The Ultimate Guide to Keyfactor EJBCA
EJBCA (Enterprise JavaBeans Certificate Authority) is a mature, open-source PKI (Public Key Infrastructure) platform originally developed by PrimeKey and now maintained by Keyfactor. Released under the LGPL license, EJBCA Community is a flexible, standards-based solution that supports full Certificate Authority (CA), Registration Authority (RA), and Validation Authority (VA) functions. It enables secure certificate issuance, enrollment, revocation, validation, and lifecycle management across virtually any environment—from data centers and cloud infrastructure to IoT devices and mobile ecosystems.
EJBCA is designed with a modular architecture that supports scalable, high-availability deployments and role separation. It’s used globally in high-assurance environments including national identity systems (eID and ePassport), industrial automation, financial services, and enterprise IT.
Keyfactor offers EJBCA in two editions:
- EJBCA Community – A free and open-source version suitable for development, testing, and non-critical internal use.
- EJBCA Enterprise – A fully featured, commercial offering designed for regulated, high-scale, and security-sensitive deployments. It includes enhanced compliance, automation, monitoring, clustering, and support for post-quantum cryptography (PQC).
With platform-agnostic deployment options and extensive integration capabilities, EJBCA provides a future-ready foundation for organizations looking to modernize and scale their certificate infrastructure without vendor lock-in.
Keyfactor EJBCA vs Open‑Source EJBCA (Community Edition)
Keyfactor provides both the basic open source EJBCA Community Edition and the full-featured EJBCA Enterprise. Here is a breakdown of the two:
|
Capability |
EJBCA Community Edition |
EJBCA Enterprise Edition |
|---|---|---|
|
Cost |
Free and open-source (LGPL) |
Commercial license with SLA-backed support |
|
Use Case Fit |
Labs, development, non-critical internal use |
Regulated, production-grade PKI environments |
|
Support |
Community forums only |
24/7 expert support and professional services from Keyfactor |
|
Deployment Options |
Manual or Docker-based install |
SaaS, Cloud (AWS/Azure), Appliance, Software, Container |
|
Security Hardening |
Basic configurations only |
HSM integration, OAuth authentication, key archival, role separation |
|
Scalability & HA |
Limited |
Full clustering, high availability, and geographic redundancy |
|
Audit & Compliance |
No compliance guarantees |
Signed audit logs, config import/export, eIDAS, Common Criteria, ICAO |
|
Enrollment Protocols |
REST, SCEP, CMP, EST (limited features) |
Extended protocol support with policy control and access restrictions |
|
Integration Options |
Limited |
Enterprise system connectors, directory publish, advanced REST/SOAP APIs |
|
Post-Quantum Readiness |
Experimental/Community contributions |
PQC algorithms like LMS/XMSS supported; aligned with NIST PQC guidance |
While EJBCA Community is suitable for basic use cases and non-critical environments, EJBCA Enterprise is purpose-built for organizations that require a scalable, resilient, and compliant PKI platform. Keyfactor’s Enterprise offering includes expert support, automated deployment options, and feature sets required to meet modern cryptographic, regulatory, and operational challenges.
As PKI experts for over 15 years, Accutive Security helps organizations evaluate and select the ideal PKI solution for your environment using our Accutive Security Innovation Lab.
EJBCA Real-World Use Cases
EJBCA Enterprise is deployed globally to secure critical infrastructure and digital ecosystems. It deployed across all industries, with some key use cases including:
- Financial services – Securing transactions, mobile apps, and internal communications with scalable certificate issuance.
- IoT and manufacturing – Enabling device identity and secure firmware updates for connected devices and industrial equipment.
- Enterprise IT – Managing internal TLS, user/device authentication, VPN access, and email security at scale.
- DevOps and cloud – Issuing ephemeral identities for workloads, containers, and service mesh environments.
- National security and identity systems – Powering eID, ePassport, and eGovernment projects with high assurance PKI.
The EJBCA family of solutions provides flexible options that are suitable for the majority of organizations – ranging from SMEs to large multinationals and government entities.
