Keyfactor EJBCA
Keyfactor EJBCA Enterprise is a comprehensive and scalable Public Key Infrastructure (PKI) solution designed for large organizations that require robust security, high availability, and compliance with industry standards like Common Criteria and FIPS. It offers extensive customization and integration options, making it suitable for a variety of use cases, including IoT, DevOps, and enterprise environments.
In contrast, EJBCA Community is an open-source version that provides core PKI functionalities for issuing, managing, and validating digital certificates.
Securosys HSMs & EJBCA
Securosys Primus HSMs and CloudHSM integrate seamlessly with both the Enterprise and Community editions of EJBCA, ensuring the confidentiality and integrity of sensitive cryptographic keys. Organizations seeking to enhance the security of their on-premises or hosted PKI environments can deploy EJBCA together with either Securosys’ on-premises Primus HSMs or the ready-to-use CloudHSM service. The first way to establish this integration is through the legacy PKCS#11 API, by installing the Primus PKCS#11 Provider on the EJBCA host.
In addition to the PKCS#11 API, EJBCA Enterprise (as of version 9.1) also supports the Securosys REST API. This modern integration method enables direct communication with Primus HSMs and the CloudHSM service, eliminating the need for PKCS#11 providers in SaaS and PaaS environments. The Securosys REST API offers a future-ready, streamlined approach to HSM integration, simplifying deployment and management while avoiding the complexity of the PKCS#11 API.
Furthermore, the Securosys REST API supports the NIST-selected post-quantum cryptographic (PQC) algorithms ahead of their PKCS#11 standardization, including ML-DSA, SLH-DSA, ML-KEM, HSS-LMS, and XMSS. It also introduces advanced key protection capabilities via Smart Key Attributes (SKA), which enable multi-party quorum approval mechanisms for enhanced control and governance over key usage.
There are several alternative deployment options available for EJBCA Enterprise, allowing organizations to tailor their PKI deployment to their specific infrastructure and security requirements. Options include, among others:
- EJBCA Cloud – A fully-featured PKI solution available on Azure and AWS, enabling quick and easy setup, configuration, and management directly from the cloud.
- EJBCA Hardware Appliance – A turnkey solution offering the most secure and efficient way to run PKI in your datacenter or at the edge.
- EJBCA Software Appliance – A flexible, software-based deployment that delivers the full capabilities of EJBCA for a wide range of enterprise environments.
Similarly, there are several deployment options available for EJBCA Community, offering flexibility for developers, testers, and organizations exploring open-source PKI solutions. Options include, among others:
- Docker Hub – A lightweight EJBCA Community Docker container available on Docker Hub, designed to simplify and accelerate deployment, allowing you to get up and running quickly.
- EJBCA Container from AWS – A secure, up-to-date, and ready-to-deploy containerized solution available on the AWS Marketplace, making it easy to integrate EJBCA Community into your cloud infrastructure.
- GitHub – Offers access to the latest EJBCA Community release or the full source code via GitHub, where you can report issues, join discussions, and contribute to the ongoing development of the project.
These are just a few of the EJBCA deployment options available. For the most comprehensive and current list, please refer to the Keyfactor website and the EJBCA Community website.
In this integration guide, we will cover both the legacy PKCS#11 API and Securosys REST API integration methods for the standard deployment of the Enterprise and Community editions of EJBCA. For information on integration options specific to other EJBCA deployment variants, please refer to the relevant documentation on the Keyfactor website and the EJBCA Community website.
Target Audience
This document is intended for Securosys Primus HSM or CloudHSM administrators and IT professionals in charge of Keyfactor EJBCA. Installation of the Securosys Primus PKCS#11 Provider requires that you are already familiar with server administration.
For on-premises deployments, administrative skills for operating Securosys Primus HSMs are also required.
Support Contact
If you encounter a problem while installing or configuring the provider or integrating the HSM with Keyfactor EJBCA, make sure that you have read the referenced documentation. If you cannot resolve the issue, please contact Securosys Customer Support. For specific requests regarding Keyfactor EJBCA, the Securosys Support Portal is reachable at https://support.securosys.com.
What's Next
For a smooth start integrating your Keyfactor EJBCA using the Primus PKCS#11 Provider or Securosys REST API:
- Consult the Quickstart section for a comprehensive task listing.
- For detailed instructions, read and follow the Installation section.