Outgrowing the Microsoft PKI
Active Directory Certificate Services (ADCS), sometimes also just called the Microsoft CA, has been an easy choice for many organizations because it is well integrated into the Microsoft infrastructure. However, PrimeKey’s experience is that many organizations that have been using ADCS for a while get stuck: organizational changes, operational challenges and new business opportunities can no longer be supported effectively. Three of the most common reasons for outgrowing a Microsoft PKI are listed below.
In the Microsoft environment only one CA can be installed per server, and there is only limited multi-domain/forest support. Thus, most organizations will have to maintain multiple CA servers.
The Microsoft CA has limitations when it comes to scaling: it does not handle large volumes of certificates well.
Lack of compliance
The support for standards and protocols in ADCS is focused on the Microsoft environment. Other use cases are out of scope and not in focus for Microsoft.
Features of PrimeKey's PKI migration
Combine the ease and simplicity of Microsoft Autoenrollment with the proven power and performance of EJBCA.
When using EJBCA, the Microsoft clients and servers are configured to send certificate requests to EJBCA instead of to multiple Active Directory Certificate Services instances, and EJBCA talks directly to Active Directory. The integration is seamless and not visible to end users.
PKI and security are important aspects of many solutions today, regardless of whether the solution involves devices, servers or external/internal users. EJBCA is a multi-tenant solution and offers you as an organization the possibility to host multiple use cases (CAs), logically separated, in one single installation. This means that you will be able to grow your PKI solution with your business and sustain long-term cost-effective management and operational flexibility.
High availability and Performance
Demands for higher performance and/or availability cannot be avoided when the number of use cases that require certificates increases. EJBCA offers scalable database-level clustering and standard high-availability configurations. This is an area where the Microsoft PKI solution struggles to perform well.
Ensure regulatory compliance
EJBCA is Common Criteria certified and has been deployed in numerous WebTrust- and eIDAS-audited installations. In addition, EJBCA supports integration interfaces and standard protocols such as CMP, EST, SCEP, REST, ACME and Web Services.
Fully integrated into the Microsoft eco-system
Auto-enrollment support, combined with integral support for Azure as host, for user authentication and for publishing, comprehensive HSM support (including Azure Key Vault and the FIPS 140-2 Level 3 Managed HSM) and native support for device enrollment using Microsoft Intune make EJBCA fully integrated into the Microsoft eco-system.
Step-by-step PKI migration
Are you using Microsoft ADCS and considering migrating? No problem, PrimeKey has done this before. Depending on your existing use cases and new requirements, the PKI migration strategy may look different. However, for a typical migration from your existing Microsoft ADCS installation to EJBCA, see this step-by-step guide:
For more details, see Tutorials on how to migrate from other CAs to EJBCA.
Comparison - Microsoft PKI and EJBCA Enterprise
With this table we strive to give you a clear picture of important areas where PrimeKey PKI and Microsoft PKI differ. If you have any specific questions about features or functionality, don’t hesitate to contact us.
Unreliable support via the JET database when certificate issuance gets into the millions
High availability at the database level via Oracle RAC cluster, MariaDB, PostgreSQL, Microsoft SQL Server
Custom certificate extensions
Custom extensions are easily added using the UI or CLI
Limited to Active Directory certificate templates available
Certificate profiles are flexible and easily implemented. New profiles can be added via the UI or CLI. EJBCA supports export and import of profiles.
Multitenant CA solution
No limit on the number of tenant CAs that can be installed on an EJBCA instance
Windows Server only
Any operating system is supported
Rich Rest API available
SOAP Web Services
Rich WS API available
Certificate Management Protocol (CMP)
Supported complying with RFC 4210 and RFC 6712
External, independent OCSP Responder
Supported based on the CRL
Fully supported, including whitelisting of certificates and configurable response options, i.e. GOOD or UNKNOWN, for certificates not issued by the CA
Supported. PrimeKey provides a Certificate Enrollment Policy (CEP) and Certificate Enrollment Service (CES) for a native integration for certificate enrollment.
Web GUI-based RA
Flexible support with simple or partitioned workflows
Must be custom-built
Available out of the box
Supported complying with RFC 6962
Supported complying with RFC 8555
Supported complying with RFC 7030
Available via third parties
Delivered directly by the vendor
Available via third parties
PrimeKey can deliver custom versions of the product and add specific customer enhancements
Supported complying with BSI TR-03110
ICAO standards (Travel documents)
Available. PrimeKey is committed to supporting the latest standards in a reasonable time frame.
PrimeKey products provide peer connectors* for inter-component communication between a CA and an RA or a CA and a VA
Azure Intune integration
Supported for certificate issuance and revocation
Azure Key Vault
Supported for Key Vault and managed HSM
Azure storage blobs
EJBCA can publish certificates, CRLs, and CA certificates to Azure storage blobs
Azure machine identities
Azure OAuth integration
Available for authentication to the EJBCA Admin Web, RA Web, and REST/Web Service APIs
* Read more about PrimeKey Peer connectors here: Peer Systems.
Deploy EJBCA as it suits you
Complete public key infrastructure (PKI) and certificate management
EJBCA® Hardware Appliance
Turn-key PKI hardware and software solution with integrated HSM
Complete EJBCA PKI as a service
Complete PKI software solution on AWS and Azure cloud