Certificate Authority is a robust, private-trust CA solution designed for enterprises aiming to establish and maintain a secure, scalable, and efficient Public Key Infrastructure (PKI). Built-in with a n-tier PKI hierarchy, this on-premises CA provides seamless certificate issuance and management, ensuring full control over your organization's cryptographic ecosystem.
When deployed on PKI Hub, this Entrust solution adds the following to the PKI Hub integration report.
Entrust products compatible with Certificate Authority
Certificate Authority for PKI Hub 1.4.0 is compatible with the following Entrust products.
- Certificate Manager included in PKI Hub 1.4.0
- Certificate Enrollment Gateway included in PKI Hub 1.4.0
Database management systems supported by Certificate Authority
PKI Hub, and the database-dependent solutions support the following DBMSs:
- PostgreSQL 15+
- The PKI DB Appliance
TLS configurations supported by Certificate Authority
Certificate Authority supports the following TLS configuration.
TLS versions | Key Encapsulation Mechanisms (KEMs) |
|---|---|
1.2 and 1.3 | X25519MLKEM768 |
See below for the supported ciphersuites.
Ciphersuite | TSL 1.2 | TLS 1.3 |
|---|---|---|
ECDHE-ECDSA-AES256-GCM-SHA384 |
|
|
ECDHE-RSA-AES256-GCM-SHA384 |
|
|
ECDHE-RSA-CHACHA20-POLY1305 |
| |
TLS_AES_128_GCM_SHA256 |
| |
TLS_CHACHA20_POLY1305_SHA256 |
|
Key types supported by Certificate Authority
See the table below for the supported Classic keys.
Label | Key algorithm | Signature algorithm | VA key type | VA signature algorithm |
|---|---|---|---|---|
ECDSAP256+SHA256 | ECDSAP256 | ecdsa-with-SHA256 | RSA2048 | sha256WithRSAEncryption |
ECDSAP384+SHA384 | ECDSAP384 | ecdsa-with-SHA384 | RSA2048 | sha256WithRSAEncryption |
ECDSAP521+SHA512 | ECDSAP521 | ecdsa-with-SHA512 | RSA2048 | sha256WithRSAEncryption |
RSA-2048+PKCS15-SHA256 | RSA2048 | sha256WithRSAEncryption | RSA2048 | sha256WithRSAEncryption |
RSA-2048+PSS-SHA256 | RSA2048 | sha256WithRSAPSS | RSA2048 | sha256WithRSAPSS |
RSA-3072+PKCS15-SHA256 | RSA3072 | sha256WithRSAEncryption | RSA2048 | sha256WithRSAEncryption |
RSA-3072+PSS-SHA256 | RSA3072 | sha256WithRSAPSS | RSA2048 | sha256WithRSAPSS |
RSA-4096+PKCS15-SHA512 | RSA4096 | sha512WithRSAEncryption | RSA2048 | sha256WithRSAEncryption |
RSA-4096+PSS-SHA512 | RSA4096 | sha512WithRSAPSS | RSA2048 | sha256WithRSAPSS |
See the table below for the supported Post-Quantum (PQ) keys.
The supported PQ keys may vary depending on the selected HSM and its configuration.
Label | Key algorithm | Signature algorithm | VA key type | VA signature algorithm |
|---|---|---|---|---|
Hash-SLH-DSA-SHA2-128f-With-SHA256 | Hash-SLH-DSA-SHA2-128f-With-SHA256 | Hash-SLH-DSA-SHA2-128f-With-SHA256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-128s-With-SHA256 | Hash-SLH-DSA-SHA2-128s-With-SHA256 | Hash-SLH-DSA-SHA2-128s-With-SHA256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-192f-With-SHA512 | Hash-SLH-DSA-SHA2-192f-With-SHA512 | Hash-SLH-DSA-SHA2-192f-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-192s-With-SHA512 | Hash-SLH-DSA-SHA2-192s-With-SHA512 | Hash-SLH-DSA-SHA2-192s-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-256f-With-SHA512 | Hash-SLH-DSA-SHA2-256f-With-SHA512 | Hash-SLH-DSA-SHA2-256f-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-256s-With-SHA512 | Hash-SLH-DSA-SHA2-256s-With-SHA512 | Hash-SLH-DSA-SHA2-256s-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-128f-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128f-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128f-With-SHAKE128 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-128s-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128s-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128s-With-SHAKE128 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-192f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192f-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-192s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192s-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-256f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256f-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-256s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256s-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
ML-DSA-44 | ML-DSA-44 | ML-DSA-44 | RSA2048 | sha256WithRSAEncryption |
ML-DSA-65 | ML-DSA-65 | ML-DSA-65 | RSA2048 | sha256WithRSAEncryption |
ML-DSA-87 | ML-DSA-87 | ML-DSA-87 | RSA2048 | sha256WithRSAEncryption |
See the table below for the supported Composite keys.
