Introduction

The Entrust Certificate Authority is a Public-Key Infrastructure (PKI) solution. The Entrust nShield Hardware Security Module (HSM) securely store and manage encryption keys. This document describes how to integrate both for added security of your PKI.

The HSM is available as an appliance or nShield as a Service (nSaaS). Throughout this guide, the term HSM refers to nShield Solo, nShield Connect, and nShield Edge products.

Product configuration

Entrust tested the integration with the following versions:

Product Version

Entrust Certificate Authority

v10.1.1

PostgreSQL

v15.2.0-9

Red Hat Enterprise Server

v8.9

Supported nShield hardware and software versions

Entrust successfully tested with the following nShield hardware and software versions:

Product Security World Software Firmware Netimage OCS Softcard Module

nSaaS

13.4.5

12.72.1 (FIPS 140-2 certified)

12.80.5

Connect XC

13.4.5

12.72.1 (FIPS 140-2 certified)

12.80.5

nShield Edge

13.4.5

12.72.0 (FIPS 140-2 certified)

nShield 5c

13.4.5

13.2.2

13.3.2

nShield Solo XC

13.4.5

12.72.1 (FIPS 140-2 certified)

Module Protected keys are no longer supported in Entrust Certificate Authority v10.0 and above.
Support for the nShield 5s is in the roadmap for a future release

Requirements

To integrate the HSM and Certificate Authority, you require:

Familiarize yourself with:

  • The Entrust Certificate Authority (https://www.entrust.com/digital-security).

  • The nShield HSM: Installation Guide and User Guide.

  • Your organizational Certificate Policy, Certificate Practice Statement, and a Security Policy or Procedure in place covering administration of the PKI and HSM:

    • The number and quorum of administrator cards in the Administrator Card Set (ACS) and the policy for managing these cards.

    • The number and quorum of operator cards in the Operator Card Set (OCS) and the policy for managing these cards.

    • The keys protection method: Module, Softcard, or OCS.

    • The level of compliance for the Security World, FIPS 140 Level 3.

    • Key attributes such as key size, time-out, or needed for auditing key usage.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.