Entrust nShield HSMs
Updated Jul. 21 2021

With growing numbers of machines used by organizations to support digital transformation, protecting their identities is critical. Venafi orchestrates connections to machines needing certificates, while protecting cryptographic keys with Entrust nShield hardware security modules (HSMs).
Business Outcomes
  • Apply consistent security policies to put you in complete control

  • Enable trust in machines that are supporting critical business

  • Protect identities of devices and applications securing critical data

Integration Features
  • FIPS 140-2 and Common Criteria EAL 4+ root of trust

  • Automated lifecycle of keys and certificates

Solution Overview

Generating keys in an HSM addresses risks by producing strong FIPS-compliant signing and encryption keys with maximum entropy, using random number generation and secure hardware protection. While HSMs provide a way to secure machine identities, many organizations still opt to create custom scripts and use other manual processes to generate and provision keys, leaving them vulnerable to attack and introducing new risks to the enterprise.

Venafi and Entrust have joined forces to help address the machine identity management challenge faced by today’s enterprise customers. Venafi delivers an out-of-the-box solution that integrates with industry-leading Entrust nShield HSMs, on premises or as a service, to leverage strong hardware-based signing and encryption keys throughout the enterprise. 

Together Venafi and Entrust allow organizations to generate, store, and use keys securely – without private key material ever having to leave the HSM. These capabilities make it possible for enterprises to ensure the consistent use of the strongest cryptographic keys possible. 

The process begins when an administrator enters application and HSM information into the Venafi Platform, triggering the following actions by the platform:

  1. Connects to the managed application and instructs the HSM to generate a key pair
  2. Retrieves a CSR from the HSM through the managed application
  3. Uses the CSR for certificate enrollment with a CA
  4. Installs the certificate on the managed application (the private key remains on the HSM)

Venafi delivers the key and certificate, with the key pair securely maintained by the HSM. The capability is supported on Apache, Windows IIS and Java keystores.
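The four-step flow above, written out as an added Go example; this is not Venafi's or Entrust's code. A hypothetical `hsmSlot` type stands in for a key slot on the HSM and exposes only `crypto.Signer`, so the CSR (public key plus a signature made inside the slot) is the only thing that leaves it; the throwaway self-signed CA, the subject name `app.example.test` and the `Enrollment` type are likewise constructed for the example. A real integration would drive the HSM through its own client library rather than this software stand-in.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// hsmSlot is a hypothetical software stand-in for a key slot on the HSM: the
// private key is unexported and the type only implements crypto.Signer, so a
// caller can obtain the public key and signatures but never the private material.
type hsmSlot struct{ priv *ecdsa.PrivateKey }

// newHSMSlot is step 1: the key pair is generated inside the HSM.
func newHSMSlot() (*hsmSlot, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &hsmSlot{priv: priv}, nil
}

func (s *hsmSlot) Public() crypto.PublicKey { return &s.priv.PublicKey }

// Sign models an in-HSM operation: a digest goes in, a signature comes out.
func (s *hsmSlot) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return s.priv.Sign(r, digest, opts)
}

// Enrollment is what the parties hold after the four steps.
type Enrollment struct {
	Slot     *hsmSlot
	Cert, CA *x509.Certificate
}

// newTestCA builds a throwaway self-signed issuing CA (constructed for this example).
func newTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// EnrollHSMBacked walks steps 1-4 for one managed application.
func EnrollHSMBacked(commonName string) (*Enrollment, error) {
	slot, err := newHSMSlot() // step 1
	if err != nil { return nil, err }
	// Step 2: the CSR is signed through slot.Sign, so only the public key and a
	// proof of possession leave the HSM; the CA checks that proof before issuing.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, slot)
	if err != nil { return nil, err }
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, fmt.Errorf("CSR proof of possession failed: %w", err) }
	// Step 3: the CA issues against the CSR's public key; it never sees a private key.
	caCert, caKey, err := newTestCA()
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: []string{commonName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return nil, err }
	// Step 4: the application receives only the certificate; the key stays in the slot.
	return &Enrollment{Slot: slot, Cert: cert, CA: caCert}, nil
}

// KeyMatchesHSM is the post-install check: the certificate's public key must be
// the one the HSM slot holds.
func KeyMatchesHSM(cert *x509.Certificate, slot *hsmSlot) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(slot.Public())
}

func main() {
	e, err := EnrollHSMBacked("app.example.test")
	if err != nil { panic(err) }
	fmt.Println("issued", e.Cert.Subject.CommonName, "key matches HSM:", KeyMatchesHSM(e.Cert, e.Slot))
}
```

Running it prints the issued subject and the result of the post-install check. The point to notice is structural: no code path outside the slot type can reach the private key, the CA only ever handles the CSR's public key, and the installed artefact is the certificate alone, which is exactly the property the integration relies on.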