Introduction

The Entrust Cryptographic Security Platform PKI Hub is a versatile and robust virtual appliance that streamlines and simplifies deployment of the following Entrust solutions across various environments: Certificate Authority, CA Gateway, Certificate Enrollment Gateway, Certificate Hub, Timestamping Authority, and Validation Authority. The Entrust nShield Hardware Security Module (HSM) securely stores and manages encryption keys. This document describes how to integrate the two for added security of your PKI.

The HSM is available as an appliance or nShield as a Service (nSaaS). Throughout this guide, the term HSM refers to nShield Solo, nShield Connect, and nShield Edge products.

Product configuration

Entrust tested the integration with the following versions:

Product                                          Version
Entrust Cryptographic Security Platform          v1.2
Entrust Cryptographic Security Platform PKI Hub  v1.3.0
Security World                                   v13.9.0 (Embedded in the product)
PostgreSQL                                       15.14 (Deployed on a Red Hat 9 Linux server)
VMWare vSphere                                   8.0

Supported nShield hardware and software versions

Entrust successfully tested with the following nShield hardware and software versions. All integrations used OCS protection. Module-protected keys are not supported in Entrust Certificate Authority v10.0 and later versions.

Product     Firmware   Netimage
Connect XC  13.8.0     13.9.0
nShield 5c  13.8.0     13.9.0

Requirements

To integrate the HSM and PKI Hub, you require:

  • A dedicated virtual appliance for the installation.

  • A dedicated server for hosting a PostgreSQL database and the Entrust nShield key management data.

  • Access to the Entrust TrustedCare Portal.

Familiarize yourself with:

  • The Entrust Cryptographic Security Platform PKI Hub documentation.

  • The nShield documentation.

  • Your organizational Certificate Policy, Certificate Practice Statement, and the Security Policy or Procedure in place covering administration of the PKI and HSM, in particular:

    • The number and quorum of administrator cards in the Administrator Card Set (ACS) and the policy for managing these cards.

    • The number and quorum of operator cards in the Operator Card Set (OCS) and the policy for managing these cards.

    • The key protection method: Module, Softcard, or OCS (only OCS is supported).

    • The level of compliance for the Security World (FIPS 140 Level 3).

    • Key attributes such as key size, time-out, or those needed for auditing key usage.