Thursday, October 25, 2012

EJBCA 5 receives Common Criteria, EAL4+, certificate

We are pleased to announce that PrimeKey Solutions AB has successfully completed Common Criteria EAL4+ Certification of EJBCA version 5. The much-awaited Common Criteria certificate, issued by ANSSI (Agence nationale de la sécurité des systèmes d’information), is an important milestone in EJBCA's 10+ year history of achievements.
With this formal evidence that EJBCA conforms to the rigorous security standards for Certificate Issuance and Management Systems, this Common Criteria certification benefits PrimeKey’s customers and partners, as well as the community, and strengthens EJBCA’s position as the top pick of secure Certificate Authority software around the world.

EJBCA is certified based on the CIMC Protection Profile (v1.0) at security level 3. The assurance level is EAL4+ (EAL4 augmented with ALC_FLR.2).

Beyond a Shadow of a Doubt

Due to regulations and legislation, the Common Criteria EAL4+ Certification is often mandatory to reach the highest level of security requirements in computer software. Proof of CC certification is a necessity for EJBCA users who need to run mission-critical PKI and who will have their own software, solution or service certified and audited for standards compliance, such as CWA and WebTrust. PrimeKey, of course, welcomes the certification as additional proof that our EJBCA development adheres to the strictest security practices, and it enables us to reach out to customers that require formal certification.

“Our clients' projects often have to undergo their own strict security certification and audit processes. This official proof of EJBCA's Common Criteria Certification will help them reach a positive outcome, which sometimes is crucial for us in order to sign a new contract”, says CEO Konstantin Papaxanthis.

From now on, no organisation has to refrain from using EJBCA because of any particular security requirements. PrimeKey's customers can go straight ahead and have their EJBCA-based projects security evaluated and formally certified as audit compliant to the most demanding standards.
For more info on “EJBCA v.5” please visit

The EJBCA community can also be assured that the development of EJBCA Community Edition follows the same certified development process.

About Common Criteria

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard for computer security certification. Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.
For more info on “Common Criteria” please visit


A serious enterprise-class PKI, EJBCA is used as a Certification Authority to build complete PKI infrastructures within organizations that issue certificates for different purposes, such as:
  • Strong authentication for users accessing your intranet/extranet/internet resources.
  • Secure communication with SSL servers and SSL clients.
  • Smart card logon.
  • Signing and encrypting email.
  • VPN connections by issuing certificates to your VPN routers.
  • Client VPN access with certificates in users' VPN clients.
  • Secure logon to web applications (Single sign-on).
  • Creating signed documents.
  • Mobile PKI, like enrolling iOS.
  • Secure mobile networks, i.e. 3GPP/LTE/4G using the CMP protocol.
  • Counterfeit prevention.
  • Issue national eIDs.
  • Issue and inspect electronic passports, including EU EAC ePassports.
  • ... and many many more ...
For more info on “EJBCA” please visit


Unknown said...

I wanted to check which version of EJBCA Enterprise is CC certified?
On the blog and the website you say version 5 (or 5.0.x) but according to ANSSI the version evaluated was 5.0.4.
I was actually looking for an answer whether version 5.0.3 is CC certified?

Best Regards,
Alexandra Rosenblatt

tomas said...

The short answer is no.
Since EJBCA 5.0.4 contains security fixes, use of EJBCA 5.0.3 is discouraged, and it is definitely not certified.

I usually do not like to answer seemingly simple questions about CC, since CC is a very complex topic. Looking for simple answers without thoroughly understanding CC is not good, and may lead to wrong decisions. In this case, since the answer is clearly no however, this should not lead to any bad decisions.

For more information about EJBCA and CC certification, please contact PrimeKey.


Unknown said...

Much thanks