When engineers first explore Public Key Infrastructure (PKI), it often starts with curiosity and a need to solve a specific task. However, as systems mature, security and resilience become non-negotiable. Eventually, automation and scale define success.
To support this journey, we have expanded our deployment options with the EJBCA Container Set, a modern, containerized PKI installation experience designed for today’s infrastructure. It includes:
- Streamlined deployment via Helm charts
- Full HSM integration
- Scalable PKI segmentation using EJBCA peer connectors
- Powerful import/export automation with the ConfigDump feature
Whether you are standing up your first PKI or planning for high-availability, multi-environment rollouts, the EJBCA Container Set helps you move from experimentation to enterprise readiness, with hardened security, true automation, and the flexibility to scale with confidence.
We call this journey Tinkering, Trust, and Turbocharge, and we are here to guide you every step of the way, from first steps to full-scale PKI operations.
Phase 1: Tinker – Explore & Prototype
Most engineers begin in the tinkering phase, exploring PKI out of curiosity or to solve a specific, immediate problem. This hands-on, experimental stage is focused on learning, experimenting with tools, and creating basic setups, often in test environments, self-signed certificates, and using easily available tools and components.
In this phase, flexibility and speed matter more than structure or scale. It is all about getting started and understanding how things work.
Tinkering with EJBCA Container Set
Get hands-on fast—start with the EJBCA Enterprise container. For example:
- Use the EJBCA Enterprise Helm chart to launch a developer Certificate Authority (CA) in Kubernetes with a soft-HSM and MariaDB Galera cluster.
- Establish a simple two-tier CA (Root + Subordinate), enroll a sample certificate via REST, and review CRL service, with this tutorial.
-> Check out the Helm deployment tutorial.
Or spin up an EJBCA Community container using Helm and get started with EJBCA by following our tutorials, for example:
- Use the EJBCA Enterprise Helm chart to launch EJBCA Community in your Kubernetes cluster. Check out the Tutorial
- The Community Edition does not support automation with ConfigDump, so your PKI must be set up and managed manually. Follow these tutorials to set up a basic two-tier PKI and issue TLS client and server certificates.
Please note that the Enterprise and Community Editions share the same Helm chart; however, some features are only available in EJBCA Enterprise Edition and not in the Community Edition.
Key outcomes while Tinkering: Validate your use cases (e.g., TLS, IoT identity, PQC PKI + Hybrid). Build confidence, baseline performance, and understand integration paths.
Next steps: Choose any other EJBCA Tutorials and use cases to continue tinkering, e.g., REST enrollment or Service Mesh certificates.
Phase 2: Trust – Harden & Secure
Once you recognize the value of PKI, it is time to professionalize your deployment.
We recommend using the EJBCA Enterprise Edition. It offers capabilities purpose-built for production environments, including:
- EJBCA Peer connector for scalable and secure PKI deployments through segmentation of PKI components CA, Validation Authority (VA) and Registration Authority (RA).
- Advanced HSM support, including Post-Quantum Cryptography (PQC) HSM integration.
- Automation features enabled through the Helm chart and ConfigDump for declarative configuration management.
Lock down your PKI
1. Use EJBCA Peer Connectors to enforce network zoning:
- Keep the CA in a protected subnet; only outbound mTLS connections reach the RA/VA peers in public zones.
- Automate the peer connector setup using the ConfigDump tool with JSON configs.
2. Integrate with real HSMs:
- Move from soft-HSM to a secure module. EJBCA production Crypto Tokens include advanced HSM support.
3. Build high availability:
- Use Helm to deploy multi-node CA, VA, and RA clusters behind a load balancer in each region. Use database clustering (e.g., MariaDB Galera or PostgreSQL HA) and replicated HSM sidecars.
4. Enforce separation of duties:
- Assign distinct roles for CA administrators, RA operators, and auditors. Harden connections, tamper-proof audit logs, and publish services via dedicated VA pods.
Diagram:Clustered deployment with Helm
Key outcomes
A hardened, production-grade PKI that is secure, resilient, and auditor-friendly.
Do you want to try this?
Read about it:
Try it out by following our Tutorial:
Phase 3: Turbocharge – Automate & Scale
With a hardened PKI in place, it is time to supercharge and scale your installation with confidence:
- Use Helm, Peer and ConfigDump, to automate issuance and scale your PKI. The EJBCA Helm chart provides centralized management via values.yaml, enabling dynamic scaling and replication.
- Use peer connectors to deploy lightweight RA/VA pods in remote clusters—ideal for global services or hybrid cloud setups.
Key outcomes
A self-scaling, resilient PKI that’s invisible to end users but critical to infrastructure integrity.
Do you want to try this?
Read about it:
Try it out by following our Tutorial:
Real-World Examples
> Segmentation Across Trust Domains
Financial services firms often isolate certifications for internal systems versus public clients. By establishing a CA in an isolated subnet and deploying RAs in DMZs using EJBCA Peer, they enforce strong segmentation with mTLS and audit control.
> Multi-Region High Availability
Global SaaS companies deploy CA/VA/RA clusters in Europe and North America, each with replicated HSMs and databases. Failover is automated, with sticky session load balancers and health-checked pods. Kubernetes handles pod autoscaling to meet demand bursts.
> Post-Quantum HSM Support and Migration
A leading European bank is using the EJBCA Container Set to prepare for PQC by piloting hybrid certificate issuance. Their security team runs a parallel CA hierarchy in Kubernetes, configured to issue ML-DSA and ML-KEM certificates using software-based cryptography providers. This environment mirrors their production setup but uses separate trust anchors and isolated namespaces to avoid operational risk.
As PQC-capable HSMs become available from their vendor, the bank plans a phased migration. Thanks to the containerized architecture and dynamic crypto token support in EJBCA, they can easily switch from software cryptography to hardware-backed keys without changing application integration points or trust models. Using Helm automation and GitOps pipelines, the bank maintains declarative configuration (via ConfigDump) for both classical and quantum-safe environments, supporting crypto-agility, compliance testing, and production readiness without disrupting existing operations.
The Journey Recap
| Phase | Focus | What You’ll Build |
| Tinker | Prototype & validate | Dev CA, REST workflows, ACME tests |
| Trust | Harden & secure | Segmented CA deployment with HSM and
HA clustering |
| Turbocharge | Automate & scale | Multi-region RA/VA, and Automatic scaling |
More details on the EJBCA Container Set in our documentation
Explore Keyfactor for Developers on YouTube
Keyfactor’s YouTube channel offers an extensive library of videos built to help engineers get started with PKI and signing. Whether you are just beginning or looking to scale, our curated playlists guide you through every step of the Tinkering → Trust → Turbocharge journey—so you can go from first experiments to production-ready solutions with confidence.
Final Thoughts
PKI is not delivered in one step; it is developed over time. Whether you’re in early prototyping or running global PKI services, the Tinker → Trust → Turbocharge model with EJBCA Enterprise Container set gives you a clear frame for action.