Keyfactor EJBCA Enterprise Deployment Variants
Within Keyfactor Enterprise, there are a wide range of deployment modes, depending on your infrastructure, security, and use cases:
EJBCA SaaS
Fully managed PKI delivered as a service with no infrastructure to manage. Hosted by Keyfactor in secure environments on AWS or Microsoft Azure, this option is ideal for organizations seeking a hands-off PKI experience with high availability, elastic scalability, and strict uptime SLAs.
Key benefits include:
- Self-service administration portal with role-based access
- Automatic scaling and updates with zero downtime
- Bring Your Own Root (BYOR) and dedicated offline root CA support
- Built-in monitoring, logging, and secure segmentation
- SOC 2-compliant infrastructure
Keyfactor SaaS is suitable for fast-growing enterprises, startups / early stage organizations, hybrid IT environments, and organizations without in-house PKI expertise
EJBCA Cloud
Enterprise-grade PKI that you host and manage yourself within your own cloud environment. This deployment model provides full administrative control while taking advantage of the agility and elasticity of AWS or Azure. It allows organizations to align with cloud-first strategies while maintaining PKI sovereignty.
Key benefits include:
- Rapid deployment templates via AWS CloudFormation and Azure ARM
- Seamless integration with cloud-native services (e.g., Azure AD, AWS KMS)
- High availability and fault tolerance through cloud-native tools
- Scalable infrastructure without hardware procurement
EJBCA Cloud is ideal for security-conscious enterprises with existing DevOps teams or cloud-first mandates
EJBCA Appliance (Hardware Appliance)
A fully integrated hardware appliance for high-assurance PKI in regulated or air-gapped environments. The EJBCA Appliance is a plug-and-play solution with pre-installed software, hardened OS, and built-in HSM support. It’s ideal for organizations that need physical control over their PKI and compliance with FIPS 140-2 Level 3, eIDAS, or Common Criteria requirements.
Key benefits include:
- Dedicated physical appliance with embedded HSM (e.g., Thales, Utimaco)
- Tamper-proof enclosure and audit logging
- Easy initial configuration via secure management interface
- Minimal maintenance with long lifecycle support
EJBCA Appliance excels in high security, stringent compliance environments such as the public sector, military, manufacturing, and critical infrastructure providers.
EJBCA Software Appliance
A virtualized, OS-hardened software appliance for turnkey deployment in virtualized data centers. Ideal for organizations that want the benefits of an appliance without the hardware dependency. This form factor delivers the same secure PKI capabilities as the physical appliance but can be deployed on VMware, Hyper-V, or KVM.
Key benefits include:
- Rapid deployment and scalability without physical shipping delays
- Lower total cost of ownership compared to hardware appliances
- Full EJBCA Enterprise feature set, including HSM integration
- Works in both online and offline root/subordinate CA topologies
EJBCA Software is an excellent choice for enterprises standardizing on virtual infrastructure with strict security requirements
EJBCA Container
A DevOps-friendly, containerized deployment model optimized for Kubernetes orchestration. This modern, microservices-based option provides modular components for CA, RA, and VA, each running in its own container and deployable via Helm charts or infrastructure-as-code pipelines.
Key benefits include:
- Scalable and flexible PKI services for modern application stacks
- Seamless integration with CI/CD workflows
- HSM access via sidecar pattern (PKCS#11, REST API)
- Easily combines with other variants—e.g., container-based RA with a SaaS CA
EJBCA Container is ideal for organizations that operate containerized applications, including digital-native companies, DevSecOps teams, and complex hybrid/cloud-native PKI topologies.
Quick Reference Guide to EJBCA Enterprise Options
|
Variant |
Key Advantage |
|---|---|
|
SaaS |
Fully managed, low operational overhead |
|
Cloud |
Complete control with cloud scalability |
|
Hardware Appliance |
Hardened, turnkey PKI with built‑in HSM |
|
Software Appliance |
Flexible, on‑prem turnkey deployment |
|
Container |
DevOps‑friendly, scalable, Kubernetes‑ready |
EJBCA vs Microsoft Certificate Authority (MSCA)
While Microsoft Certificate Services (MSCA) remains widely deployed in enterprise environments, its limitations have become increasingly apparent as organizations face evolving requirements around scalability, automation, cloud adoption, and post-quantum cryptography. In contrast, EJBCA Enterprise provides a modern, standards-based, and cloud-ready PKI platform designed to meet today’s demands.
