EJBCA Registration Authority

As the EJBCA CA’s face to the world, the EJBCA RA not only provides an attractive user experience and endpoints for enrollment protocols and EJBCA’s APIs, but also adds another layer of security, both as protection against external threats and as separation between tenants.


A sophisticated toolbox for certificate enrollment


Adaptability and dynamism are basic elements of the EJBCA RA design, with deployment options that can be tailored to any use case and authority that can be delegated to where it’s needed.

Infinitely scalable

The EJBCA RA is deployed and used worldwide and, like the rest of the EJBCA ecosystem, is best-in-breed in terms of volumes and throughput. Its architecture is designed to be deployable in multiple mediums and to make the best use of geographic locality.



All communication between EJBCA nodes is secured through mutually authenticated TLS. Additionally, EJBCA’s sophisticated system of access rules provides not only complete segregation between tenants with dedicated RA instances but also damage mitigation in case of an external attack.

Features of EJBCA Registration Authority

EJBCA allows enrollment of certificates through any means, either by submitting a client-generated public key as part of a Certificate Signing Request (CSR) or through key generation on the CA. In the latter case, EJBCA also supports key archiving and recovery, including generating and storing the key pair on the RA instead of the CA.


Diverse enrollment methods

EJBCA supports the most commonly used enrollment protocols, including ACME, CMP (+3GPP), EST, SCEP, Intune and Microsoft Auto-Enrollment. In addition, EJBCA provides its own SOAP and REST APIs, and an intuitive and customizable user interface. All of these enrollment methods can be proxied through the EJBCA RA, limiting the CA’s surface to the outside world.


Sophisticated rights management and delegation

The EJBCA RA receives all authentication and authorization rules delegated to it by the CA, limiting the exposure of sensitive operations and information to a minimum. In addition, users trusted to operate on only the RA can be given limited autonomy to enroll, approve requests and even empower other users. 


Scalability and high availability

The EJBCA RA is stateless, meaning that once authenticated to the CA, no data is stored locally unless specified. This allows the EJBCA RA to be clustered and scaled up on demand to adapt to any need, handle any volume of traffic by load balancing across parallel instances, and provide minimum latency through locality.


Secure by Design

Using PrimeKey’s proprietary Peers Protocol, the CA is not only kept secluded from the outside world by the RA, but can also be placed behind a firewall allowing only outgoing connections. The connection between the CA and RA is protected by mutually authenticated TLS to thwart any attempts at eavesdropping or malicious interference, and its management is completely automated from within EJBCA.

EJBCA deployment options

To account for the unique business challenges of your organization, including security, budget and the availability of internal resources, PrimeKey offers a combination of deployment options to suit your needs today and allow you to grow flexibly over time. 


Software Appliance

Deploy your PKI in your own data center using your native virtualization resources. Select the HSM and the appliance model that best suit your needs.



Hardware Appliance

Select the EJBCA Hardware Appliance when you are looking for an on-premises PKI-in-a-box solution. EJBCA Hardware Appliance is a hardened, high-performance server that comes with the complete hardware and software stack and an HSM. 




Enjoy rapid deployment with PKI in a public cloud, with no hardware to purchase and maintain or any upfront software license costs. Our cloud-based PKI solutions are available in AWS and Azure.



EJBCA Software as a Service

If you are looking for a fully hosted and managed PKI solution, then EJBCA SaaS is your choice. It helps limit deployment risks and increase your speed to market.


Do you need a hybrid deployment? 

Do you want to combine on-premises and cloud? Or do you need help to find the best deployment option for your use case? See our documentation on hybrid PKI deployments or get in touch with us. 
