EJBCA Enterprise

Vendor: Keyfactor
Category: Certificate Authority & PKI Platform
Deployment: On-premises, cloud, or hybrid

Overview

EJBCA Enterprise is a full-featured, highly scalable certificate authority and registration authority platform for building enterprise or IoT PKI. Originally developed by PrimeKey and now part of the Keyfactor portfolio, EJBCA can be deployed on-premises or in cloud environments and supports large-scale deployments requiring certificate issuance for users, servers, devices, and services. It provides the CA infrastructure that organisations need to establish and operate their own trust hierarchies.

Unsung is a Keyfactor Silver Partner with over five years of experience designing and implementing EJBCA environments. We have delivered EJBCA deployments into UK Central Government and enterprise customers, including greenfield PKI design and build projects and migrations from other CA platforms.

The Challenge

Organisations that need to operate their own certificate authority face a fundamental platform decision. Some rely on Microsoft Active Directory Certificate Services, which provides basic CA capabilities but can become limiting as requirements grow beyond standard Windows-integrated use cases. Others need a CA platform that supports high-volume IoT certificate issuance, operates on Linux infrastructure, integrates with non-Microsoft environments, or provides the flexibility to support diverse certificate profiles and enrolment protocols.

Selecting and implementing a CA platform is a significant architectural decision with long-term implications. The chosen platform must support current requirements whilst providing the scalability and flexibility to accommodate future needs, including potential post-quantum cryptography algorithm support and integration with certificate lifecycle management tools.

What It Does

EJBCA Enterprise provides a comprehensive CA and RA platform that supports the full range of PKI use cases. It can operate as a root CA, subordinate CA, or registration authority, and supports multiple CA hierarchies within a single installation. The platform supports a broad range of certificate profiles and enrolment protocols, including ACME, SCEP, EST, CMP, and a REST API, and integrates with HSMs for CA key protection.

EJBCA’s scalability makes it suitable for IoT deployments requiring high-volume certificate issuance, whilst its flexibility supports complex enterprise PKI requirements including custom certificate extensions, validation authority services (OCSP and CRL), and integration with external registration authorities. The platform can be deployed on Linux, in containers, or on cloud infrastructure, and integrates with Keyfactor Command for certificate lifecycle management and Keyfactor SignServer for signing services.

How Unsung Helps

Unsung’s five-year partnership with Keyfactor has given us deep practical experience with EJBCA across a range of deployment scenarios. Our consultants design and build EJBCA environments from initial architecture through to operational handover, including CA hierarchy design, HSM integration, certificate profile configuration, and integration with lifecycle management tooling. Our PKI Design & Build service covers the full implementation lifecycle, whilst our PKI Health Check can assess existing environments to inform migration planning.

Related Unsung Services

PKI Design & Build — End-to-end design and implementation of EJBCA-based PKI environments.

PKI Consultancy — Independent advisory on CA platform selection and PKI architecture.

Hardware Security Modules — HSM deployment and integration for CA key protection.

PKI Management & Hosting — Managed CA operations and ongoing PKI support.

PKI Health Check — Assessment of existing CA environments to inform migration or upgrade.