You need a private Certificate Authority. Maybe for internal mTLS, maybe for device identity, maybe because you’re tired of paying $400/month for AWS Private CA. Three open-source options dominate: EJBCA (enterprise-grade, full-featured, complex), Smallstep (developer-friendly, modern, opinionated), and HashiCorp Vault PKI (secrets-engine approach, API-first, short-lived certs).
Each solves the “I need a CA” problem differently. Here’s which one fits your situation.
At a Glance
| Dimension | EJBCA | Smallstep | Vault PKI |
|---|---|---|---|
| Philosophy | Enterprise PKI platform | Modern, developer-first CA | Secrets engine that issues certs |
| Complexity | High (Java, WildFly, DB) | Low (single binary, Go) | Medium (Vault cluster) |
| Target audience | PKI teams, compliance-heavy orgs | DevOps, platform teams | DevOps, microservices teams |
| ACME support | ✅ | ✅ | ❌ (EST-like via API) |
| Web UI | ✅ (full admin + RA UI) | ✅ (minimal) | ✅ (Vault UI) |
| HSM support | ✅ (PKCS#11, extensive) | ✅ (PKCS#11, YubiKey) | ✅ (via Vault seal/transit) |
| Protocols | ACME, SCEP, EST, CMP, REST | ACME, REST | REST API only |
| Certificate profiles | Unlimited, highly configurable | Template-based | Role-based |
| Compliance | WebTrust, ETSI, Common Criteria | Basic | Basic |
| Clustering/HA | ✅ (database-backed) | ✅ (with HA backend) | ✅ (Raft/Consul) |
| License | LGPL (Community) / Commercial | Apache 2.0 | BSL (was MPL) |
| Language | Java | Go | Go |
| Setup time | Hours-days | Minutes | Minutes (if Vault exists) |
EJBCA: The Enterprise Workhorse
What It Is
EJBCA is a full-featured PKI platform that can serve as Root CA, Intermediate CA, Registration Authority, OCSP responder, and CRL publisher — all in one. It’s been around since 2001 and is used by governments, telecom operators, and large enterprises worldwide.
Best For
- Organizations needing compliance certifications (WebTrust, ETSI, Common Criteria)
- Multi-tier PKI hierarchies (Root → Policy → Issuing CAs)
- Environments requiring SCEP, EST, CMP (not just ACME)
- Large-scale device enrollment (IoT, mobile, network equipment)
- Teams with dedicated PKI administrators
Architecture
```text
┌──────────────────────────────────────────┐
│ EJBCA (Java/WildFly)                     │
├──────────────────────────────────────────┤
│ CA Engine: multiple CAs, profiles, rules │
│ RA: approval workflows, enrollment       │
│ Protocols: ACME, SCEP, EST, CMP, REST    │
│ OCSP Responder: built-in                 │
│ CRL Publisher: LDAP, HTTP, file          │
│ Admin UI: full web management            │
│ Audit: comprehensive logging             │
├──────────────────────────────────────────┤
│ Database: PostgreSQL / MySQL / MariaDB   │
│ HSM: PKCS#11 (Thales, Entrust, etc.)     │
└──────────────────────────────────────────┘
```
Setup
```bash
# Docker (quickest for evaluation; not a production deployment)
docker run -it --rm -p 8080:8080 -p 8443:8443 \
  -h ejbca-node1 keyfactor/ejbca-ce
# Production: requires database, HSM, proper TLS, clustering
# Typical production deployment: 2-4 nodes + PostgreSQL + HSM
```
Strengths
- Most feature-complete open-source CA available
- Proven at massive scale (millions of certificates)
- Full compliance support (WebTrust audit-ready)
- Every enrollment protocol supported
- Extensive certificate profile customization
- Built-in RA with approval workflows
Weaknesses
- Complex to deploy and operate (Java stack, database, application server)
- Steep learning curve (hundreds of configuration options)
- Resource-heavy (JVM, database, multiple services)
- Community Edition lacks some enterprise features
- Documentation can be overwhelming
Smallstep: The Developer-Friendly CA
What It Is
Smallstep (step-ca) is a modern, lightweight CA designed for DevOps and cloud-native environments. Single binary, minimal configuration, opinionated defaults. It prioritizes short-lived certificates and automation over complex PKI hierarchies.
Best For
- DevOps/platform teams who want a CA without becoming PKI experts
- Kubernetes environments (integrates with cert-manager)
- SSH certificate authority (built-in SSH CA — unique feature)
- Short-lived certificates (hours/days, not years)
- Small-to-medium deployments (hundreds to thousands of certs)
- Teams that value simplicity over configurability
Architecture
```text
┌──────────────────────────────────────────┐
│ step-ca (single Go binary)               │
├──────────────────────────────────────────┤
│ CA: X.509 + SSH certificate issuance     │
│ ACME: built-in ACME server               │
│ Provisioners: OIDC, JWK, X5C, K8s, etc.  │
│ Templates: customizable cert profiles    │
│ Admin API: REST                          │
├──────────────────────────────────────────┤
│ Storage: BadgerDB (embedded) or MySQL/PG │
│ HSM: PKCS#11, YubiKey, Cloud KMS         │
└──────────────────────────────────────────┘
```
Setup
```bash
# Install the step CLI and step-ca for your platform (packages or release binaries):
# https://smallstep.com/docs/step-ca/installation
# Initialize CA (interactive: prompts for a provisioner name and the CA password)
step ca init --name "My Internal CA" --dns ca.internal --address :443
# Start
step-ca $(step path)/config/ca.json
# Issue a certificate (on a different host, first trust the CA:
#   step ca bootstrap --ca-url https://ca.internal --fingerprint <root fingerprint printed by init>)
step ca certificate "myservice.internal" service.crt service.key
# That's it. CA running in under 5 minutes.
```
Strengths
- Incredibly simple to set up (minutes, not hours)
- Single binary, minimal dependencies
- Built-in SSH CA (issue SSH certificates alongside X.509)
- OIDC integration (tie certificate issuance to SSO identity)
- Short-lived certificates by default (encourages good practices)
- Excellent documentation and developer experience
- Active open-source community
Weaknesses
- Less configurable than EJBCA (opinionated = limited flexibility)
- No SCEP, EST, or CMP support (ACME + REST only)
- No built-in OCSP responder (relies on short-lived certs instead)
- No approval workflows or RA functionality
- Not designed for compliance-heavy environments (no WebTrust path)
- Smaller ecosystem than EJBCA or Vault
HashiCorp Vault PKI: Certificates as Secrets
What It Is
Vault’s PKI secrets engine turns Vault into a CA. It’s not a standalone CA product — it’s a feature within Vault’s broader secrets management platform. You get certificate issuance alongside dynamic database credentials, SSH keys, cloud credentials, and encryption-as-a-service.
Best For
- Organizations already running Vault (add PKI without new infrastructure)
- Microservices/service mesh environments needing short-lived mTLS certs
- Teams wanting certificates + secrets in one platform
- API-first environments (everything via Vault API)
- Very short-lived certificates (hours, auto-renewed by Vault Agent)
Architecture
```text
┌──────────────────────────────────────────┐
│ HashiCorp Vault Cluster                  │
├──────────────────────────────────────────┤
│ PKI Secrets Engine:                      │
│ • Root CA (or intermediate signed by     │
│   external root)                         │
│ • Roles (define what certs can be issued)│
│ • Issue endpoint (API-driven)            │
│ • CRL generation                         │
│ • OCSP (Enterprise only)                 │
├──────────────────────────────────────────┤
│ Also available:                          │
│ • KV secrets, Database creds, SSH        │
│ • Transit (encryption), AWS/Azure/GCP    │
├──────────────────────────────────────────┤
│ Storage: Raft (integrated) or Consul     │
│ Auth: K8s, AWS IAM, OIDC, AppRole, etc.  │
└──────────────────────────────────────────┘
```
Setup
```bash
# Enable PKI engine (assumes Vault is already running and you are logged in)
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
# Generate root CA (or import external)
vault write pki/root/generate/internal \
  common_name="My Root CA" ttl=87600h
# Publish the CA and CRL URLs that get embedded in every issued certificate
# (placeholder host; use your Vault address)
vault write pki/config/urls \
  issuing_certificates="https://vault.example.com:8200/v1/pki/ca" \
  crl_distribution_points="https://vault.example.com:8200/v1/pki/crl"
# Create a role (defines issuance policy)
vault write pki/roles/web-server \
  allowed_domains="internal.example.com" \
  allow_subdomains=true max_ttl=72h
# Issue a certificate
vault write pki/issue/web-server \
  common_name="api.internal.example.com" ttl=24h
```
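What that role actually constrains, as an added Go example modelling Vault's matching rules for allowed_domains, allow_subdomains, allow_bare_domains and max_ttl (a re-implementation written for this article, not Vault's own code; the Role type and Evaluate function are assumptions, and the defaults follow Vault's documented behaviour that both allow_* flags are off unless set):

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Role is an illustrative model written for this article, not Vault's code, of
// the role fields the web-server role above relies on: allowed_domains,
// allow_subdomains, allow_bare_domains and max_ttl. Defaults follow Vault's
// documented ones: both allow_* flags are off unless set explicitly.
type Role struct {
	AllowedDomains   []string
	AllowSubdomains  bool
	AllowBareDomains bool
	MaxTTL           time.Duration
}

// WebServerRole mirrors the role created in the setup snippet.
func WebServerRole() Role {
	return Role{AllowedDomains: []string{"internal.example.com"}, AllowSubdomains: true, MaxTTL: 72 * time.Hour}
}

// Evaluate returns the TTL a certificate for cn would actually receive, or an
// error if the role refuses the name. Two behaviours worth knowing: a requested
// ttl above max_ttl is capped rather than rejected (Vault returns a warning),
// and the zone apex is refused unless allow_bare_domains is set.
func (r Role) Evaluate(cn string, ttl time.Duration) (time.Duration, error) {
	if ttl <= 0 || ttl > r.MaxTTL {
		ttl = r.MaxTTL // simplification: Vault uses the role's ttl field when none is requested
	}
	cn = strings.ToLower(strings.TrimSuffix(cn, "."))
	for _, d := range r.AllowedDomains {
		d = strings.ToLower(d)
		if cn == d {
			if r.AllowBareDomains {
				return ttl, nil
			}
			return 0, fmt.Errorf("%q is the bare domain and allow_bare_domains is not set", cn)
		}
		// The leading dot matters: "internal.example.com.example.net" must not match.
		if r.AllowSubdomains && strings.HasSuffix(cn, "."+d) {
			return ttl, nil
		}
	}
	return 0, fmt.Errorf("%q is not under any allowed_domains entry", cn)
}
```

The practical consequence: with the role as written, Vault will happily issue for api.internal.example.com but refuse internal.example.com itself, and a ttl=240h request comes back as a 72h certificate with a warning rather than an error.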
Strengths
- Zero additional infrastructure if you already run Vault
- Unified platform (secrets + PKI + encryption + SSH)
- Excellent Kubernetes integration (Vault Agent, CSI driver)
- Very short-lived certificates (hours) with automatic renewal
- Strong access control (Vault policies)
- API-first design (everything programmable)
Weaknesses
- No ACME support (applications must use Vault API or Agent)
- No SCEP/EST/CMP (can’t enroll network devices or mobile)
- Limited certificate profile customization (compared to EJBCA)
- Requires Vault cluster (operational overhead if not already running Vault)
- PKI is one feature among many (not purpose-built for PKI)
- OCSP responder only in Enterprise edition
- BSL license (restrictions on offering as managed service)
Decision Matrix
```text
Do you need compliance certifications (WebTrust, ETSI)?
├── Yes → EJBCA (only option with compliance path)
└── No →
    Are you already running HashiCorp Vault?
    ├── Yes → Vault PKI (add PKI engine, zero new infrastructure)
    └── No →
        Do you need SCEP/EST/CMP for device enrollment?
        ├── Yes → EJBCA (only option with all protocols)
        └── No →
            Do you need SSH certificates too?
            ├── Yes → Smallstep (built-in SSH CA)
            └── No →
                How complex is your PKI hierarchy?
                ├── Simple (1 root + 1 issuing) → Smallstep (simplest)
                ├── Medium (multiple issuers, roles) → Vault PKI
                └── Complex (multi-tier, policies, RA) → EJBCA
```
Performance Comparison
| Metric | EJBCA | Smallstep | Vault PKI |
|---|---|---|---|
| Certificates/second | 500-2,000 | 100-500 | 200-1,000 |
| Memory (idle) | 1-2 GB (JVM) | 50-100 MB | 200-500 MB |
| Startup time | 30-60 seconds | 1-2 seconds | 5-10 seconds |
| Storage per 1M certs | ~10 GB (database) | ~2 GB | ~5 GB |
EJBCA wins on raw throughput (optimized for high-volume issuance). Smallstep wins on resource efficiency. Vault is in the middle.
Can They Work Together?
Yes — and this is common:
```text
EJBCA (offline Root CA)
    ↓ signs
Vault PKI (online Issuing CA for microservices — short-lived certs)
    ↓ issues
Service mesh certificates (24-hour validity, auto-renewed)

Smallstep (SSH CA)
    ↓ issues
SSH certificates for developer access (8-hour validity, SSO-tied)
```
Use EJBCA for the trust hierarchy and compliance. Use Vault for high-volume, short-lived operational certificates. Use Smallstep for SSH. Each tool does what it’s best at.
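The X.509 half of that layout, an offline root signing an online issuing CA that in turn issues 24-hour service certificates, as an added Go example using only crypto/x509 (written for this article; it is not code from EJBCA, Vault or step-ca, and the CA names, serials and lifetimes are constructed). It also shows two properties worth checking in a real deployment: the issuing CA carries pathlen 0 so it cannot mint further sub-CAs, and a verifier that trusts only the root cannot build the chain unless it is also handed the issuing certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Illustrative code for this article, not EJBCA, Vault or step-ca code: an offline
// root signs an online issuing CA, which issues a 24h service certificate. Names,
// serials and lifetimes are constructed; must panics on error to keep it short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// sign issues tpl under parent with parentKey, generating a fresh P-256 key for
// tpl; a nil parent means self-signed. Returns the parsed certificate and its key.
func sign(tpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// ca builds a CA template; pathLen 0 confines an issuing CA to end-entity certs.
func ca(cn string, serial int64, ttl time.Duration, pathLen int, now time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(ttl), IsCA: true, BasicConstraintsValid: true,
		MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}
// BuildChain returns the root, the issuing CA and a 24h leaf for api.internal.example.com.
func BuildChain(now time.Time) (root, issuing, leaf *x509.Certificate) {
	root, rootKey := sign(ca("Offline Root CA", 1, 10*365*24*time.Hour, 1, now), nil, nil)
	issuing, issKey := sign(ca("Online Issuing CA", 2, 2*365*24*time.Hour, 0, now), root, rootKey)
	leaf, _ = sign(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "api.internal.example.com"},
		DNSNames: []string{"api.internal.example.com"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, issuing, issKey)
	return root, issuing, leaf
}
// VerifyAt validates leaf -> issuing -> root at time t, trusting only the root.
func VerifyAt(root, issuing, leaf *x509.Certificate, t time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuing)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "api.internal.example.com", CurrentTime: t})
	return err
}
```

In production the root key lives offline or in an HSM and only ever signs the issuing CA's CSR; the online CA (Vault here) holds just the issuing key, so a compromise there is bounded by its pathlen and its own certificate lifetime.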
FAQ
Q: Which is cheapest to run? A: Smallstep (single binary, minimal resources, Apache 2.0 license). Vault is free for PKI but requires a cluster. EJBCA Community Edition is free but resource-intensive (JVM + database).
Q: Which scales best? A: EJBCA (designed for millions of certificates, database-backed, clusterable). Vault scales well with Raft. Smallstep is designed for smaller deployments (thousands, not millions).
Q: Can I migrate between them? A: The certificates they issue are standard X.509 — they work everywhere regardless of which CA issued them. Migrating the CA itself means: create new CA, sign it with your Root, start issuing from the new CA, let old certificates expire. The Root CA stays the same.
Q: What about cert-manager integration? A: All three work with cert-manager. EJBCA has an official cert-manager issuer. Smallstep has a step-issuer. Vault has the cert-manager vault issuer. cert-manager is the Kubernetes interface; the CA backend is your choice.
Q: Which should a startup use? A: Smallstep. It’s the fastest to set up, simplest to operate, and covers 90% of startup PKI needs (internal mTLS, SSH certificates, ACME for automation). Graduate to EJBCA or Vault when you outgrow it.