A PKCS#11 compliant device can be used for handling of CA key pairs, system keys, protection of archived keys, and for key generation.

For functional specifications, known issues and limitations related to current PKCS#11 drivers, see each HSM vendor’s web site. 

The following devices are explicitly verified for Certificate Manager and for Nexus OCSP Responder:

• AEP Systems Sureware Keyper, FIPS 140-1 level 4

• Atos Bull Trustway Proteccio NetHSM

  • Has been verified for CA key operations with the CIS. Not verified for use with CF server TLS certificate, PIN certificate and the KAR functionality.

• DocuSign ARX PrivateServer
• Gemalto SafeNet ProtectServer Internal - Express 2
• Gemalto SafeNet ProtectServer External 2
• Thales Luna CA3, FIPS 140-1 lvl 3
• Thales Luna CA4, FIPS 140-2 lvl 3
• Thales Luna SA 4.4, FIPS 140-2 lvl 3
  • When used with CM, since Thales Luna disallow key export when in FIPS mode, enable non-FIPS mode for use with CM KAR, Key Archiving and Recovery.
• Thales Luna SA 5.0, FIPS 140-2 lvl 3
  • When used with CM, since Thales Luna disallow key export when in FIPS mode, enable non-FIPS mode for use with CM KAR, Key Archiving and Recovery.
• Thales Luna G5

• Thales Luna HSM 6

• Thales Luna Network HSM 7
• Thales Luna PCIe HSM 7
• IBM 4758, FIPS 140-1 level 3 and 4
• Nitrokey HSM 2
• Entrust nShield Connect+, FIPS 140-2 level 3
• Entrust nShield Solo+, FIPS 140-2 level 3
• Entrust nShield Edge
• Utimaco CryptoServer Security Server CS 10/50 LAN/PCI, FIPS 140-2 level 3 (level 4 for physical)
• Utimaco CryptoServer Security Server Se 12/52/420/1200 LAN/PCI, FIPS 140-2 level 3
• Yubico YubiHSM 2