Demands for higher performance and/or availability cannot be avoided as the number of use cases that require certificates grows. EJBCA can offer scalable database-level clustering and standard high-availability configurations. This is an area where the Microsoft PKI solution struggles to perform well.
Migrate your Microsoft CA to EJBCA
Draw benefit from a flexible and future-proof CA solution to cover all your PKI use cases in one central solution.
Outgrowing the Microsoft PKI
Active Directory Certificate Services (ADCS), sometimes also just called the Microsoft CA, has been an easy choice for many organizations as it is well integrated in the Microsoft infrastructure. However, PrimeKey’s experience is that many organizations that have been using ADCS for a while get stuck. Organizational changes, operational challenges and new business opportunities can no longer be supported in an effective way. Three of the most common reasons for outgrowing a Microsoft PKI are listed below.
Operational drawbacks
In the Microsoft environment only one CA can be installed per server, and there is only limited multi-domain/forest support. Thus, most organizations will have to maintain multiple CA servers.
Scalability limitations
The Microsoft CA has limitations when it comes to scaling – it doesn’t handle large volumes of certificates well.
Lack of compliance
The support for standards and protocols in ADCS is focused on the Microsoft environment. Other use cases are out of scope and not in focus for Microsoft.
Features of PrimeKey's PKI migration
Combine the ease and simplicity of Microsoft Autoenrollment with the proven power and performance of EJBCA.
When using EJBCA, the Microsoft clients and servers are configured to send certificate requests to EJBCA instead of to multiple Active Directory Certificate Services instances, and EJBCA talks directly to Active Directory. The integration is seamless and not visible to end users.
Multitenancy
PKI and security are an important aspect of many solutions today, regardless of whether the solution involves devices, servers or external/internal users. EJBCA is a multi-tenant solution and offers you as an organization the possibility to host multiple use cases (CAs), logically separated, in one single installation. This means that you will be able to grow your PKI solution with your business and sustain long-term cost-effective management and operational flexibility.
High availability and Performance
Ensure regulatory compliance
EJBCA is Common Criteria certified and has been deployed in numerous WebTrust and eIDAS audited installations. In addition, EJBCA supports integration interfaces and standard protocols such as CMP, EST, SCEP, REST, ACME and Web Services.
Fully integrated into the Microsoft eco-system
EJBCA is fully integrated into the Microsoft ecosystem through its auto-enrollment support combined with integral support for Azure as host, for user authentication and for publishing; comprehensive HSM support, including Azure Key Vault and the FIPS 140-2 Level 3 Managed HSM; and native support for device enrollment using Microsoft Intune. For more information, see our documentation on Securing Your Microsoft Environment with EJBCA.
Step-by-step PKI migration
Are you using Microsoft ADCS and considering migrating? No problem, PrimeKey has done this before. Depending on your existing use cases and new requirements, the PKI migration strategy might look different. However, for a typical migration from your existing Microsoft ADCS installation to EJBCA, see this step-by-step guide:
For more details, see Tutorials on how to migrate from other CAs to EJBCA.
Comparison - Microsoft PKI and EJBCA Enterprise
With this table we strive to give you a clear picture of important areas where PrimeKey PKI and Microsoft PKI differ. If you have any specific questions about features or functionality, don’t hesitate to contact us.
| Feature | Microsoft ADCS | EJBCA Enterprise |
|---|---|---|
| High availability | Unreliable support via JET database when certificate issuance gets into the millions | High availability at the database level via Oracle RAC cluster, MariaDB, PostgreSQL, Microsoft SQL Server |
| Custom certificate extensions | Not supported | Custom extensions are easily added using the UI or CLI |
| Certificate profiles | Limited to the Active Directory certificate templates available | Certificate profiles are flexible and easily implemented. New profiles can be added via the UI or CLI. EJBCA supports export and import of profiles. |
| Multitenant CA solution | Not supported | No limit on the number of tenant CAs that can be installed on an EJBCA instance |
| OS support | Windows Server only | Any operating system is supported |
| REST API | Not available | Rich REST API available |
| SOAP Web Services | Not available | Rich WS API available |
| Certificate Management Protocol (CMP) | Not available | Supported, complying with RFC 4210 and RFC 6712 |
| External, independent OCSP Responder | Supported, based on the CRL | Fully supported, including whitelisting of certificates and configurable response options, i.e. GOOD or UNKNOWN, for certificates not issued by the CA |
| Microsoft auto-enrollment | Supported | Supported. PrimeKey provides a Certificate Enrollment Policy (CEP) and Certificate Enrollment Service (CES) for a native integration for certificate enrollment. |
| Web GUI-based RA | Limited support | Full support |
| Certificate approvals | Limited support | Flexible support with simple or partitioned workflows |
| External RA | Must be custom-built | Available out of the box |
| Certificate transparency | Not supported | Supported, complying with RFC 6962 |
| ACME | Not supported | Supported, complying with RFC 8555 |
| EST | Not supported | Supported, complying with RFC 7030 |
| Fully Supported | Available via third parties | Delivered directly by the vendor |
| Custom development | Available via third parties | PrimeKey can deliver custom versions of the product and add specific customer enhancements |
| CVC | Not available | Supported, complying with BSI TR-03110 |
| ICAO standards (travel documents) | Not available | Available. PrimeKey is committed to supporting the latest standards in a reasonable time frame. |
| Peer connectors | Not available | PrimeKey products provide peer connectors* for inter-component communication between a CA and an RA or a CA and a VA |
| Azure Intune integration | Supported | Supported for certificate issuance and revocation |
| Azure Key Vault | Not supported | Supported for Key Vault and managed HSM |
| Azure storage blobs | Not available | EJBCA can publish certificates, CRLs, and CA certificates to Azure storage blobs |
| Azure machine identities | Not available | Supported |
| Azure OAuth integration | Not available | Available for authentication to EJBCA adminweb, RA web, and REST/Web service APIs |
* Read more about PrimeKey Peer connectors here: Peer Systems.
Deploy EJBCA as it suits you
EJBCA® Enterprise
Complete public key infrastructure (PKI) and certificate management
EJBCA® Hardware Appliance
Turn-key PKI hardware and software solution with integrated HSM