Entrust Private PKI Solutions (PKIaaS, CSP PKI, Managed PKI, nShield HSM, PQC)

Following the January 2025 sale of its publicly trusted certificate business to Sectigo, Entrust focuses on private PKI for enterprise and hybrid‑cloud environments, with post‑quantum readiness options. We design and operate Entrust‑based PKI to manage machine identities, secure internal services, and meet regulatory obligations.

Why SafeCipher for Entrust (Outcomes)

  • Private PKI at scale with automated discovery/renewals and policy controls
  • Crypto‑agility & PQC roadmap and hybrid cert pilots for high‑value services
  • HSM‑backed keys with Entrust nShield or cloud HSMs; BYOK/Managed HSM
  • Audit‑ready CP/CPS, ceremony packs, logging standards, and evidence

Entrust PKI Delivery Models (Choose Your Deployment)

PKI as a Service (PKIaaS)

Cloud‑delivered, highly scalable PKI for rapid onboarding and simplified lifecycle management—including post‑quantum cryptography support.

Cryptographic Security Platform (CSP) PKI

Container‑based, virtual appliance for on‑prem, cloud, or hybrid. Bundles Certificate Authority (CA), Certificate Lifecycle Management (CLM), and automation in a single package.

Core Components (Across All Models)

  • Certificate Authority (CA): robust, scalable issuance and management for private certificates
  • Certificate Hub: central portal for discovery, control, and automation across public/private certs
  • Hardware Security Modules (HSMs): Entrust nShield for tamper‑resistant key protection; integrates with CSP/PKIaaS
  • Certificate Lifecycle Management (CLM): visibility, policy, automation for discovery, renewal, and revocation
  • Enrollment Services (RA): automated enrolment & renewal with Microsoft Auto‑Enrollment, SCEP, and ACME
  • CA Gateway (REST API): integrate PKI/CLM with applications, partners, and DevOps pipelines

Digital Certificate Solutions (Use Cases)

  • IoT & OT Security: scalable device identity, automated issuance for machines/users in constrained networks
  • Document & Code Signing: high‑assurance signatures for documents and software; long‑term validation (LTV) and timestamping (TSA) options; software supply‑chain hardening
  • Enterprise mTLS & Access: service‑to‑service mTLS, VPN/Wi‑Fi (EAP‑TLS), certificate‑based authentication (CBA) for portals and admin access

Important Note on Public Trust (2025)

As of early 2025, Entrust is not a public certificate authority for internet‑facing SSL/TLS. Public trust was acquired by Sectigo. Entrust’s current portfolio serves enterprise private PKI, machine identities, and internal security.

Architecture Patterns (How We Design It)

  • Offline root anchored in HSM; issuing CAs in secure zones (on‑prem/cloud)
  • Hybrid: on‑prem root + cloud issuing backed by nShield/cloud HSM; CLM automation
  • Kubernetes & cloud‑native: cert‑manager issuers, short‑lived cert rotation, GitOps pipelines
  • Signing services: HSM‑backed code/document signing with notarisation & LTV

Integrations (Where It Connects)

  • CAs/PKI: Entrust CSP PKI/PKIaaS, Microsoft AD CS, EJBCA
  • CLM/Control Planes: Keyfactor, Venafi/CyberArk (policy, discovery, renewal)
  • Cloud/KMS/HSM: Azure Key Vault/Managed HSM, AWS KMS/CloudHSM, GCP KMS; Entrust nShield on‑prem
  • Network/Edge: F5, Nginx, HAProxy, IIS/Apache, Citrix ADC; RADIUS/NAC (ISE/ClearPass)
  • DevOps/Supply Chain: GitHub/GitLab/Azure DevOps, Terraform/Ansible, signing services, HashiCorp Vault

Governance & Compliance (Making It Auditable)

  • CP/CPS authoring & maintenance; Key Management Standard (algorithms, sizes, validity)
  • Ceremonies: Root Key Generation (RKG), backup/restore SOPs, custody forms (M of N)
  • Monitoring: issuance SLOs, CRL/OCSP health, immutable logs; SIEM dashboards
  • Regulatory alignment: GDPR/UK GDPR, NIS2, PCI DSS 4.0, ISO 27001; sector evidence

Our Shortcodes (for Clear Requests)

  • EN‑PKIaaS → Entrust PKI as a Service
  • EN‑CSP → Entrust Cryptographic Security Platform (PKI)
  • EN‑MPKI → Entrust Managed PKI Services
  • EN‑NSHIELD → Entrust nShield HSM (on‑prem)
  • EN‑HUB → Entrust Certificate Hub
  • EN‑CAGW → Entrust CA Gateway (REST API)

Example: EN‑CSP/EN‑NSHIELD/ServerTLS‑Std/PROD/DMZ/payments‑edge

Deliverables (What You Get)

  • Solution design (HLD/LLD), policy packs, RA workflows, connector inventory
  • Build: CSP/PKIaaS configuration, HSM setup, enrollment protocols, automation
  • Operations: issuance/renewal/revocation runbooks, DR, maintenance windows
  • Evidence: ceremony packs, audit logs, compliance traceability matrix

FAQ: Entrust Private PKI — Common Questions

Can Entrust issue public SSL/TLS now? No—public trust moved to Sectigo in 2025. Entrust focuses on private PKI and machine identity.

Which model should we choose? PKIaaS for speed, CSP PKI for control/flexibility, Managed PKI if you need expert‑run operations.

Do we need nShield HSMs? For CA/signing keys, yes (or cloud HSM). We’ll design the right custody model (BYOK/Managed HSM).

How do we prepare for PQC? We define crypto policy, enable hybrid pilots where appropriate, and plan device/client impacts.

Get Started (Assessment → Pilot → Scale)

  1. Inventory & gap analysis across certs, keys, apps, and infrastructure
  2. Pilot: stand up EN‑PKIaaS or EN‑CSP for a high‑value domain; integrate enrollment (ACME/SCEP/Auto‑Enroll)
  3. Scale: automate renewals, standardise policies, roll out signing and IoT/OT identity