Built on the J2EE 1.3 (EJB 2.0) specification.

• Flexible, component based architecture.


• Multiple CAs and levels of CAs, build a complete infrastructure (or several) within one instance of EJBCA.


• Supports RSA key algorithm up to 4096 bits.


• Supports ECDSA key algorithm with named curves or implicitlyCA.


• Support multiple hash algorithms for signatures, MD5, SHA-1, SHA-256.


• Standalone or integrated in any J2EE application.


• Simple installation and configuration.


• Powerful Web based administration GUI using strong authentication.


• Administration GUI available in several languages - english, french, italian, spanish, swedish and chinese.


• Internal log messages are localizable for different languages.


• Command line administration for scripts etc.


• Web service interface for remote administration and integration.


• Modular API for HSMs. Built in support for nCipher, PrimeCardHSM, Eracom (now SafeNet), SafeNet Luna, Utimaco CryptoServer and other HSMs with a good PKCS#11 library.


• Supports different architectures; all-in-one, clustered, external RA, external OCSP, etc.


• Individual enrollment or batch production of certificates.


• Server and client certificates can be exported as PKCS12, JKS or PEM.


• Browser enrollment with Netscape, Mozilla, IE, etc.


• Enrollment for other applications through open APIs and tools.


• Enrollment generating complete OpenVPN installers for VPN users.


• Smart card logon certificates.


• E-mail notification to new users added by RA.


• Random or manual password for initial user authentication.


• Hard token module for integrating with hard token issuing system (smart cards).


• Multiple levels of administrators with specified privileges and user groups.


• Configurable certificate profiles for different types and contents of certificates.


• Configurable entity profiles for different types of users.


• Supports the Simple Certificate Enrollment Protocol (SCEP).


• Follows X509 and PKIX (RFC3280) standards where applicable.


• Qualified Certificate Statement (RFC3739) for issuing EU/ETSI qualified certificates.


• Supports the Online Certificate Status Protocol (OCSP - RFC2560), including AIA-extension.


• OCSP responder can run integrated with EJBCA or stand alone (clustered) for security, high-performance and high-availability.


• Simple OCSP client in pure java.


• Supports a subset of CMP (RFC4210 and RFC4211).


• Supports synchronious XKMS version 2 requests.


• Revocation and Certificate Revocation Lists (CRLs).


• CRL creation and URL-based CRLDistribution Points according to RFC3280. Stores Certificates and CRLs in SQL database, LDAP and/or other custom data source.


• Optional multiple publishers for publishing certificates and CRLs in LDAP. Several flexible standard publishers exist to meet different demands.


• Supports authentication and publishing of certificates to Microsoft Active Directory.


• Component based architecture for publishing certificates and CRLs to different sources.


• Key recovery module to store private keys for recovery for selected users and certificates.


• API for an external RA, restricting inbound traffic to CA.


• Optional approval mechanism for RA so several admins are required to perform an action.


• Component based architecture for various authorization methods of entities when issuing certificates.


• Possible to integrate into large java applications for optimal integration into bussiness process.


• Deploys easily in a clustered high availability environment.


• Health check service to support efficient clustering and monitoring.


• Supports multiple application servers: JBoss, Weblogic, Glassfish


• Supports multiple databases: Hypersoniq, MySQL, PostgreSQL, Orcale, MS-SQL2000, Derby, Informix.