MTG Enterprise Resource Security

MTG Certificate Lifecycle Manager (CLM) is an enterprise-grade solution for managing the complete lifecycle of digital certificates, helping organizations secure identities, communications, and transactions across their IT infrastructure.

As a key component of modern Public Key Infrastructure (PKI) and identity management strategies, CLM provides a centralized platform for issuing, renewing, revoking, and auditing digital certificates used for users, devices, servers, and applications. It automates certificate lifecycle tasks, enforces policies, and delivers visibility into certificate usage to minimize the risk of outages, breaches, or compliance failures.

Designed for flexibility and scalability, CLM supports both on-premise and cloud environments, integrating with Active Directory, ITSM workflows, DevOps pipelines, and enterprise applications.

MTG Key Management System (KMS) and Certificate and Revocation Administration (CARA) are core components of MTG’s Enterprise Root of Security (ERS) suite that provide the foundational cryptographic and certificate services upon which MTG CLM builds.

MTG CARA acts as the certificate authority, handling issuance and revocation of certificates, particularly for regulated environments such as eIDAS remote signatures, and exposes this trust anchor to dependent systems. MTG KMS securely generates, stores, and manages cryptographic keys and, when integrated, does so within Securosys HSMs via PKCS#11, ensuring strong protection and compliance for sensitive key material.

In addition to its native enterprise integrations, MTG Certificate Lifecycle Manager works seamlessly with Securosys Primus HSMs, whether deployed on-premise with Primus HSM or in the cloud with CloudHSM.

Why integrate with Securosys Primus HSM

This integration allows your organization to offload critical cryptographic operations and private key protection to a tamper-resistant hardware environment, strengthening the trust foundation of its PKI and ensuring compliance with stringent security and industry standards.

Key benefits of the integration:

  • Stronger Key Security: Certificate private keys are generated, stored, and protected entirely within the HSM, never exposed to software or external access.
  • Regulatory Compliance: Supports FIPS 140-2 Level 3 and Common Criteria EAL4+, enabling compliance with strict regulations such as eIDAS, GDPR, and more.
  • Tamper-Proof Assurance: Hardware-based security guarantees protection against physical and logical attacks, safeguarding the trust anchor of PKI.
  • High Availability and Scalability: Clustered HSM deployment provides redundancy, load balancing, and failover, ensuring uninterrupted certificate services.
  • Secure Key Backup: Enables safe key backup and escrow within the same HSM trust domain, maintaining security while allowing controlled recovery.
  • Cryptographic Acceleration: Offloads certificate signing, encryption, and decryption operations to dedicated hardware, improving performance and reducing system load.
  • Deployment Flexibility: Supports hybrid, cloud-native, and on-premise infrastructures, delivering a consistent security posture across diverse IT environments.

Integration Procedure

The integration between MTG ERS and Primus HSM is documented by MTG in their online documentation.

A quick overview of the steps:

  1. Set up the HSM as described in the Primus HSM User Guide.

    Info: This step can be skipped if you're using CloudHSM. CloudHSM partitions come preconfigured.

  2. Install the Primus PKCS#11 API Provider on the machine running the CARA Server.

  3. Configure the CARA Server to use the Securosys Primus HSM.
