The following solutions support a single HSM or a cluster of multiple HSMs for high availability.
Solution | Single HSM | HSM cluster |
|---|---|---|
Certificate Authority (CA) |
|
|
Timestamping Authority (TSA) |
|
|
Validation Authority (EVA) |
|
|
Refer to the following table for a list of supported HSM manufacturers and their corresponding versions.
Hardware | Client driver | Firmware |
|---|---|---|
Entrust nShield Connect XC | 13.9.0 (FIPS 140-2 Level 3 mode supported) | 12.60.15 & 12.60.2 |
Entrust nShield 5c | 13.9.0 | 13.2.4 |
Thales Luna HSM 7 | 10.8.0 | 7.7.1-20 |
Thales TCT | 10.8.0 | 7.7.1-20 |
General considerations:
- You do not need to install the client drivers because the solution already includes this software. However, these client drivers cannot be updated.
- You can only use 1/N card sets. A card set of, for example, 2/5 cards is not supported.
On high-availability installations with a cluster of several HSMs:
- You cannot use HSMs from different providers simultaneously, meaning that nShield and Thales HSMs cannot coexist within the same deployment.
- Entrust Validation Authority may experience the Thales TCT limitations described in the Thales TCT Universal Client Plugin Additional Information technical note dated May 28, 2025.
- Solutions using the HSMs must be redeployed after any loss of connection with the HSMs, such as after an HSM reboot.