Introduction

The Entrust Validation Authority (EVA) Server is an Online Certificate Status Protocol (OCSP) server that distributes certificate revocation information for certificates issued by any certification authority (CA). The EVA Server provides integrity and validity for online transactions by validating, in real time, digital certificates issued by a CA. The Entrust nShield Hardware Security Module (HSM) integrates with the Entrust Validation Authority server through the nShield PKCS #11 cryptography API to securely generate and store the OCSP response signing keys. To respond to OCSP requests, Entrust Validation Authority connects to several components, shown in the architecture diagram below.

[Figure: Entrust Validation Authority (EVA) architecture]

In this architecture:

  • Multiple clients send OCSP requests to the OCSP Responder service of Entrust Validation Authority.

  • Multiple Certification Authorities (CAs) issue certificates.

  • One or more Hardware Security Modules (HSMs) manage one or several OCSP signing keys.

  • One database stores the status of the certificates. For each CA, Entrust Validation Authority obtains the certificate status from either:

    • An Entrust CA Gateway instance.

    • A full or "combined" CRL published in an LDAP or HTTP server. Entrust Validation Authority does not support partitioned CRLs.

In this guide, the CA Gateway was not used; instead, Entrust Validation Authority was configured to use a Certificate Revocation List (CRL) published on an HTTP server.
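The architecture above has the OCSP Responder answer from a per-CA status table that is rebuilt from each full CRL it fetches. The following is an added illustration of that lookup logic, written for this guide; it is not Entrust Validation Authority's code. The CRL contents, issuer names, serial numbers and timestamps are constructed, and the rule that a CRL past its nextUpdate no longer supports a "good" answer is an assumption of this model, not a documented product behaviour.

```python
# Added example: a model of the CRL-backed status store behind an OCSP responder.
# Illustrative only; not Entrust Validation Authority's implementation.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"   # OCSP CertStatus values (RFC 6960)


@dataclass
class Crl:
    """The parsed CRL fields that matter for status lookup."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict[int, tuple[datetime, str]]     # serial -> (revocationDate, reason)
    # True when an Issuing Distribution Point extension scopes the CRL to only a
    # subset of the CA's certificates (a partitioned CRL) or it is a delta CRL.
    partitioned: bool = False


class StatusStore:
    """One status table per CA, replaced wholesale by each newer full CRL."""

    def __init__(self) -> None:
        self._by_issuer: dict[str, Crl] = {}

    def load_crl(self, crl: Crl) -> bool:
        # A partitioned CRL covers only part of the CA's certificates, so a serial
        # absent from it cannot safely be reported as "good": reject it outright.
        if crl.partitioned:
            raise ValueError(f"{crl.issuer}: partitioned CRLs are not supported; publish a full CRL")
        if crl.next_update <= crl.this_update:
            raise ValueError(f"{crl.issuer}: nextUpdate must be after thisUpdate")
        current = self._by_issuer.get(crl.issuer)
        if current is not None and crl.this_update <= current.this_update:
            return False                  # replayed or older CRL: keep the current table
        self._by_issuer[crl.issuer] = crl # a full CRL replaces the CA's whole table
        return True

    def status(self, issuer: str, serial: int, now: datetime):
        """Return (CertStatus, revocation info or None) for one OCSP request."""
        crl = self._by_issuer.get(issuer)
        if crl is None:
            return UNKNOWN, None          # this CA is not configured on the responder
        entry = crl.revoked.get(serial)
        if entry is not None:             # a revocation stays a fact even if the CRL is stale
            return REVOKED, {"revocationTime": entry[0], "reason": entry[1]}
        # Model assumption: past nextUpdate the table is too old to vouch for "good".
        if now > crl.next_update:
            return UNKNOWN, None
        return GOOD, None


def respond(store: StatusStore, requests, now: datetime):
    """Answer a batch of (issuer, serial) requests as one OCSP response would."""
    return [(issuer, serial, *store.status(issuer, serial, now)) for issuer, serial in requests]


# Constructed sample data (hypothetical CA, serials and dates).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
ISSUER = "CN=Example Issuing CA"
SAMPLE_CRL = Crl(issuer=ISSUER, this_update=T0, next_update=T0 + timedelta(days=7),
                 revoked={0x1002: (T0 - timedelta(days=1), "keyCompromise")})
PARTITIONED_CRL = Crl(issuer=ISSUER, this_update=T0 + timedelta(days=1),
                      next_update=T0 + timedelta(days=8), revoked={}, partitioned=True)
OLDER_CRL = Crl(issuer=ISSUER, this_update=T0 - timedelta(days=7), next_update=T0, revoked={})


def demo():
    """Load the CRLs and answer the same three requests while fresh and when stale."""
    store = StatusStore()
    store.load_crl(SAMPLE_CRL)
    replaced_by_older = store.load_crl(OLDER_CRL)          # False: older CRL ignored
    try:
        store.load_crl(PARTITIONED_CRL)
        partitioned_accepted = True
    except ValueError:
        partitioned_accepted = False
    requests = [(ISSUER, 0x1001), (ISSUER, 0x1002), ("CN=Other CA", 0x1001)]
    fresh = respond(store, requests, T0 + timedelta(days=1))
    stale = respond(store, requests, T0 + timedelta(days=30))
    return replaced_by_older, partitioned_accepted, fresh, stale


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run as a script it prints the two result batches: while the CRL is fresh the unrevoked serial is "good", the revoked one is "revoked" with its reason, and the unconfigured CA is "unknown"; once the CRL is stale only the revoked entry keeps a definite answer.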

Requirements

The Entrust Validation Authority requires the following software:

  • Entrust Deployment Manager 2.0

  • Database

  • Entrust CA Gateway, or a CRL hosted on an HTTP server.

  • Serial Number server (Not used in this integration)

  • Certification Authority (CA)

Refer to the Entrust Validation Authority Deployment Guide for product-specific requirements.

Before starting this integration, review:

  • The documentation for the nShield Connect HSM.

  • The documentation and configuration process for Entrust Deployment Manager.

  • The documentation and configuration process for Entrust Validation Authority.

Before using nShield products:

  • When creating a Security World, identify custodians of the administrator card set (ACS).

  • Obtain enough blank smart cards to create the ACS.

  • Define the Security World parameters. For details of the security implications of the choices, see the nShield Security Manual.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

Licensing

Configuring Entrust Validation Authority requires importing a license text file through the Entrust Deployment Manager server administration web UI, so obtain the license file before you begin. Refer to the Entrust Validation Authority Deployment Guide for product-specific license requirements.

Product configurations

Entrust tested nShield HSM integration with Entrust Validation Authority in the following configurations:

Product                        Version
Entrust Validation Authority   2.3.0
Entrust Deployment Manager     2.0.0
Postgres Database              12
easy-rsa CA                    3.0.6-1
HSM Hardware                   Connect XC

Supported features

Entrust tested nShield HSM integration with the following features:

Softcard   Module   OCS   nSaaS
Yes        Yes      Yes   Not Tested

Supported nShield hardware and software versions

Entrust tested with the following nShield hardware and software versions:

nShield Hardware   nShield HSM Firmware   FIPS
Connect XC         12.50.11               140 Level 2
Connect XC         12.50.11               140 Level 3

Supported nShield functionality

Feature                        Support
Key Generation                 Yes
Key Management                 Yes
FIPS 140 Level 3 mode support  Yes
Operator Card Set              Yes
Softcards                      Yes
Module-only keys               Yes
Load Sharing                   Yes