 |
| ||||
Universal Binary EJBCA is an easy to use, unique PKI Certificate Authority built on J2EE technology. It is platform independent, component based, high performance and robust.
You can use it as standalone or easily integrate it within other applications. You can built a PKI infrastructure with ease just by using EJBCA.
Here are some key features of "EJBCA":
· Flexible, component based architecture.
· Using standard, high performance RDBMS for storage.
· Multiple CAs and levels of CAs, build a complete infrastructure (or several) within one instance of EJBCA.
· Unlimited number of Root CAs and SubCAs. Request cross certificates and bridge certificates from other CAs and Bridge CAs. Issue cross certificates to other CAs.
· Supports RSA key algorithm up to 4096 bits.
· Supports ECDSA key algorithm with named curves or implicitlyCA.
· Support multiple hash algorithms for signatures, MD5, SHA-1, SHA-256.
· Support for X.509 certificates and Card Verifiable certificates (CVC used by EU EAC ePassports).
· Standalone or integrated in any J2EE application.
· Simple installation and configuration.
· Powerful Web based administration GUI using strong authentication.
· Administration GUI available in several languages - Chinese, English, French, German, Italian, Portuguese, Spanish and Swedish.
· Internal log messages are localizable for different languages.
· Command line administration for scripts etc.
· Web service interface for remote administration and integration.
· Modular API for HSMs. Built in support for nCipher, PrimeCardHSM, Eracom (now SafeNet), SafeNet Luna, Utimaco CryptoServer, AEP Keyper, ARX CoSign and other HSMs with a good PKCS#11 library.
· Supports different architectures; all-in-one, clustered, external RA, external OCSP, etc.
· Individual enrollment or batch production of certificates.
· Server and client certificates can be exported as PKCS12, JKS or PEM.
· Browser enrollment with Netscape, Mozilla, IE, etc.
· Enrollment for other applications through open APIs and tools.
· Enrollment generating complete OpenVPN installers for VPN users.
· Smart card logon certificates.
· Notification system for e-mail notification to users and administrators when a user is added or certificates expire etc.
· Random or manual password for initial user authentication.
· Hard token module for integrating with hard token issuing system (smart cards).
· Multiple levels of administrators with specified privileges and user groups.
· Configurable certificate profiles for different types and contents of certificates.
· Configurable entity profiles for different types of users.
· Supports the Simple Certificate Enrollment Protocol (SCEP).
· Follows X509 and PKIX (RFC3280) standards where applicable.
· Qualified Certificate Statement (RFC3739) for issuing EU/ETSI qualified certificates.
· Supports the Online Certificate Status Protocol (OCSP - RFC2560), including AIA-extension.
· OCSP responder can run integrated with EJBCA or stand alone (clustered) for security, high-performance and high-availability.
· External OCSP also works with any other CA than EJBCA and support large scale OCSP deployments.
· Simple OCSP client in pure java.
· Supports a subset of CMP (RFC4210 and RFC4211).
· Supports synchronous XKMS version 2 requests.
· Revocation and Certificate Revocation Lists (CRLs).
· CRL creation and URL-based CRLDistribution Points according to RFC3280.
· Stores Certificates and CRLs in SQL database, LDAP and/or other custom data source.
· Optional multiple publishers for publishing certificates and CRLs in LDAP or legacy databases. Several flexible standard publishers exist to meet different demands.
· Supports authentication and publishing of certificates to Microsoft Active Directory.
· Autoenrollment for windows clients.
· Component- and plug-in based architecture for publishing certificates and CRLs to different sources.
· Key recovery module to store private keys for recovery for selected users and certificates.
· Advanced log signing of PKI audit logs.
· API for an external RA, restricting in-bound traffic to CA.
· Optional approval mechanism so several admins are required to perform an action, a.k.a. dual-authentication.
· Component based architecture for various authorization methods of entities when issuing certificates.
· Possible to integrate into large java applications for optimal integration into bussiness process.
· Deploys easily in a clustered, high availability environment.
· Health check service to support efficient clustering and monitoring.
· Supports multiple application servers: JBoss, Weblogic, Glassfish, OC4J, Websphere
· Supports multiple databases: Hypersoniq, MySQL, PostgreSQL, Oracle, DB2, MS-SQL, Derby, Sybase, Informix.
What's New in This Release: [ read full changelog ]
New Feature:
· [ECA-2705] - OCSP key renewal at absolute times
· [ECA-2706] - Allow Certificate Expiration Notification Service to specify Certificate Profiles
· [ECA-2709] - Publisher for sampling of issued certificates
Improvement:
· [ECA-2069] - Better log message when querying for not existing CA and default responder CA does not exist
· [ECA-2714] - Hide the HARDTOKEN profiles in "Certificate Expiration Checker" configuration if "Issue Hardware Tokens" hasn't been enabled
· [ECA-2724] - When deleting a Certificate Profile, list which end entities/end entity profiles that use it.
Bug:
· [ECA-2077] - OCSP rekeying does not work on JBoss 6.1.0 and JBoss EAP5
· [ECA-2719] - Download of certificates from Admin GUI fails in Chrome when using "strange" usernames
Task:
· [ECA-2625] - Language tool for developers and localizers
