Certificate Management for large scale of business
Simply the best PKI
The certificate management in EJBCA Enterprise is realized through rich Certificate Authority services. The CA services implemented in EJBCA cover all areas of PKI use known to us, and PrimeKey intends to keep this state-of-the-art position. Almost certainly, EJBCA is the best PKI in the world.
Internet-of-Things scale of business
EJBCA runs on the Java EE platform and is designed to be platform independent, flexible and robust. Essentially, your EJBCA is ready for Internet-of-Things scale of business, or simply put, large-scale business. Scalability and performance grow as you add nodes or add or upgrade your hardware. Our customers run their business-critical, round-the-clock, worldwide, complex PKIs that grow as their business grows, with no downtime. We are very proud of that.
One CA, to several CAs or even to several PKIs
Typically, our customers reach out to us with one or a few specific business cases that require the use of PKI. EJBCA supports importing an external root and superordinate certificates, allowing for dedicated issuance services when needed. However, after a while you will see the real strength of EJBCA: within a single deployment of EJBCA, your organization can run multiple CAs, and in fact multiple PKI hierarchies, each with multiple associated Certificate Authorities. Each CA can have its own administrator groups. Not only will you achieve centralized and streamlined management, but also a reduction in resource needs and reuse of your investment.
Traditional Registration Authority services were provided through a fat client, locked to specific licensed machines and particular platforms. EJBCA does this in a much better way. The RA services in EJBCA are accessible through a browser interface, giving you flexibility in how your RA administrators perform their work. Moreover, EJBCA implements a variety of security protocols that deliver automated RA functions. If you need a specialized and integrated RA that is tied to your business processes, with EJBCA you use the WS API to, for instance, register your subscribers or customers as part of the business process. Automation is the key, and the traditional approach does not work for modern environments.
There are two profile types (or templates): the certificate profile and the end-entity profile. The certificate profile is primarily used for policy enforcement, while the end-entity profile controls what user- or device-specific information goes into the certificates. Together, these two profiles manage all types of certificates you can issue from EJBCA. An additional benefit is that you get simplified workflows for enforced policies. EJBCA comes with built-in profiles for typical cases, such as SSL, authentication and code signing.
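To make the split between the two profile types concrete, here is an added toy model (written for this page, not EJBCA's own code or configuration format) in which a certificate profile enforces policy and an end-entity profile constrains the identity data, and a request is issuable only when it passes both. The profile names, field names, sample profiles and request structure are constructed for the example.

```python
"""Toy model of the certificate-profile / end-entity-profile split.

Added example, not EJBCA code.  The certificate profile enforces policy
(permitted key usages, extended key usages, maximum validity); the
end-entity profile controls which subject fields a user or device may
supply, which are mandatory, and which are pinned to a fixed value.
Profile contents, field names and the request format are constructed for
this example and do not reflect EJBCA's real configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertificateProfile:
    name: str
    allowed_key_usages: frozenset
    allowed_ekus: frozenset
    max_validity_days: int


@dataclass(frozen=True)
class EndEntityProfile:
    name: str
    certificate_profile: str            # policy profile this entity type may use
    required_subject_fields: frozenset
    allowed_subject_fields: frozenset
    fixed_subject_values: dict          # e.g. O pinned to the organisation name


@dataclass
class CertRequest:
    end_entity_profile: str
    subject: dict
    key_usages: frozenset
    ekus: frozenset
    validity_days: int


# Constructed sample profiles (hypothetical values).
TLS_SERVER = CertificateProfile(
    "TLS-Server", frozenset({"digitalSignature", "keyEncipherment"}),
    frozenset({"serverAuth"}), 398)
CODE_SIGNING = CertificateProfile(
    "Code-Signing", frozenset({"digitalSignature"}),
    frozenset({"codeSigning"}), 365)
WEB_SERVERS = EndEntityProfile(
    "Web-Servers", "TLS-Server", frozenset({"CN", "O"}),
    frozenset({"CN", "O", "OU"}), {"O": "Example Corp"})

CERT_PROFILES = {p.name: p for p in (TLS_SERVER, CODE_SIGNING)}
EE_PROFILES = {WEB_SERVERS.name: WEB_SERVERS}


def check_policy(profile, req):
    """Certificate-profile checks: what the CA is willing to put in a certificate."""
    errors = []
    for ku in sorted(req.key_usages - profile.allowed_key_usages):
        errors.append(f"key usage {ku} not permitted by {profile.name}")
    for eku in sorted(req.ekus - profile.allowed_ekus):
        errors.append(f"extended key usage {eku} not permitted by {profile.name}")
    if req.validity_days > profile.max_validity_days:
        errors.append(f"validity {req.validity_days}d exceeds "
                      f"{profile.max_validity_days}d allowed by {profile.name}")
    return errors


def check_identity(profile, req):
    """End-entity-profile checks: which subject data this entity may supply."""
    errors = []
    supplied = set(req.subject)
    for name in sorted(profile.required_subject_fields - supplied):
        errors.append(f"missing required subject field {name}")
    for name in sorted(supplied - profile.allowed_subject_fields):
        errors.append(f"subject field {name} not allowed by {profile.name}")
    for name, value in profile.fixed_subject_values.items():
        if name in req.subject and req.subject[name] != value:
            errors.append(f"subject field {name} must be {value!r}")
    return errors


def validate_request(req):
    """Apply both profiles; an empty list means the request may be issued."""
    ee = EE_PROFILES.get(req.end_entity_profile)
    if ee is None:
        return [f"unknown end-entity profile {req.end_entity_profile}"]
    cp = CERT_PROFILES[ee.certificate_profile]
    return check_policy(cp, req) + check_identity(ee, req)


if __name__ == "__main__":
    req = CertRequest("Web-Servers", {"CN": "www.example.com", "O": "Example Corp"},
                      frozenset({"digitalSignature", "keyEncipherment"}),
                      frozenset({"serverAuth"}), 365)
    print(validate_request(req) or "request conforms to both profiles")
```

The point of the split is visible in the two check functions: the policy side never looks at who the subject is, and the identity side never looks at key usage or validity, so each can be changed (or delegated to a different administrator group) without touching the other.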
Fine tuned privileges
Different human administrators of EJBCA are granted corresponding privileges to access and operate EJBCA, including typical roles such as CA and RA operators, but you can also fine-tune these at the level of specific events. All administrators are issued a certificate by the built-in Management CA and must use this certificate to authenticate to the EJBCA installation.
Log and Audit
All security events are stored in a cryptographically protected audit log. This is a feature we brought in for the Common Criteria EAL 4+ certification, but with EJBCA it comes in handy in some additional ways. For instance, you can have an administrator who only has privileges to view the logs; you can export and file logs to create a foundation for your billing system, or to analyze performance or other metrics.
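The page does not say which construction EJBCA uses for its protected audit log, so the following is an added illustration of one standard way to get the property "edits and deletions are detectable": each record carries a MAC over its contents plus the MAC of the previous record, forming a chain. It is not EJBCA's code; the key, event fields and sample events are constructed, and the `count_events` helper shows the billing/metrics use mentioned above.

```python
"""Hash-chained, HMAC-protected audit log.

Added example, not EJBCA code.  Every record carries the MAC of the
previous record, so editing, deleting or reordering an entry breaks the
chain and is detected on verification.  Truncating the tail of the log is
only detectable against an out-of-band anchor (the last MAC recorded
elsewhere), which verify_log accepts as an optional argument.  The MAC key,
event fields and sample events below are constructed for the example.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used by the first record

# Constructed sample events (hypothetical CA names, admins and serials).
SAMPLE_EVENTS = [
    {"type": "CERT_ISSUE", "ca": "ServerCA", "admin": "ra-op-1", "serial": "01"},
    {"type": "CERT_ISSUE", "ca": "ServerCA", "admin": "ra-op-2", "serial": "02"},
    {"type": "CERT_REVOKE", "ca": "ServerCA", "admin": "ra-op-1", "serial": "01"},
    {"type": "CERT_ISSUE", "ca": "DeviceCA", "admin": "ra-op-1", "serial": "03"},
]


def _canonical(seq, prev, event):
    """Deterministic serialization so writer and verifier MAC identical bytes."""
    return json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()


def append_event(log, key, event):
    """Append one audit record, chained to the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    mac = hmac.new(key, _canonical(seq, prev, event), hashlib.sha256).hexdigest()
    log.append({"seq": seq, "prev": prev, "event": event, "mac": mac})
    return log[-1]


def verify_log(log, key, anchor=None):
    """Return (ok, index, reason); index is the first bad record or the length."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            return (False, i, "sequence gap")      # record deleted or reordered
        if rec["prev"] != expected_prev:
            return (False, i, "chain broken")      # record replaced or re-chained
        expected = hmac.new(key, _canonical(rec["seq"], rec["prev"], rec["event"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return (False, i, "mac mismatch")      # contents edited, or wrong key
        expected_prev = rec["mac"]
    # A chain can be silently cut at the end; compare the tail to an anchor
    # stored outside the log (e.g. written to a separate system on each flush).
    if anchor is not None and expected_prev != anchor:
        return (False, len(log), "truncated")
    return (True, len(log), "ok")


def build_sample_log(key):
    log = []
    for ev in SAMPLE_EVENTS:
        append_event(log, key, ev)
    return log


def tamper_event(log, index, field, value):
    """Copy of the log with one event field edited (simulated insider edit)."""
    bad = copy.deepcopy(log)
    bad[index]["event"][field] = value
    return bad


def delete_record(log, index):
    """Copy of the log with one record removed."""
    return copy.deepcopy(log[:index] + log[index + 1:])


def count_events(log, field):
    """Aggregate a verified log for billing or metrics, e.g. issuances per CA."""
    counts = {}
    for rec in log:
        counts[rec["event"][field]] = counts.get(rec["event"][field], 0) + 1
    return counts


if __name__ == "__main__":
    key = b"constructed-demo-key"
    log = build_sample_log(key)
    print(verify_log(log, key), count_events(log, "ca"))
    print(verify_log(tamper_event(log, 1, "admin", "someone-else"), key))
```

A log-only administrator, as described above, needs the verification key (or a signature verification key, in a signed variant) but no write access; keeping the MAC key away from the operators whose actions are being recorded is what makes the log evidence rather than just a record.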
HSMs and management
Hardware Security Modules (HSMs) are dedicated hardware devices used to protect a CA's issuing keys. EJBCA can talk to any HSM with decent PKCS#11 support, and all leading manufacturers provide this interface. EJBCA has a Token Management function that is used for key life cycle management, but also lets you, say, add more HSMs to scale up performance, or gain redundancy for your business-critical deployment.
Built-in or external validation service
With EJBCA Enterprise, certificate validation is handled either through CRLs or through online validation. Both services run from your EJBCA deployment, and you can naturally publish CRLs to other distribution points. For situations where the validation service needs to be placed in a separate network, additional instances of EJBCA can run as validation-service-only.
Protocols and integration
PrimeKey continuously adds new features to EJBCA Enterprise, including support for various protocols that make use of CA services such as CMP or SCEP. Our customers integrate EJBCA in all types of businesses – financial institutions, cloud providers, telecom operators, and governmental institutions.
Peer Connectors are a powerful feature that brings the next level of control over complex PKI deployments from the central EJBCA deployment. For instance, running through a secure encrypted tunnel, real-time revocation information is pushed out to external validation instances. In a similar fashion, the certificate life cycle of external validation authorities is controlled.