CLMOpen source · LGPL-2.1-or-later
EJBCA Community
By Keyfactor
Open-source PKI and certificate authority software for issuing and managing X.509 certificates at scale, with CRL and OCSP revocation and support for the SCEP, EST, CMP, and ACME enrollment protocols. The commercial Enterprise edition adds high availability, HSM integration, and support; EJBCA originated at Sweden's PrimeKey, which merged into Keyfactor in 2021.
Verified Source: 1
- Product type
- Software
- Deployment
- On-premHybridCLI
- Organization size
- SMBMid-marketEnterprise
- Pricing tier
- Freemium
Capability checklist
CLMHow EJBCA Community measures up against the full Certificate Lifecycle Management taxonomy.
- Certificate discovery & inventory — not supported
- Finds every certificate across on-prem, cloud, and Kubernetes environments — including unknown, expired, and shadow certificates nobody was tracking.
- Automated issuance & renewal — supported
- Issues and renews certificates automatically through ACME and direct CA integrations, so nothing depends on someone remembering to do it by hand.
- Expiry monitoring & alerting — not supported
- Watches expiration dates across the whole estate and alerts owners well before a certificate lapses and causes an outage.
- Private CA & internal PKI — supported
- Runs internal certificate authorities and PKI to issue the private certificates that secure machine-to-machine and internal service traffic.
- Deployment integrations — not supported
- Pushes issued certificates directly into load balancers, Kubernetes, MDM, and web servers instead of leaving admins to install them by hand.
- Crypto-agility & rotation — not supported
- Inventories the algorithms and keys in use and rotates them at scale, including preparing for the migration to post-quantum cryptography.
Alternatives
Other Certificate Lifecycle Management tools with overlapping capabilities, sized for similar teams.