Introduction

Microsoft Internet Information Services (IIS) for Windows Server is a Web server application. Entrust nShield Hardware Security Modules (HSMs) integrate with IIS to provide key protection with FIPS-certified hardware. Integration of the nShield HSM with IIS provides the following benefits:

  • Uses hardware validated to the FIPS 140-2 and FIPS 140-3 standards.

  • Enables secure storage of the IIS keys.

Product configuration

Entrust has successfully tested the nShield HSM integration with IIS in the following configuration:

Product             Version
Operating System    Windows 2025 Server
IIS version         10.0

Supported nShield hardware and software versions

Entrust successfully tested with the following nShield hardware and software versions:

Product      Security World Software   Firmware                         Netimage
nShield 5c   13.6.11                   13.2.4 (FIPS 140-3 certified)    13.6.11
Connect XC   13.6.11                   12.72.1 (FIPS 140-2 certified)   13.6.7

Supported nShield features

Entrust has successfully tested nShield HSM integration with the following features:

Feature           Support
Module-Only key   Yes
OCS cards         Yes (1)
Softcards         No
nSaaS             Yes

(1) An OCS without a passphrase and a 1/N quorum must be used.

Requirements

  • Knowledge of your organization's Certificate Practices Statement, and a Security Policy / Procedure in place covering administration of the HSM.

  • Access to the Entrust TrustedCare Portal.

  • An Entrust nShield HSM.

  • A dedicated Windows server.

  • Network environment with usable ports 9004 and 9005 for the HSM.

Familiarize yourself with the nShield documentation, in particular:

  • The importance of a correct quorum for the Administrator Card Set (ACS).

  • Whether Operator Card Set (OCS) protection or Softcard protection is required.

  • If OCS protection is to be used, a 1-of-N quorum must be used.

  • Whether your Security World must comply with FIPS 140 Level 3 or Common Criteria standards. If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. For more information, see FIPS 140 Level 3 compliance.

  • Whether to instantiate the Security World as recoverable or not.