The following outlines the architecture of a standalone CA/RA/VA.
You can deploy a complete PKI in a single instance. Since EJBCA has everything built-in you can have a single instance functioning as both CA and RA. This is a very efficient, easy to manage, and cost-effective solution that is suitable for many SME enterprise deployments.
Multiple CAs for different use-cases can co-exist in a single instance and security levels can be scaled with, for example:
Administrators can use smart cards or soft tokens for accessing the administration interface.
The CA can use an HSM or soft tokens for the CA signing keys.
Users and machines can be issued with soft tokens or smart cards/USB tokens.
Various filtering options can be deployed in firewalls.
For more information on creating a CA with EJBCA, see EJBCA Operations Guide.