Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients



A PKCS#11-compliant device can be used to handle CA key pairs and system keys, to protect archived keys, and to generate keys.

For functional specifications, known issues and limitations related to current PKCS#11 drivers, see each HSM vendor’s web site. 

The following devices are explicitly verified:

  • AEP Systems Sureware Keyper, FIPS 140-1 level 4
  • Atos Bull Trustway Proteccio NetHSM
    • Note: Only verified with CIS, not with CCM and KAR.
  • DocuSign ARX PrivateServer
  • Gemalto SafeNet ProtectServer Internal - Express 2
  • Gemalto SafeNet ProtectServer External 2
  • Gemalto SafeNet Luna CA3, FIPS 140-1 level 3
  • Gemalto SafeNet Luna CA4, FIPS 140-2 level 3
  • Gemalto SafeNet Luna SA 4.4, FIPS 140-2 level 3
    • Note: Since SafeNet Luna disallows key export when in FIPS mode, enable non-FIPS mode for use with CM KAR (Key Archiving and Recovery).
  • Gemalto SafeNet Luna SA 5.0, FIPS 140-2 level 3
    • Note: Since SafeNet Luna disallows key export when in FIPS mode, enable non-FIPS mode for use with CM KAR (Key Archiving and Recovery).
  • Gemalto SafeNet Luna G5
  • Gemalto SafeNet Luna HSM 6
  • Gemalto SafeNet Luna Network HSM 7
  • Gemalto SafeNet Luna PCIe HSM 7
  • IBM 4758, FIPS 140-1 level 3 and 4
  • Nitrokey HSM 2
  • Thales nShield Connect+, FIPS 140-2 level 3
  • Thales nShield Solo+, FIPS 140-2 level 3
  • Thales nShield Edge
  • Thales WebSentry PCI, FIPS 140-1 level 4
  • Thales WebSentry Ethernet, FIPS 140-1 level 4
  • Utimaco CryptoServer Security Server CS 10/50 LAN/PCI, FIPS 140-2 level 3 (level 4 for physical)
  • Utimaco CryptoServer Security Server Se 12/52/420/1200 LAN/PCI, FIPS 140-2 level 3
  • Yubico YubiHSM 2

PIN decryption is not allowed when using an HSM in FIPS mode.

This article is valid from Nexus Certificate Manager 8.1.