Feature Comparison: EJBCA vs MSCA
|
Capability |
EJBCA Enterprise |
Microsoft CA (MSCA) |
|---|---|---|
|
Cross-Domain / Multi-Forest Support |
Full support for multiple domains and forests under one CA |
Requires complex trust configurations or multiple CAs |
|
Post-Quantum Cryptography (PQC) |
Supports LMS/XMSS (NIST candidates) for PQC readiness |
No native support for PQC algorithms |
|
Cloud Deployment Options |
SaaS, Cloud-native (AWS, Azure), Container, Appliance |
On-prem only; complex to adapt for cloud environments |
|
Enrollment Protocols |
REST, ACME, CMP, EST, SCEP |
SCEP only (limited and outdated) |
|
Automation & DevOps Integration |
API-first, container-ready, integrates with CI/CD pipelines |
Manual processes; no native DevOps support |
|
HSM & KMS Support |
Native integration with HSMs (PKCS#11), Cloud HSMs, and KMS APIs |
Supported via CSPs, but with limited flexibility |
|
Audit & Compliance |
Signed audit logs, role-based separation, standards compliance |
Basic Windows Event Logging; no signed audit trail |
|
Scalability & High Availability |
Clustering, distributed RA/VA architecture, stateless scaling |
Limited scalability; not HA by design |
Real-World Feedback
Feedback from PKI professionals reflects these limitations:
“EJBCA is a drop‑in replacement for Microsoft use cases … supports multiple forests with the same CA.”
“There are no PQC [post‑quantum cryptographic] features in MSCA … EJBCA has provided PQC with soft tokens in the community and enterprise versions.”
“EJBCA … is a lifetime ahead of Microsoft.”
— Source: r/PKI on Reddit
Why EJBCA is the Superior Long-Term Choice to MSCA
As enterprises modernize their infrastructure, embrace hybrid and multi-cloud environments, and prepare for the post-quantum era, the architectural limitations of MSCA become a liability. EJBCA is more advanced than Microsoft’s PKI in virtually all aspects including:
- Cryptographic agility and quantum readiness (PQC support, ECC, RSA)
- Cloud-native deployment options
- Protocol and automation support
- Cross-domain flexibility
- Compliance-ready audit logging
With over 15 years of PKI deployment and integration experience, Accutive Security helps organizations plan and execute seamless migrations from MSCA to EJBCA Enterprise. Our team ensures business continuity, policy alignment, and smooth integration with existing directories, systems, and HSMs—whether you’re operating on-prem, in the cloud, or in a hybrid environment.
Implementing EJBCA
Implementing EJBCA requires more than simply deploying certificate services—it demands strategic planning, secure architecture, policy alignment, and operational readiness. Accutive Security brings over 15 years of PKI experience to help organizations design and deploy EJBCA in a way that is scalable, compliant, and resilient.
Define Use Cases and Requirements
Begin by identifying your core objectives and use cases:
- Internal PKI for device, user, or server authentication
- TLS certificate issuance for public and internal services
- Code signing or document signing
- IoT or mobile device identity
- Service mesh/mTLS and DevOps pipelines
Select the Right Edition and Deployment Model
As highlighted above, EJBCA is offered in a basic open source edition and an advanced enterprise platform with a number of flexible deployment models based on your needs.
- EJBCA Community: Ideal for testing and internal non-critical applications.
- EJBCA Enterprise: Required for regulated, production-grade deployments with compliance, audit, and clustering needs.
- Deployment options: SaaS, cloud-hosted (AWS, Azure), hardware appliance, software appliance, or containerized via Kubernetes.
