Entrust nShield HSMs
Apply consistent security policies to put you in complete control
Enable trust in machines that are supporting critical business
Protect identities of devices and applications securing critical data
FIPS 140-2 and Common Criteria EAL 4+ root of trust
Automated lifecycle of keys and certificates
Generating keys in an HSM addresses risks by producing strong FIPS-compliant signing and encryption keys with maximum entropy, using random number generation and secure hardware protection. While HSMs provide a way to secure machine identities, many organizations still opt to create custom scripts and use other manual processes to generate and provision keys, leaving them vulnerable to attack and introducing new risks to the enterprise.
Venafi and Entrust have joined forces to help address the machine identity management challenge faced by today’s enterprise customers. Venafi delivers an out-of-the-box solution that integrates with industry-leading Entrust nShield HSMs, on premises or as a service, to leverage strong hardware-based signing and encryption keys throughout the enterprise.
Together Venafi and Entrust allow organizations to generate, store, and use keys securely – without private key material ever having to leave the HSM. These capabilities make it possible for enterprises to ensure the consistent use of the strongest cryptographic keys possible.
The process begins when an administrator enters application and HSM information into the Venafi Platform, triggering the following actions by the platform:
- Connects to the managed application and instructs the HSM to generate a key pair
- Retrieves a CSR from the HSM through the managed application
- Uses the CSR for certificate enrollment with a CA
- Installs the certificate on the managed application (the private key remains on the HSM)
Venafi delivers key and certificate with the key pair securely maintained by the HSM. The capability is supported on Apache, Windows IIS and Java keystores.