Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients



A PKCS#11-compliant device can be used to handle CA key pairs and system keys, to protect archived keys, and to generate keys.

For functional specifications, known issues and limitations related to current PKCS#11 drivers, see each HSM vendor’s web site. 

The following devices are explicitly verified for Certificate Manager and for Nexus OCSP Responder:

  • AEP Systems Sureware Keyper, FIPS 140-1 level 4
  • Atos Bull Trustway Proteccio NetHSM
    • When used with CM, only verified with CIS, not with CCM and KAR.
    • Not relevant for Nexus OCSP Responder
  • DocuSign ARX PrivateServer
  • Gemalto SafeNet ProtectServer Internal - Express 2
  • Gemalto SafeNet ProtectServer External 2
  • Thales Luna CA3, FIPS 140-1 level 3
  • Thales Luna CA4, FIPS 140-2 level 3
  • Thales Luna SA 4.4, FIPS 140-2 level 3
    • When used with CM: Thales Luna disallows key export in FIPS mode, so enable non-FIPS mode for use with CM KAR (Key Archiving and Recovery).
    • Not relevant for Nexus OCSP Responder
  • Thales Luna SA 5.0, FIPS 140-2 level 3
    • When used with CM: Thales Luna disallows key export in FIPS mode, so enable non-FIPS mode for use with CM KAR (Key Archiving and Recovery).
    • Not relevant for Nexus OCSP Responder
  • Thales Luna G5
  • Thales Luna HSM 6
  • Thales Luna Network HSM 7
  • Thales Luna PCIe HSM 7
  • IBM 4758, FIPS 140-1 level 3 and 4
  • Nitrokey HSM 2
  • Entrust nShield Connect+, FIPS 140-2 level 3
  • Entrust nShield Solo+, FIPS 140-2 level 3
  • Entrust nShield Edge
  • Utimaco CryptoServer Security Server CS 10/50 LAN/PCI, FIPS 140-2 level 3 (level 4 for physical)
  • Utimaco CryptoServer Security Server Se 12/52/420/1200 LAN/PCI, FIPS 140-2 level 3
  • Yubico YubiHSM 2

PIN decryption is not allowed when using an HSM in FIPS mode.

This article is valid for Nexus Certificate Manager 8.1 and later.
