ENTERPRISE This is an EJBCA Enterprise feature.

For general information about handling CVC CAs, see the CA Operations page for general operations and the CVC Operations page for CVC specific operations.

The following covers a feature overview and sections providing information on Card Verifiable Certificate (CVC) CAs.


    EJBCA Enterprise has full support for Card Verifiable Certificates (CVC BSI TR-03110) used by EU EAC ePassports and eIDs. Additionally, the document BSI TR-03139 Common Certificate Policy for the Extended Access Control Infrastructure for Passports and Travel Documents issued by EU Member States defines common policy elements for EU member states.

    Using EJBCA you can set up a complete PKI infrastructure for CVC CAs with:

    • CVCA (Country Verifying CA)

    • Domestic DVs (Document Verifier CA)

    • Foreign DVs

    • Inspection systems (IS)

    • Authentication Terminals (AT)

    • Signature Terminals (ST)

    EJBCA supports RSA and ECC keys in CV certificates with the following algorithms:

    • SHA1WithRSA - id-TA-RSA-v1-5-SHA-1

    • SHA256WithRSA - id-TA-RSA-v1-5-SHA-256

    • SHA1WithRSAAndMGF1 - id-TA-RSA-PSS-SHA-1

    • SHA256WithRSAAndMGF1 - id-TA-RSA-PSS-SHA-256

    • SHA1WithECDSA - id-TA-ECDSA-SHA-1

    • SHA224WithECDSA - id-TA-ECDSA-SHA-224

    • SHA256WithECDSA - id-TA-ECDSA-SHA-256

    • SHA384WithECDSA - id-TA-ECDSA-SHA-384

    • SHA512WithECDSA - id-TA-ECDSA-SHA-512

    Using SignServer you can set up a clustered Document Signer. For more information, see

    Terminal Types

    In addition to Inspection Systems (IS), EJBCA supports certificate hierarchies for Authentication Terminal (AT) and Signature Terminal (ST) end-entities as of EAC 2.10.

    To use AT or ST certificates, create certificate profiles with the Terminal Type configured for your CAs and end entities. For more information, see Inspection Systems.