for issuing EU/ETSI qualified certificates.
· Supports the Online Certificate Status Protocol (OCSP - RFC2560), including AIA-extension.
· OCSP responder can run integrated with EJBCA or stand alone (clustered) for security, high-performance and high-availability.
· External OCSP also works with any other CA than EJBCA and support large scale OCSP deployments.
· Simple OCSP client in pure java.
· Supports a subset of CMP (RFC4210 and RFC4211).
· Supports synchronous XKMS version 2 requests.
· Revocation and Certificate Revocation Lists (CRLs).
· CRL creation and URL-based CRLDistribution Points according to RFC3280.
· Stores Certificates and CRLs in SQL database, LDAP and/or other custom data source.
· Optional multiple publishers for publishing certificates and CRLs in LDAP or legacy databases. Several flexible standard publishers exist to meet different demands.
· Supports authentication and publishing of certificates to Microsoft Active Directory.
· Autoenrollment for windows clients.
· Component- and plug-in based architecture for publishing certificates and CRLs to different sources.
· Key recovery module to store private keys for recovery for selected users and certificates.
· Advanced log signing of PKI audit logs.
· API for an external RA, restricting in-bound traffic to CA.
· Optional approval mechanism so several admins are required to perform an action, a.k.a. dual-authentication.
· Component based architecture for various authorization methods of entities when issuing certificates.
· Possible to integrate into large java applications for optimal integration into bussiness process.
· Deploys easily in a clustered, high availability environment.
· Health check service to support efficient clustering and monitoring.
· Supports multiple application servers: JBoss, Weblogic, Glassfish, OC4J, Websphere
· Supports multiple databases: Hypersoniq, MySQL, PostgreSQL, Oracle, DB2, MS-SQL, Derby, Sybase, Informix.
What's New in This Release: [ read full changelog ]
New Feature:
· [ECA-2590] - Possibility to only publish revoked certificates to external VA DB
· [ECA-2603] - "unknown is good" changed for some URLs used in the OCSP request.
Bug:
· [ECA-2564] - CMP: Correct the CrmfKeyUpdateTest
· [ECA-2594] - XSS issues
Improvement:
· [ECA-2563] - CMP: clean up CMP tests
· [ECA-2575] - GUI: Administrator groups page headers improvement
· [ECA-2580] - GUI: Improve View CA table layout (rows: header, sections, footer)
· [ECA-2585] - GUI: Change Rename button in all Object lists
Find us on Google+
Universal Binary 
