Introduction

Keyfactor EJBCA Enterprise is a certificate management solution that is ready for post-quantum cryptography (PQC). It deploys fast, runs anywhere, and scales to meet any architecture. Entrust nShield HSMs provide FIPS or Common Criteria certified solutions to securely generate, encrypt, and decrypt cryptographic keys.

The nShield HSM strengthens the security of Keyfactor EJBCA Enterprise by generating and protecting the cryptographic keys behind its certificates inside certified hardware. In addition, the nShield HSM supports various PQC algorithms. This guide describes how to integrate Keyfactor EJBCA Enterprise with an nShield HSM.

Product configurations

Entrust has successfully tested nShield HSM integration with Keyfactor EJBCA Enterprise in the following configurations:

| Product | Version |
| --- | --- |
| Keyfactor EJBCA Enterprise Cloud - 8x5 Support | v9.4.2 |

Supported nShield features

Entrust has successfully tested nShield HSM integration with the following features:

| Feature | Support |
| --- | --- |
| Softcards | Yes |
| Module-only key | Yes |
| OCS cards | Yes |
| nSaaS | Supported but not tested |

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield HSM hardware and software versions:

nShield 5c

| Security World Software | Firmware | Netimage | OCS | Softcard | Module |
| --- | --- | --- | --- | --- | --- |
| 13.9.3 (STS 4) | 13.8.4 | 13.9.3 | | | |

Connect XC

| Security World Software | Firmware | Netimage | OCS | Softcard | Module |
| --- | --- | --- | --- | --- | --- |
| 13.9.3 (STS 4) | 13.8.3 | 13.9.3 | | | |

Requirements

Familiarize yourself with the Keyfactor EJBCA Cloud AWS documentation and the nShield Security World documentation.

You must also understand:

  • The importance of a correct quorum for the Administrator Card Set (ACS).

  • Whether Operator Card Set (OCS) protection or Softcard protection is required.

    • If OCS protection is to be used, a 1-of-N quorum must be used.

  • Whether your Security World must comply with FIPS 140 Level 3 or Common Criteria standards.

    If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For more information see FIPS 140 Level 3 compliance.

  • Whether to instantiate the Security World as recoverable or not.