Plan Secure Architecture
- Implement an offline root CA with one or more online issuing/subordinate CAs.
- Segment RA and VA services from the CA to isolate trust zones and limit exposure.
- Recommended: Integrate an HSM (on-prem or cloud-based) for secure key storage and FIPS-level compliance.
Configure Certificate Policies
- Define certificate profiles, end entity roles, validity periods, key lengths, and renewal rules.
- Enable protocol-specific enrollment paths (e.g., ACME for automation, SCEP or EST for devices).
- Enforce RBAC policies for administration and certificate issuance control.
Validate and Test
- Perform functional testing for certificate issuance, revocation, and renewal.
- Simulate failure recovery scenarios (e.g., CA or HSM outage).
- Review and validate audit logs and access controls before moving to production.
Monitor, Backup, and Optimize
- Enable clustering and high-availability configurations for CA/RA/VA.
- Establish robust backup, recovery, and key archival policies.
- Integrate monitoring tools and log forwarders to ensure ongoing visibility and performance.
Accutive Security provides complete implementation support: from initial assessment and design to configuration, testing, automation and ongoing managed services.
EJBCA Migration
Modernizing or scaling your PKI shouldn’t require starting from scratch. Whether you’re running EJBCA Community or a legacy certificate authority like Microsoft CA or Let’s Encrypt, migrating to EJBCA Enterprise is a well-documented and supported process.
Migration from EJBCA Community to EJBCA Enterprise
For organizations already using EJBCA Community, the transition to Enterprise is straightforward and virtually disruption-freee. Keyfactor has developed migration tools and guides that ensure a smooth upgrade path while preserving your existing:
- Certificate Authority (CA) hierarchy
- Certificate profiles and templates
- Certificate revocation lists (CRLs) and OCSP responders
- Identity and enrollment configurations
- Role-based access controls and administrative users
With EJBCA’s configuration export/import capabilities, the transition is as much about enhancing capabilities as it is about maintaining continuity. Once upgraded to Enterprise, organizations immediately gain access to:
- Advanced audit logging and reporting
- Enterprise-grade clustering and HA
- Secure CA/RA/VA segmentation
- Native HSM support and key archival
- Compliance with eIDAS, Common Criteria, and ICAO
- Support for post-quantum algorithms (e.g., LMS/XMSS)
Migration from Other PKI Solutions to EJBCA Enterprise
Organizations increasingly migrate to EJBCA Enterprise from legacy PKI systems such as Microsoft Certificate Services (MSCA), Let’s Encrypt, or custom OpenSSL-based toolchains to gain scalability, automation, and compliance.
Common drivers for migration that we see from our clients include:
- Limited automation and scalability in MSCA
- Lack of internal certificate support with Let’s Encrypt
- Manual processes and governance gaps in custom PKI stacks
- Costly licensing and vendor lock-in with legacy commercial CAs
When moving to EJBCA Enterprise, we built out your migration plan using a proven path that includes:
- Importing existing root and intermediate CAs
- Mapping certificate templates and policies
- Reissuing certificates using automated enrollment protocols (REST, EST, SCEP, ACME)
- Integrating HSMs and external systems via API
- Establishing secure OCSP/CRL validation and audit logging
Accutive Security provides EJBCA migration services, validating configurations in a sandbox environment before switching production systems with the goal of zero service disruption during your upgrade.
Integrating and Automating EJBCA
EJBCA is designed with integration and automation in mind, enabling organizations to embed PKI into their existing infrastructure, DevOps pipelines, and IT workflows with ease.
EJBCA Integration Capabilities
EJBCA integrates seamlessly into your existing IT ecosystem, enabling centralized PKI management across identity infrastructure, logging environments, key management systems, and service meshes.
- Identity systems: Integrate with Active Directory or LDAP to automate certificate issuance tied to user and device identities—supporting seamless onboarding and lifecycle control.
- SIEM and log aggregation: Forward signed logs to Splunk, ELK Stack, or cloud-native log services to support centralized security monitoring, forensic analysis, and compliance auditing.
