EJBCA

Robust, high performance, platform independent, flexible, and component based CA
EJBCA Ranking & Summary

  • License: LGPL
  • Price: FREE
  • Publisher Name: EJBCA Team
  • Publisher web site: http://www.ejbca.org/
  • Operating Systems: Mac OS X
  • File Size: 45.2 MB

EJBCA Description

EJBCA is an enterprise class PKI Certificate Authority built on J2EE technology. It is a robust, high performance, platform independent, flexible, and component based CA to be used stand-alone or integrated in other J2EE applications. EJBCA is an enterprise class PKI, meaning that you can use EJBCA to build a complete PKI infrastructure for your organization.

If you only want to issue a few single certificates for testing, there are probably options that will get you started quicker, but if you want a serious PKI we recommend EJBCA.

Here are some key features of "EJBCA":

  • Flexible, component based architecture.
  • Using standard, high performance RDBMS for storage.
  • Multiple CAs and levels of CAs, build a complete infrastructure (or several) within one instance of EJBCA.
  • Unlimited number of Root CAs and SubCAs. Request cross certificates and bridge certificates from other CAs and Bridge CAs. Issue cross certificates to other CAs.
  • Supports RSA key algorithm up to 4096 bits.
  • Supports ECDSA key algorithm with named curves or implicitlyCA.
  • Supports multiple hash algorithms for signatures: MD5, SHA-1, SHA-256.
  • Support for X.509 certificates and Card Verifiable certificates (CVC used by EU EAC ePassports).
  • Standalone or integrated in any J2EE application.
  • Simple installation and configuration.
  • Powerful Web based administration GUI using strong authentication.
  • Administration GUI available in several languages: Chinese, English, French, German, Italian, Portuguese, Spanish and Swedish.
  • Internal log messages are localizable for different languages.
  • Command line administration for scripts etc.
  • Web service interface for remote administration and integration.
  • Modular API for HSMs. Built in support for nCipher, PrimeCardHSM, Eracom (now SafeNet), SafeNet Luna, Utimaco CryptoServer, AEP Keyper, ARX CoSign and other HSMs with a good PKCS#11 library.
  • Supports different architectures: all-in-one, clustered, external RA, external OCSP, etc.
  • Individual enrollment or batch production of certificates.
  • Server and client certificates can be exported as PKCS12, JKS or PEM.
  • Browser enrollment with Netscape, Mozilla, IE, etc.
  • Enrollment for other applications through open APIs and tools.
  • Enrollment generating complete OpenVPN installers for VPN users.
  • Smart card logon certificates.
  • Notification system for e-mail notification to users and administrators when a user is added or certificates expire etc.
  • Random or manual password for initial user authentication.
  • Hard token module for integrating with hard token issuing system (smart cards).
  • Multiple levels of administrators with specified privileges and user groups.
  • Configurable certificate profiles for different types and contents of certificates.
  • Configurable entity profiles for different types of users.
  • Supports the Simple Certificate Enrollment Protocol (SCEP).
  • Follows X509 and PKIX (RFC3280) standards where applicable.
  • Qualified Certificate Statement (RFC3739) for issuing EU/ETSI qualified certificates.
  • Supports the Online Certificate Status Protocol (OCSP - RFC2560), including AIA-extension.
  • OCSP responder can run integrated with EJBCA or stand alone (clustered) for security, high-performance and high-availability.
  • External OCSP also works with any other CA than EJBCA and supports large scale OCSP deployments.
  • Simple OCSP client in pure Java.
  • Supports a subset of CMP (RFC4210 and RFC4211).
  • Supports synchronous XKMS version 2 requests.
  • Revocation and Certificate Revocation Lists (CRLs).
  • CRL creation and URL-based CRL Distribution Points according to RFC3280.
  • Stores Certificates and CRLs in SQL database, LDAP and/or other custom data source.
  • Optional multiple publishers for publishing certificates and CRLs in LDAP or legacy databases. Several flexible standard publishers exist to meet different demands.
  • Supports authentication and publishing of certificates to Microsoft Active Directory.
  • Autoenrollment for Windows clients.
  • Component- and plug-in based architecture for publishing certificates and CRLs to different sources.
  • Key recovery module to store private keys for recovery for selected users and certificates.
  • Advanced log signing of PKI audit logs.
  • API for an external RA, restricting in-bound traffic to CA.
  • Optional approval mechanism so several admins are required to perform an action, a.k.a. dual-authentication.
  • Component based architecture for various authorization methods of entities when issuing certificates.
  • Possible to integrate into large Java applications for optimal integration into business process.
  • Deploys easily in a clustered, high availability environment.
  • Health check service to support efficient clustering and monitoring.
  • Supports multiple application servers: JBoss, Weblogic, Glassfish, OC4J, Websphere.
  • Supports multiple databases: Hypersonic, MySQL, PostgreSQL, Oracle, DB2, MS-SQL, Derby, Sybase, Informix.

What's New in This Release:

  • Add street and pseudonym DN attributes.
  • OCSP improvements, RFC 5019, nextUpdate, support for requests using GET, improved configuration and error handling.
  • Correct coding of optional Issuing Distribution Point in CRLs.
  • Possible to publish userPassword in LDAP.
  • A few minor fixes.

  • Add support for nextUpdate, thisUpdate and producedAt in OCSP responses
  • Configurable to use HTTP headers for standalone OCSP
  • Pseudonym as a subject DN attribute
  • Configurable in ExternalOCSPPublisher to only publish certificates with an OCSP URI extension.
  • Create dummy object for TransactionLogger and AuditLogger
  • Default public exponent for lunaHSM.sh should be 65537 (0x1001)
  • Support OCSP by HTTP GET
  • Use info instead of error messages in Standalone OCSP Responder.
  • Add "userPassword" attribute in LDAP publisher
  • Add street DN component
  • Improve handling of invalid requests and streams in OCSP responder
  • Stress Test does not print out no. of failed tests
  • Order certificates in view certificates with newest first
  • Unnecessary signing operations
  • CA-certificate, but no signing key from a CA on the external OCSP generates an Exception
  • CRL Distribution Point in CRLs must be encapsulated into an Issuing Distribution Point
  • Code not thread-safe in certificate-request Servlet
  • Concurrency issue when reloading soft keys for external OCSP responder
  • JCE error on JBoss 5 on some platforms
  • ServiceData cached in bean making synchronization between cluster nodes fail.
  • Wrong encoding of issuer DN on retrieval public web pages
  • Wrong language tag for "Certificate Validity End Time" in viewendentity.jsp
  • Allow comma in directoryName subject alt names
  • CvcRequestMessage not serializable
  • Freshest CRL is lost when creating a new CA

