The following CSP solutions require a Security Module (HSM).
- Certificate Authority
- Timestamping Authority
- Validation Authority
See below for the HSM requirements.
HSM versions
See the following table for the HSM versions supported by each solution.
Hardware | Client driver | Firmware | Certificate Authority | Timestamping Authority | Validation Authority |
|---|---|---|---|---|---|
Entrust nShield Connect XC | 13.9.0 (FIPS 140-2 Level 3 mode supported) | 12.60.15 & 12.60.2 |
|
|
|
Entrust nShield 5c | 13.9.0 | 13.2.4 |
|
|
|
Entrust nShield 5c 10G | Not supported | Not supported |
|
|
|
Epicom | EP990 v1.08-1 | — |
|
|
|
Thales Luna HSM 7 | 10.8.0 | 7.7.1-20 |
|
|
|
Thales TCT | 10.8.0 | 7.7.1-20 |
|
|
|
HSM card sets
You can only use 1/N card sets. A card set of, for example, 2/5 cards is not supported.
HSM high availability
On high-availability installations with a cluster of several HSMs:
- You cannot use HSMs from different providers simultaneously, so nShield and Thales HSMs cannot coexist in the same deployment.
- Entrust Validation Authority may experience the Thales TCT limitations described in the Thales TCT Universal Client Plugin Additional Information technical note dated May 28, 2025.
- Solutions that use the HSMs must be redeployed after any loss of connection to the HSMs, such as an HSM reboot.
HSM client drivers
You do not need to install the client drivers, as the solution already includes them.
HSM client drivers cannot be updated.