EJBCA® Validation Authority

The EJBCA Validation Authority (VA) software component enables certificate validation using OCSP or CRLs.

Real-time certificate validation

Certificate validation server

Online certificate validation is efficiently achieved through the use of the EJBCA Validation Authority — PrimeKey’s high performance, scalable Validation Authority server, based upon the OCSP standard. Unlike some other responders, EJBCA Validation Authority is capable of providing real time certificate validation. In addition, EJBCA Validation Authority also supports the usage of CRLs.

True online certificate validation

You don’t have to wait for issuance of CRLs when working with a true online certificate validation system like the EJBCA Validation Authority using OCSP. Using a relational database as back-end storage, EJBCA Validation Authority can immediately update certificates information upon certificates revocation.  One can even issue millions of inactive certificates that can later on be activated – something virtually impossible using traditional methods.

NPKD, National Public Key Directory, person explaining

Validation Authority for EJBCA Enterprise Certificate

Validation is conveniently performed with PrimeKey’s open source EJBCA Validation Authority (VA). EJBCA VA offers several advantages through its use of both an OCSP Responder and a Certificate and CRL distribution feature. Preventing vendor lock-in, featuring instant real-time revocation, easy extending and customizing. EJBCA VA smoothly accommodates to every organization’s requirement.

VA Deployment options – Software, Appliance, Cloud or Hybrid

PrimeKey understands that organizations have unique business challenges, including security requirements, budgets and the availability of internal resources. We give you the choice to combine software, hardware Appliance and Cloud deployments for your PKI solution. This means the infrastructure can be deployed in the manner best suited to your business needs and can grow flexibly and expand over time.

Your deployment options

Rich functionality

CRL versus OCSP

Deploying certificate infrastructures, users have to be provided the right means to verify certificate validity. This is usually done by means of Certificate Revocation Lists. However, where the use of CRLs are inconvenient or inadequate, organizations may opt to use the EJBCA Validation Authority OCSP responder.

PKI independent

The EJBCA Validation Authority can provide certificate validation services for any PKI, including EJBCA. The PKI independence arises from the fact that the EJBCA Validation Authority is a stand-alone component, fed and updated with certificate status information from the Certificate Authority.

Platform independent, flexible and robust

Based on the same Java EE platform as EJBCA Enterprise PKI, the EJBCA Validation Authority features the same platform independence, flexibility and robustness as EJBCA Enterprise.

Enterprise scalability

EJBCA Validation Authority has support for the leading HSMs and allows easy and reliable clustering. This ensures linear scalability – thus achieving breathtaking performance. It is even possible to shut down a node for maintenance, while other nodes continue to answer requests. 

The EJBCA Validation Authority responder contains a built-in monitoring facility, ensuring that the responder is functioning properly at all times.

Audit and logging

In order to support a wide range of business models, the Validation Authority has highly configurable audit and transaction logging capabilities. If there is a need to charge your customers making requests or to keep requests and responses for audit –  EJBCA Validation Authority will satisfy your demands.

Contact us

Fill in your contact information below and we will get in touch with you.


EJBCA Enterprise VA

  • Implements RFC 2560, RFC 6960 and RFC 5019
  • Independent of CA software used
  • One responder can respond for any number of CAs
  • Status information stored in SQL database
  • Not depending on CRLs. Status information can be updated in real-time
  • Plug-in mechanism for custom OCSP extensions
  • Highly configurable audit and transaction logging
  • Suitable for invoicing
  • Supports PKCS#11 HSMs
  • Built in health check used by load balancers and for monitoring
  • Configurable for requiring signed requests, authorized signers, etc.
  • Linear scalability for performance and high availability by adding multiple nodes
  • High performance, >500 request per second can be achieved on a single server
  • OCSP client in java

How can we help?

  • Hidden
    I accept that PrimeKey stores my information, and I accept cookies for analysis and business identification. Read more about cookies and privacy policy here.
Contact us