The following CSP solutions require a Security Module (HSM).

  • Certificate Authority
  • Timestamping Authority
  • Validation Authority

See below for the HSM requirements.

HSM versions

See the following table for the HSM versions supported by each solution.

Hardware

Client driver

Firmware

CA

TSA

VA

Entrust nShield Connect XC

13.7.3 (FIPS 140-2 Level 3 mode supported)

12.60.15 & 12.60.2

(tick) 

(tick) 

(tick) 

Entrust nShield 5c

13.7.3

13.2.4

(tick) 

(tick) 

(tick) 

Thales Luna HSM 7

 10.8.0

7.7.1-20

(error) 

(tick) 

(tick) 

HSM card sets

You can only use 1/N card sets. A card set of, for example, 2/5 cards is not supported.

HSM high availability

On high-availability installations with a cluster of several HSMs:

  • You cannot use HSMs from different providers simultaneously, so nShield and Thales HSMs cannot coexist in the same deployment.
  • Entrust Validation Authority may experience the Thales TCT limitations described in the Thales TCT Universal Client Plugin Additional Information technical note dated May 28, 2025.
  • Solutions that use the HSMs must be redeployed after any loss of connection to the HSMs, such as an HSM reboot.

HSM client drivers

You do not need to install the client drivers, as the solution already includes them. 

HSM client drivers cannot be updated.