Vendor‑neutral help to design, deploy, and run Keyfactor EJBCA (Enterprise, Cloud, or SaaS) for large‑scale PKI.
Why SafeCipher for EJBCA
- Protocol‑first: We implement ACME, EST, CMP, and SCEP for zero‑touch enrollment across apps, devices, and gateways.
- RA/VA separation: External RA in the DMZ, clustered VA/OCSP, and hardened peer links to the CA.
- HSM/KMS assurance: PKCS#11 HSMs, AWS CloudHSM, or Azure Key Vault with auditable key ceremonies.
- SaaS or self‑managed: We’ll help you choose between EJBCA SaaS (with SLAs) or Enterprise software/appliance.
What you’ll get
- Reference architecture: CA/RA/VA topology, tenant model, and issuance profiles for your estate.
- Automation plan: ACME for web/Kubernetes, EST/CMP for device onboarding, SCEP for brownfield.
- Revocation design: CRL/Delta CRL sizing and OCSP clustering with CDN and caching.
- Rollover playbook: Cross‑signs, staged AIA/OCSP updates, and trust‑store validation.
30‑day outcomes
- Live EJBCA (Enterprise or SaaS) with RA/VA split and HSM/KMS‑backed CA keys.
- A cert‑manager‑integrated cluster plus one MDM/NDES path issuing at scale.
- Unified CRL/OCSP endpoints reachable; monitoring and tidy schedules in place.
When EJBCA is ideal
- Mixed estate with device/IoT/MDM enrollment and telecom/OT requirements.
- Need for multitenancy and audited separation of duties.
- Preference for open standards and deployment flexibility (SW, Cloud, SaaS).
When to pair
- App‑only, developer‑led PKI → consider Vault PKI alongside EJBCA.
- Heavily cloud‑native L7 → complement with AWS Private CA or Google CAS for LB/service‑mesh integrations.
Our engagement model
- Discovery & design — assess protocols, tenants, and RA/VA topology.
- Pilot — enable ACME/EST/CMP/SCEP, RA in DMZ, VA clustering, cert‑manager + one MDM.
- Handover — docs and playbooks for ceremonies, rollover, and audits.
Talk to SafeCipher
Ready to operationalise EJBCA? Book a discovery call and we’ll design a right‑sized RA/VA‑first PKI.