Introduction

Microsoft Internet Information Services (IIS) for Windows Server is a Web server application. Entrust nShield Hardware Security Modules (HSMs) integrate with IIS to provide key protection with FIPS-certified hardware. Integration of the nShield HSM with IIS provides the following benefits:

Uses hardware validated to the FIPS 140-2 and FIPS 140-3 standards.
Enables secure storage of the IIS keys.

Product configuration

Entrust has successfully tested the nShield HSM integration with IIS in the following configuration:

Product	Version
Operating System	Windows 2025 Server
IIS version	10.0

Product

Version

Operating System

Windows 2025 Server

IIS version

10.0

Supported nShield hardware and software versions

Entrust successfully tested with the following nShield hardware and software versions:

Product	Security World Software	Firmware	Netimage
nShield 5c	13.6.11	13.2.4 (FIPS 140-3 certified)	13.6.11
Connect XC	13.6.11	12.72.1 (FIPS 140-2 certified)	13.6.7

Supported nShield features

Entrust has successfully tested nShield HSM integration with the following features:

Feature	Support
Module-Only key	Yes
OCS cards	Yes ¹
Softcards	No
nSaaS	Yes

Feature

Support

Module-Only key

Yes

OCS cards

Yes ¹

Softcards

nSaaS

Yes

¹ OCS without a passphrase and 1/N quorum must be used.

Requirements

Knowledge of your organization Certificate Practices Statement and a Security Policy / Procedure in place covering administration of the HSM.
Access to the Entrust TrustedCare Portal.
An Entrust nShield HSM.
A dedicated Windows server.
Network environment with usable ports 9004 and 9005 for the HSM.

Familiarize yourself with the nShield Documentation.

The importance of a correct quorum for the Administrator Card Set (ACS).
Whether Operator Card Set (OCS) protection or Softcard protection is required.
If OCS protection is to be used, a 1-of-N quorum must be used.
Whether your Security World must comply with FIPS 140 Level 3 or Common Criteria standards. If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. For more information see FIPS 140 Level 3 compliance.
Whether to instantiate the Security World as recoverable or not.