Introduction

The Entrust PKI Hub is a versatile and robust virtual appliance that streamlines and simplifies deployment across various environments of the following Entrust solutions: Certificate Authority, CA Gateway, Certificate Enrollment Gateway, Certificate Hub, Timestamping Authority, and Validation Authority. The Entrust nShield Hardware Security Module (HSM) securely store and manage encryption keys. This document describes how to integrate both for added security of your PKI.

The HSM is available as an appliance or nShield as a Service (nSaaS). Throughout this guide, the term HSM refers to nShield Solo, nShield Connect, and nShield Edge products.

Product configuration

Entrust tested the integration with the following versions:

Product Version

Entrust PKI Hub

v1.0

Supported nShield hardware and software versions

Entrust successfully tested with the following nShield hardware and software versions. All integration used OCS protection. Module-protected keys are not supported in Entrust Certificate Authority v10.0 and later versions.

Product Firmware Netimage

nSaaS

12.72.1 (FIPS 140-2 certified)

12.80.5

Connect XC

12.72.3 (FIPS 140-2 certified)

13.6.5

nShield 5c

13.4.5 (FIPS 140-3 certified)

13.6.5

Requirements

To integrate the HSM and PKI Hub, you require:

  • A dedicated virtual appliance for the installation.

  • A dedicated server for hosting a PostgreSQL database and the Entrust nShield key management data.

  • Access to the Entrust TrustedCare Portal.

Familiarize yourself with:

  • The Entrust PKI Hub Entrust PKI Hub 1.0 - Installation and Administration Guide.

  • The Entrust nShield Product Documentation.

  • Your organizational Certificate Policy, Certificate Practice Statement, and a Security Policy or Procedure in place covering administration of the PKI and HSM:

    • The number and quorum of administrator cards in the Administrator Card Set (ACS) and the policy for managing these cards.

    • The number and quorum of operator cards in the Operator Card Set (OCS) and the policy for managing these cards.

    • The keys protection method: Module, Softcard, or OCS.

    • The level of compliance for the Security World, FIPS 140 Level 3.

    • Key attributes such as key size, time-out, or needed for auditing key usage.