Friday, May 11, 2012

Enterprise EJBCA features vs Community

EJBCA version 6 with EJBCA Enterprise and EJBCA Community is released by now. Instead of this blog post, that are getting aged, you should head over to the newer pages.

This is a continuation of the blog post EJBCA will always be Open Source.

Here we will describe the feature difference between EJBCA 5 (Enterprise) and EJBCA 4 (Community). For a high level overview you should first read EJBCA will always be Open Source.
For a list of all the features in EJBCA, visit

The freshest, most up to date, description of EJBCA Enterprise features will be available at PrimeKey.

EJBCA Enterprise Edition vs Community

EJBCA 5 has features required for high trust environments:
  • Common Criteria EAL4+ and CWA 14167 certified.
  • Certified access control and authorization module, for assurance and high trust role separation.
  • Integrity protected security audit log, with digital signature or HMAC protection.
  • Improved security audit log messages, complete information that is auditable.
  • Full database integrity protection of all tables, to detect database manipulation.
  • Authentication of local CLI users enabling role separation also for local CLI.
  • Penetration tested with improved security.
Users requiring certified operations, Common Criteria, CWA, ETSI or WebTrust will benefit greatly from EJBCA 5.
In addition to that there are other minor changes that are unique to EJBCA 5. These changes are the result of the majority of development resources now focusing on future versions of EJBCA, and will eventually water down to Community EJBCA.
  • Smaller release ZIP file.
  • Minor CLI improvements with new methods and parameters.
  • New database CLI for database export, import and verification.
  • Support for Permanent Identifiers (RFC 4043) and authorityInformationAccess in CRLs.
  • Support for SIP and Kerberos extended key usages.
  • Improved memory efficiency in certain use cases.
  • Optimized database usage.
  • Other minor improvements and bugfixes.

Normal users will be satisfied with the feature set, and the record breaking performance, of EJBCA 4.

Feature comparison table

The freshest, most up to date, description of EJBCA Enterprise features will be available at PrimeKey.
This is a snapshot at the time this blog post was written.

License Open Source LGPL v2.1 or later Open Source LGPL v2.1 or later
PKI features Full, including all protocols Full, including all protocols
Recommended for EJBCA Enterprise is recommended for Corporations, Governments and other organizations looking for an enterprise scale, production-ready, certified, open source PKI solution without any upfront license fees. EJBCA Community is recommended for developers and technical PKI users in non-mission critical environments. As this version is unsupported it is intended to be used by those prepared to spend time and resource solving issues independently.
Suitable for EJBCA is suitable for small to huge scale PKI deployments ranging from 1000 to over 100 million issued certificates. EJBCA is suitable for small to huge scale PKI deployments ranging from 1000 to over 100 million issued certificates.
Security Certifications EJBCA Enterprise has been certified under Common Criteria EAL 4+ (CIMC Protection Profile) and CWA 14167-1 (at customer locations). None
Commercial support PrimeKey provides commercial support with Service Level Agreements (SLA) for issue tracking, problem resolution, patches and fixes. None provided, community support through forums and mailing lists.
Integrity protected security audit EJBCA Enterprise features a Common Criteria certified security audit mechanism using HMAC or digital signatures for integrity protection. No
Database integrity protection EJBCA Enterprise features a Common Criteria certified database protection protecting the database from malicious DBAs. No
Penetration tested EJBCA Enterprise has been penetration tested as part of Common Criteria evaluation, and by independent security testers. No
Role separation Full role separation including local command line interface. Role separation for remote access users.
Security flaw remediation process PrimeKey have a Common Criteria evaluated tracking process for security, and other, bug reports. EJBCA Community follows an open development and issue tracking process, without guaranteed response times.
License Price / Subscription No software license fee – Provided as part of an annual subscription for commercial level support. No software license fee – free to download, free to use.
Additional features Emergency hot fixes, security alerts, best practice advice, private issue tracking portal, additional guides and tools. Most feature complete and most flexible PKI, with highest performance, compared to most open source and commercial PKIs.
Training Customers and Partners get training on latest certified PKI from PrimeKey (additional cost depending on your contract). Contact PrimeKey.

No comments: