The following CSP solutions require a Security Module (HSM).

  • Certificate Authority
  • Timestamping Authority
  • Validation Authority

See below for the HSM requirements.

HSM versions

See the following table for the HSM versions supported by each solution.

Hardware

Client driver

Firmware

Certificate Authority

Timestamping Authority

Validation Authority

Entrust nShield Connect XC

13.9.0 (FIPS 140-2 Level 3 mode supported)

12.60.15 & 12.60.2

(tick) 

(tick) 

(tick) 

Entrust nShield 5c

13.9.0

13.2.4

(tick) 

(tick) 

(tick) 

Entrust nShield 5c 10G 

Not supported

Not supported

(error) 

(error) 

(error) 

Epicom

 EP990 v1.08-1

(error) 

(tick) 

(tick) 

Thales Luna HSM 7

10.8.0

7.7.1-20

(tick) 

(tick) 

(tick) 

Thales TCT

10.8.0

7.7.1-20

(error)  

(tick) 

(tick) 

HSM card sets

You can only use 1/N card sets. A card set of, for example, 2/5 cards is not supported.

HSM high availability

On high-availability installations with a cluster of several HSMs:

  • You cannot use HSMs from different providers simultaneously, so nShield and Thales HSMs cannot coexist in the same deployment.
  • Entrust Validation Authority may experience the Thales TCT limitations described in the Thales TCT Universal Client Plugin Additional Information technical note dated May 28, 2025.
  • Solutions that use the HSMs must be redeployed after any loss of connection to the HSMs, such as an HSM reboot.

HSM client drivers

You do not need to install the client drivers, as the solution already includes them. 

HSM client drivers cannot be updated.