Why Migrate from
Microsoft CA to EJBCA?

Microsoft CA was an easy choice for traditional IT environments, but the shift to Azure, multi-cloud, and modern applications demands more from your PKI.

See the comparison

You've outgrown your
traditional PKI

Behind every certificate is a public key infrastructure (PKI). Microsoft Active Directory Certificate Services (ADCS), often referred to as Microsoft CA, has long been the de facto PKI for organizations. It’s well integrated with Microsoft infrastructure and it supports standard use cases.

However, the path to the cloud introduces new challenges. For starters, traditional PKI wasn’t built to handle the volume and velocity of certificate usage today. Not to mention a lack of out-of-the-box integrations and easily overlooked misconfigurations that create serious risks.

Icon Icon

Operational drawbacks

Traditional PKI deployments built on Microsoft CA can only install one CA per server. As use cases grow, the footprint of CA servers becomes costly and complex to manage.

Icon Icon

New use cases

Microsoft CA is well-integrated with AD infrastructure, but it becomes an operational roadblock as organizations adopt new use cases and shift to modern multi-cloud, multi-OS architectures.

Icon Icon

Cloud migration

Traditional PKI is rigid and inflexible. Organizations need a modern PKI solution that can be deployed how and where they need it, whether it’s on-premise or in the cloud, fully managed or self-hosted.

Modernize Your PKI with EJBCA

Keyfactor EJBCA is built for the modern enterprise. From the creators of EJBCA Community, the world’s most trusted and widely adopted open-source CA software, Keyfactor EJBCA is a powerful PKI engine for hybrid and multi-cloud environments.

Why Teams Choose EJBCA


EJBCA is a multi-tenant solution that offers the flexibility to run multiple use cases and CAs in a single installation

Microsoft integrated

Supports Auto-enrollment, Microsoft Intune, Azure Key Vault, and comprehensive support for HSMs

Easily extensible

EJBCA supports integration with modern interfaces and protocols such as CMP, EST, SCEP, ACME, REST API, and Web Services

Flexible deployment

EJBCA is available in the cloud, as a service (SaaS), or as a turnkey software or hardware appliance with a built-in HSM

Trusted and compliant

EJBCA is Common Criteria certified and has been deployed in numerous WebTrust and eIDAS audited installations

Highly scalable

Supports scalable database-level clustering and high availability to meet even the highest certificate demands

Compare Microsoft CA and EJBCA

Here are the key reasons why EJBCA is the most widely adopted PKI today

Table Logo
Table Logo
High availability

Unreliable support via JET database when certificate issuance gets into the millions

High availability at the database level via Oracle RAC cluster, MariaDB, PostgreSQL, Microsoft SQL Server

Custom certificate extensions

Not supported

Custom extensions are easily added using the UI or CLI

Certificate profiles

Limited to Active Directory certificate templates available

Certificate profiles are flexible and easily implemented. New profiles can be added via the UI or CLI. EJBCA supports export and import of profiles.

Multitenant CA solution

Not supported

No limit on the number of tenant CA that can be installed on an EJBCA instance

OS support

Windows Server only

Any operating system is supported

Rest API

Not available

Rich Rest API available

SOAP Web Services

Not available

Rich WS API available

Certificate Management Protocol (CMP)

Not available

Supported complying with RFC 4210 and RFC 6712

External, independent OCSP Responder

Supported based on the CRL

Fully supported including whitelisting of certificates and the support of configurable response options i.e. GOOD or UNKNOWN for certificates not issued by the CA

Microsoft auto-enrollment


Supported via Certificate Enrollment Policy (CEP) and Certificate Enrollment Service (CES) for a native integration for certificate enrollment

Web GUI-based RA

Limited support

Full support

Certificate approvals

Limited support

Flexible support with simple or partitioned workflows

External RA

Must be custom-built

Available out of the box

Certificate transparency

Not supported

Supported complying with RFC 6962


Not supported

Supported complying with RFC 8555


Not supported

Supported complying with RFC 7030

Fully Supported

Available via third parties

Delivered directly by the vendor

Custom Development

Available via third parties

Keyfactor can deliver custom versions of the product and add specific customer enhancements


Not available

Supported complying with BSI TR-03110

ICAO standards (Travel documents)

Not available

Available. Keyfactor is committed to supporting the latest standards in a reasonable time frame.

Peer connectors

Not available

Keyfactor products provide peer connectors* for inter-component communication between a CA and an RA or a CA and a VA

Azure Intune integration


Supported for certificate issuance & revocation

Azure OAuth integration

Not available

Available for authtication to EJBCA adminweb, RA web, and Rest/Web service APIs

Azure Key Vault

Not supported

Supported for Key Vault & managed HSM

Azure storage blobs

Not available

EJBCA can publish certificates, CRLs, and CA certificates to Azure storage blobs

Azure machine identities

Not available


Step-by-step PKI migration

Are you using Microsoft ADCS and consider migrating? No problem, Keyfactor has done this before. Depending on your existing use cases and new requirements the PKI migration strategy might look different. However, for a typical migration from your existing Microsoft ADCS installation to EJBCA, see this step-by-step guide.