Prerequisites
This page describes the prerequisites that you need to fulfill to get started with using Securosys HSMs for eIDAS.
Get an HSM
Of course, you need to have an HSM. This can be an on-premise Primus HSM, which you install and configure yourself. Alternatively, Securosys CloudHSM is a managed HSM service that lets you get started immediately.
CloudHSM
CloudHSM is a hosted offering from Securosys, where Securosys manages the HSMs for you in a geo-redundant cluster. For testing purposes, CloudHSM offers a free 90-day trial.
Sign up to CloudHSM
On-premise
Contact the Securosys Sales team to purchase a Primus HSM. There are various models available.
You will need to deploy, manage, and maintain the HSM yourself. For production, a cluster of two or more devices is highly recommended.
Required Firmware
The Primus HSM must run firmware version v3.1 (or newer), since v3.1 introduced support for SAM mode.
Firmware packages can be downloaded from the Support Portal.
Full Compliance
For full compliance with Common Criteria (CC), the HSM needs to run a certified firmware version. The 3.1 release branch is currently undergoing certification, and is expected to be completed in late 2025. Note that the 3.2 (LTS) branch is not CC certified.
Additionally, the HSM needs to be operated in compliance with Common Criteria. For details, see Section 14.1 "Common Criteria operating instructions and condition" of the Primus HSM User Guide.
When using CloudHSM, you need to choose the ECO CC service to have a certified firmware and operating environment. However, the ECO CC service still runs firmware version 2.8.21 until 3.1 is certified!
Additionally, please contact your local auditor or regulator to find out whether you need to own the HSM hardware yourself or whether the Securosys-operated CloudHSM ECO CC service is acceptable.
You can already start integration testing, and go live once the firmware certification is complete.
Required Licenses
CloudHSM
CloudHSM includes all required licenses by default.
On-premise
For on-premise HSMs, your license needs to include the following options:
- KEY_AUTH
- EXTENDED_KEY_ATTRIBUTES (for SKA)
- SAM
- ROOT_KEY_STORE
- REST_API
- TSB_ENGINE (if using the Transaction Security Broker)
You can check the installed license options on the HSM:
- UI: System ➜ Diagnostics Device ➜ License
- Console: hsm_diagnostics lic
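The firmware and license requirements above are easy to get wrong when several devices in a cluster are checked by hand. The following pre-flight check is an added example, not Securosys code or the output format of `hsm_diagnostics lic`: it assumes a firmware string such as `v3.1.4` and a license listing with one upper-case option name per line, both of which are assumptions you adapt to the real output. The sample listing is constructed for illustration.

```python
"""Pre-flight check for the Primus HSM prerequisites on this page.

Added example, not Securosys code. The parsers assume a "vX.Y.Z" firmware
string and a license listing that names each option in upper case on its
own line; the real output of `hsm_diagnostics lic` may look different.
"""
import re

MIN_FIRMWARE = (3, 1)  # SAM mode support was introduced in firmware v3.1

# License options required on an on-premise Primus HSM (from the list above).
BASE_LICENSES = {"KEY_AUTH", "EXTENDED_KEY_ATTRIBUTES", "SAM", "ROOT_KEY_STORE", "REST_API"}
TSB_LICENSE = "TSB_ENGINE"  # only needed when the Transaction Security Broker is used


def parse_firmware(version: str) -> tuple[int, ...]:
    """Turn 'v3.1.4' or '3.1' into a comparable tuple such as (3, 1, 4)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def firmware_ok(version: str) -> bool:
    """True when the firmware is v3.1 or newer (tuple comparison, so 3.10 > 3.1)."""
    return parse_firmware(version) >= MIN_FIRMWARE


def parse_license_options(listing: str) -> set[str]:
    """Collect upper-case option names from a license listing (assumed format)."""
    return set(re.findall(r"\b[A-Z][A-Z0-9_]+\b", listing))


def missing_licenses(listing: str, uses_tsb: bool) -> set[str]:
    """Return the required license options that are absent from the listing."""
    required = set(BASE_LICENSES)
    if uses_tsb:
        required.add(TSB_LICENSE)
    return required - parse_license_options(listing)


def check_prerequisites(firmware: str, license_listing: str, uses_tsb: bool = False) -> list[str]:
    """Return human-readable findings; an empty list means all checked prerequisites are met."""
    findings = []
    if not firmware_ok(firmware):
        minimum = ".".join(str(p) for p in MIN_FIRMWARE)
        findings.append(f"firmware {firmware} is older than v{minimum} (no SAM mode)")
    for option in sorted(missing_licenses(license_listing, uses_tsb)):
        findings.append(f"license option {option} is missing")
    return findings


# Constructed sample listing, not real device output.
SAMPLE_LICENSE_LISTING = """\
License options (constructed sample):
  KEY_AUTH
  EXTENDED_KEY_ATTRIBUTES
  SAM
  ROOT_KEY_STORE
  REST_API
"""

if __name__ == "__main__":
    # A device without TSB_ENGINE is fine unless the Transaction Security Broker is used.
    for firmware, tsb in (("v3.1.0", False), ("v3.1.0", True), ("2.8.21", False)):
        result = check_prerequisites(firmware, SAMPLE_LICENSE_LISTING, uses_tsb=tsb)
        print(f"{firmware} tsb={tsb}: {result or 'all prerequisites met'}")
```

Run the check once per cluster member; the firmware comparison uses numeric tuples rather than string comparison so that a future `v3.10` is not mistaken for being older than `v3.1`.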
Existing CA
As explained in the How It Works guide, the identification of users is delegated to an external Certificate Authority (CA). Therefore, you need to have a Public Key Infrastructure (PKI) that can identify users and issue certificates to them.
Later in the installation, you will load one or more CA certificates onto the HSM Partition.
You can use the Primus HSM to securely store the CA signing keys. Simply create an additional HSM Partition for the CA, to keep the CA and your eIDAS applications separate. See the Solutions Explorer for a list of existing integrations with various PKI and CA vendors.