EJBCA Validation Authority

EJBCA Validation Authority (VA) enables on-line verification of authentication and digitally signed transactions.

On-line real time certificate validation

Certificate validation server

On-line certificate validation is efficiently achieved through the use of the EJBCA OCSP Responder — PrimeKey’s high performance, scalable Validation Server, based upon the OCSP standard. Unlike some other responders, EJBCA OCSP is capable of providing real time certificate validation.

True on-line certificate validation

You don’t have to wait for issuance of CRLs when working with a true on-line certificate validation system like the EJBCA OCSP Server. Using a relational database as back-end storage, EJBCA OCSP can immediately update certificates information upon certificates revocation.  One can even issue millions of inactive certificates that can later on be activated – something virtually impossible using traditional methods.

Meeting PKI

Rich functionality

CRL versus OCSP

Deploying certificate infrastructures, users have to be provided the right means to verify certificate validity. This is usually done by means of Certificate Revocation Lists. However, where the use of CRLs are inconvenient or inadequate, organizations may opt to use the EJBCA OCSP responders.

PKI independent

The EJBCA OCSP Responder can provide certificate validation services for any PKI, including EJBCA. The PKI independence arises from the fact that the OCSP responder is a stand-alone component, fed and updated with certificate status information from the Certificate Authority.

Platform independent, flexible and robust

Based on the same Java EE platform as EJBCA PKI, the OCSP responder features the same platform independence, flexibility and robustness as EJBCA PKI.

Enterprise scalability

EJBCA OCSP responder has support for the leading HSMs and allows easy and reliable clustering. This ensures linear scalability – thus achieving breathtaking performance. It is even possible to shut down a node for maintenance, while other nodes continue to answer requests.

The EJBCA OCSP responder contains a built-in monitoring facility, ensuring that the responder is functioning properly at all times.

Audit and logging

In order to support a wide range of business models, the OCSP responder has highly configurable audit and transaction logging capabilities. If there is a need to charge your customers making requests or to keep requests and responses for audit –  EJBCA OCSP responder will satisfy your demands!


EJBCA Enterprise VA

  • Implements RFC 2560, RFC 6960 and RFC 5019
  • Independent of CA software used
  • One responder can respond for any number of CAs
  • Status information stored in SQL database
  • Not depending on CRLs. Status information can be updated in real-time
  • Plug-in mechanism for custom OCSP extensions
  • Highly configurable audit and transaction logging
  • Suitable for invoicing
  • Supports PKCS#11 HSMs
  • Built in health check used by load balancers and for monitoring
  • Configurable for requiring signed requests, authorized signers, etc.
  • Linear scalability for performance and high availability by adding multiple nodes
  • High performance, >500 request per second can be achieved on a single server
  • OCSP client in java

Turn-Key VA Solution

EJBCA Enterprise VA is available in a turn-key hardware solution.  The PrimeKey VA Appliance is a standalone, turn-key solution for operating VA services based on OCSP and CRLs.

PrimeKey VA Appliance


PKI Appliance

Contact us

Fill in your contact information below and we will get in touch with you.

    I accept that PrimeKey stores my information, and I accept cookies for analysis and business identification. Read more about cookies and privacy policy here.