In short, the standard specifies the use of:
- X509v3, DER encoding certificates
- ECDSA using the NIST P256 (a.k.a. secp256r1) curve, uncompressed point format
- CN: USB:<vendor ID>:<product ID>
- O: organization name attribute shall contain the human-readable name of the organization that owns the private key
- DN Serial Number: lowercase hex-encoded value of the binary data (e.g. wafer number, lot number, production lot, etc.) necessary for uniqueness.
Custom certificate extension USB-IF ACD (OID 22.214.171.124.2): Seems to contain static data in an OCTET STRING, which can be added via EJBCA Admin GUI.
Conclusion: EJBCA should be able to issue such certificates.
 "USB Authentication Specification Rev. 1.0, March 25, 2016" http://www.usb.org/developers/docs/