The supported composite keys may vary depending on the selected HSM and its configuration.
Label | Key algorithm | Signature algorithm | VA key type | VA signature algorithm |
|---|---|---|---|---|
MLDSA44-ECDSA-P256-SHA256 | MLDSA44-ECDSA-P256-SHA256 | MLDSA44-ECDSA-P256-SHA256 | RSA2048 | sha256WithRSAEncryption |
MLDSA44-RSA2048-PKCS15-SHA256 | MLDSA44-RSA2048-PKCS15-SHA256 | MLDSA44-RSA2048-PKCS15-SHA256 | RSA2048 | sha256WithRSAEncryption |
MLDSA44-RSA2048-PSS-SHA256 | MLDSA44-RSA2048-PSS-SHA256 | MLDSA44-RSA2048-PSS-SHA256 | RSA2048 | sha256WithRSAPSS |
MLDSA65-ECDSA-P256-SHA512 | MLDSA65-ECDSA-P256-SHA512 | MLDSA65-ECDSA-P256-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-ECDSA-P384-SHA512 | MLDSA65-ECDSA-P384-SHA512 | MLDSA65-ECDSA-P384-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-RSA3072-PKCS15-SHA512 | MLDSA65-RSA3072-PKCS15-SHA512 | MLDSA65-RSA3072-PKCS15-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-RSA3072-PSS-SHA512 | MLDSA65-RSA3072-PSS-SHA512 | MLDSA65-RSA3072-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
MLDSA65-RSA4096-PKCS15-SHA512 | MLDSA65-RSA4096-PKCS15-SHA512 | MLDSA65-RSA4096-PKCS15-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-RSA4096-PSS-SHA512 | MLDSA65-RSA4096-PSS-SHA512 | MLDSA65-RSA4096-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
MLDSA87-ECDSA-P384-SHA512 | MLDSA87-ECDSA-P384-SHA512 | MLDSA87-ECDSA-P384-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA87-ECDSA-P521-SHA512 | MLDSA87-ECDSA-P521-SHA512 | MLDSA87-ECDSA-P521-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA87-RSA3072-PSS-SHA512 | MLDSA87-RSA3072-PSS-SHA512 | MLDSA87-RSA3072-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
MLDSA87-RSA4096-PSS-SHA512 | MLDSA87-RSA4096-PSS-SHA512 | MLDSA87-RSA4096-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
Hardware security modules supported by Certificate Authority
See the following table for hardware security modules (HSM) versions supported by Certificate Authority and other solutions.
Hardware | Client driver | Firmware | Certificate Authority | Timestamping Authority | Validation Authority |
|---|---|---|---|---|---|
Entrust nShield Connect XC | 13.9.0 (FIPS 140-2 Level 3 mode supported) | 12.60.15 & 12.60.2 |
|
|
|
Entrust nShield 5c | 13.9.0 | 13.2.4 |
|
|
|
Entrust nShield 5c 10G | Not supported | Not supported |
|
|
|
Epicom | EP990 v1.08-1 | — |
|
|
|
Thales Luna HSM 7 | 10.8.0 | 7.7.1-20 |
|
|
|
Thales TCT | 10.8.0 | 7.7.1-20 |
|
|
|
General considerations:
- You do not need to install the client drivers because the solution already includes this software. However, these client drivers cannot be updated.
- You can only use 1/N card sets. A card set of, for example, 2/5 cards is not supported.
On high-availability installations with a cluster of several HSMs:
- You cannot use HSMs from different providers simultaneously, meaning that nShield and Thales HSMs cannot coexist within the same deployment.
- Entrust Validation Authority may experience the Thales TCT limitations described in the Thales TCT Universal Client Plugin Additional Information technical note dated May 28, 2025.
- Solutions using the HSMs must be redeployed after any loss of connection with the HSMs, such as after an HSM reboot.