Typically with crypto you want to stick with one major industry standard implementation that is strenuously verified. It's probably more concerning if everyone's using their own.
Suppose so but doesn’t it become one well to poison? It just surprises me a bit (mainly because I was NOT familiar with EJBCA and have moderate awareness of PKI)