- Key Management: Interface with on-prem or cloud HSMs (e.g., AWS CloudHSM, Azure Key Vault, Fortanix) via PKCS#11 or REST to securely generate, store, and manage cryptographic keys with FIPS-compliant protection.
- Service mesh support: Use EJBCA to issue short-lived certificates for mutual TLS in service meshes like Istio, Envoy, or Linkerd—enabling secure microservice communication in distributed environments.
EJBCA Automation Features
EJBCA’s protocol support and automation interfaces streamline certificate lifecycle operations across complex environments, reducing manual overhead and increasing scalability.
- REST and SOAP APIs: Automate all aspects of certificate lifecycle management—including issuance, revocation, renewal, and profile administration—through robust, standards-compliant APIs.
- Enrollment protocols: Support for ACME, EST, CMP, and SCEP enables automated provisioning for a broad range of clients, devices, and applications—ensuring cryptographic coverage across legacy and modern systems.
- Kubernetes integration: Use cert-manager with EJBCA to deliver automated TLS provisioning for Kubernetes workloads, enabling secure pod communication and dynamic service registration.
- Infrastructure as Code: Automate deployment and configuration of EJBCA using tools like Ansible, Terraform, or Helm to ensure consistent, repeatable builds in DevOps and hybrid environments.
DevOps and CI/CD Integration
Modern PKI must integrate with DevOps workflows to secure everything from build pipelines to container runtimes—EJBCA delivers on this with agility and control.
- CI/CD pipeline integration: Seamlessly embed certificate issuance and revocation into CI/CD pipelines using GitHub Actions, GitLab CI, or Jenkins—enabling secure automation for applications and infrastructure.
- Code signing automation: Automate code signing or secure software delivery processes using trusted enterprise policies to protect software integrity and prevent tampering.
- Ephemeral certificate provisioning: Provision short-lived certificates for containers, ephemeral workloads, and zero-trust architectures—enhancing security while minimizing operational risk.
With expert guidance, EJBCA is seamlessly integrated into your infrastructure as a powerful, automated foundation for enterprise-grade identity, authentication, and trust.
Choosing Your PKI Partner
Implementing PKI at enterprise scale requires expertise beyond software deployment. Accutive Security helps organizations maximize the value of EJBCA and other PKI platforms with services that include:
- PKI Assessments – Evaluating your current environment and identifying modernization opportunities.
- PKI Design & Implementation – Architecting secure root and issuing CA hierarchies, with HA and compliance built-in.
- PKI Migration Services – Moving from Microsoft CA, EJBCA Community, or other PKI solutions without disruption.
- PKI Automation & Integration – Embedding PKI into DevOps, Kubernetes, and ITSM workflows for hands-off lifecycle management.
- Managed Services for EJBCA and beyond– Ongoing PKI operations, monitoring, and compliance reporting to reduce operational burden.
With Accutive Security’s Innovation Lab, you can easily build proof of concepts (POCs) and demo various leading PKI solutions, including EJBCA Enterprise.
Kicking Off Your EJBCA Journey
As your organization faces challenges on multiple fronts including the need for digital transformation, capitalizing on the AI opportunity, meeting more stringent regulatory compliance demands, and the looming post-quantum cryptographic transition, the limitations of legacy PKI solutions become clear. Keyfactor EJBCA Enterprise provides the flexibility, scalability, and cryptographic agility required to meet these challenges head-on.
- Compared to open-source EJBCA Community, the Enterprise edition delivers the operational readiness, automation, and compliance features needed for mission-critical environments.
- Against Microsoft CA, EJBCA demonstrates clear advantages in scalability, DevOps integration, multi-cloud readiness, and PQC preparedness.
- With multiple deployment variants, including SaaS, Cloud, Appliance, Software, and Container, EJBCA adapts to virtually any IT strategy.
For organizations modernizing PKI or replacing outdated CA systems, EJBCA Enterprise represents a superior long-term choice. Leveraging Accutive Security as your team of PKI experts, you gain a trusted advisor with more than 15 years of experience delivering enterprise-grade PKI solutions.
Comment