ENTERPRISE EDITION This is an EJBCA Enterprise Edition (EE) feature.

The following sections cover information on Card Verifiable Certificate (CVC) CAs:


    EJBCA Enterprise has full support for Card Verifiable Certificates (CVC BSI TR-03110) used by EU EAC ePassports and eIDs.

    Using EJBCA you can set up a complete PKI infrastructure for CVC CAs with:

    • Country CVCCA

    • Domestic DVs (document verifier)

    • Foreign DVs

    • Inspection systems (IS)

    • Authentication Terminals (AT)

    • Signature Terminals (ST)

    EJBCA supports RSA and ECC keys in CV certificates with the following algorithms:

    • SHA1WithRSA - id-TA-RSA-v1-5-SHA-1

    • SHA256WithRSA - id-TA-RSA-v1-5-SHA-256

    • SHA1WithRSAAndMGF1 - id-TA-RSA-PSS-SHA-1

    • SHA256WithRSAAndMGF1 - id-TA-RSA-PSS-SHA-256

    • SHA1WithECDSA - id-TA-ECDSA_SHA_1

    • SHA224WithECDSA - id-TA-ECDSA_SHA_224

    • SHA256WithECDSA - id-TA-ECDSA_SHA_256

    Using SignServer you can set up a clustered Document Signer. For more information, see

    Terminal Types

    In addition to Inspection Systems (IS), EJBCA supports certificate hierarchies for Authentication Terminal (AT) and Signature Terminal (ST) end-entities as of EAC 2.10.

    To use AT or ST certificates, create certificate profiles with the Terminal Type configured for your CAs and end entities. For more information, see Inspection Systems.