Migrate your Microsoft CA to EJBCA

Draw benefit from a flexible and future-proof CA solution to cover all your PKI use cases in one central solution. 

Contact us Download guide - Modernize your PKI when migrating to Azure 


Outgrowing the Microsoft PKI

Active Directory Certificate Services (ADCS), sometimes also just called the Microsoft CA, has been an easy choice for many organizations as it is well integrated in the Microsoft infrastructure. However, PrimeKey’s experience is that many organizations that have been using ADCS for a while get stuck. Organizational changes, operational challenges and new business opportunities can no longer be supported in an effective way. Three of the most common reasons for outgrowing a Microsoft PKI are listed below.

Operational drawbacks

In the Microsoft environment only one CA can be installed per server, there is only limited multi domain/forest support. Thus, most organizations will have to maintain multiple CA servers.

Scalability limitations

The Microsoft CA has limitations when it comes to scaling – it doesn’t handle large volumes of certificates well.

Lack of compliance

The support for standards and protocols in ADCS is focused on the Microsoft environment. Other use cases are out of scope and not in focus for Microsoft.

Features of PrimeKey's PKI migration

Combine the ease and simplicity of Microsoft Autoenrollment with the proven power and performance of EJBCA.

When using EJBCA the MS clients and servers are configured to send certificate requests to EJBCA, instead of multiple Active Directory Services instance, and EJBCA talks directly to Active Directory. The integration is seamless and not visible for end-users.


PKI and security is an important aspect of many solutions today regardless if the solution involves devices, servers or external/internal users. EJBCA is a multi-tenant solution and offers you as an organization the possibility to host multiple use cases (CAs), logically separated, in one single installation. This means that you will be able to grow your PKI solution with your business and sustain long-term cost-effective management and operational flexibility.

High availability and Performance

Demands for higher performance and/or availability can not be escaped when the number of use cases that require certificates increases. EJBCA can offer scalable database-level clustering and standard high availability configurations. This is an area where the Microsoft PKI solution struggle to perform well.

Ensure regulatory compliance 

EJBCA is Common criteria certified and has been deployed in numerous WebTrust and eIDAS audited installations. In addition, EJBCA supports integration interfaces and standard protocols such as CMP, EST, SCEP, REST, ACME and Web Services.

Fully integrated into the Microsoft eco-system

The auto-enrollment support in combination with integral support for Azure as host, for user authentication and publishing, a comprehensive support for HSMs, including Azure Key Vault and the FIPS 140-2 Level 3 Managed HSM and natural support for device enrollment using Microsoft Intune makes EJBCA fully integrated into the Microsoft eco system. For more information, see our documentation on Securing Your Microsoft Environment with EJBCA

Step-by-step PKI migration

Are you using Microsoft ADCS and consider migrating? No problem, PrimeKey has done this before. Depending on your existing use cases and new requirements the PKI migration strategy might look different. However, for a typical migration from your existing Microsoft ADCS installation to EJBCA, see this step-by-step guide:

Step-by-step migration 

For more details, see Tutorials on how to migrate from other CAs to EJBCA

Comparison - Microsoft PKI and EJBCA Enterprise

With this table we strive to give you a clear picture of  important areas where PrimeKey PKI and Microsoft PKI differ. If you have any specific questions about features or functionality, don’t hesitate to contact us.

Read more about EJBCA Enterprise

Microsoft ADCS

EJBCA Enterprise

High availability

Unreliable support via JET database when certificate issuance gets into the millions

High availability at the database level via Oracle RAC cluster, MariaDB, PostgreSQL, Microsoft SQL Server

Custom certificate extensions

Not supported

Custom extensions are easily added using the UI or CLI

Certificate profiles

Limited to Active Directory certificate templates available

Certificate profiles are flexible and easily implemented. New profiles can be added via the UI or CLI. EJBCA supports export and import of profiles.

Multitenant CA solution

Not supported

No limit on the number of tenant CA that can be installed on an EJBCA instance

OS support

Windows Server only

Any operating system is supported

Rest API

Not available

Rich Rest API available

SOAP Web Services

Not available

Rich WS API available

Certificate Management Protocol (CMP)

Not available

Supported complying with RFC 4210 and RFC 6712

External, independent OCSP Responder

Supported based on the CRL

Fully supported including whitelisting of certificates and the support of configurable response options i.e. GOOD or UNKNOWN for certificates not issued by the CA

Microsoft auto-enrollment


Supported. PrimeKey provides a Certificate Enrollment Policy (CEP) and Certificate Enrollment Service (CES) for a native integration for certificate enrollment.

Web GUI-based RA

Limited support

Full support

Certificate approvals

Limited support

Flexible support with simple or partitioned workflows

External RA

Must be custom-built

Available out of the box

Certificate transparency

Not supported

Supported complying with RFC 6962


Not supported

Supported complying with RFC 8555


Not supported

Supported complying with RFC 7030

Fully Supported

Available via third parties

Delivered directly by the vendor

Custom Development

Available via third parties

PrimeKey can deliver custom versions of the product and add specific customer enhancements


Not available

Supported complying with BSI TR-03110

ICAO standards (Travel documents)

Not available

Available. PrimeKey is commited to supporting the latest standards in a reasonable time frame.

Peer connectors

Not available

PrimeKey products provide peer connectors* for inter-component communication between a CA and an RA or a CA and a VA

Azure Intune integration


Supported for certificate issuance and revocation

Azure Key Vault

Not supported

Supported for Key Vault and managed HSM

Azure storage blobs

Not available

EJBCA can publish certificates, CRLs, and CA certificates to Azure storage blobs

Azure machine identities

Not available


Azure OAuth integration

Not available

Available for authtication to EJBCA adminweb, RA web, and Rest/Web service APIs

* Read more about PrimeKey Peer connectors here: Peer Systems.

Deploy EJBCA as it suits you

EJBCA® Enterprise

Complete public key infrastructure (PKI) and certificate management

EJBCA® Hardware Appliance

Turn-key PKI hardware and software solution with integrated HSM


Complete EJBCA PKI as a service

EJBCA® Cloud

Complete PKI software solution on AWS and Azure cloud 

Contact us

Fill in your contact information below and we will get in touch with you.