Managed PKI Client Service announces new Hardware Security Module (HSM)
November 10th, 2005
This advisory applies to VeriSign Managed PKI
Client Customers with Automated Administration (AA) or Key Manager (KM)
Components
The purpose of this advisory is to inform you
of VeriSign’s new Hardware Security Module (HSM) support for the Managed
PKI (MPKI) Automated Administration (AA) and Key Manager (KM) components
deployed at your site.
Notes:
If your MPKI environment does not have the AA or KM component installed
onsite, this advisory letter is not applicable to you.
If your installed AA or KM component uses software signing or software
key generation, this advisory is not applicable to you.
Introduction
The VeriSign MPKI AA component, used for automated
authentication of certificate subscribers, can operate in either software
or hardware signing mode when communicating with VeriSign’s
backend services. Similarly, the MPKI KM component, used for escrow
of encryption certificate private keys, can operate in either software
or hardware key generation mode when generating private keys.
VeriSign’s currently supported HSM for AA hardware signing is SafeNet’s
Luna 2 while the supported HSM for KM hardware key generation is SafeNet’s
Luna RA. SafeNet, VeriSign’s supplier for HSMs, will end support
for Luna 2 and Luna RA on 2/15/2006 and has new replacement HSM products
(Luna PCI or Luna SA) for VeriSign to continue support for AA hardware
signing and KM hardware key generation. Furthermore, VeriSign
will be shipping a more cost-effective HSM (VeriSign USB Token) for
hardware signing with AA on the Windows server platform.
MPKI AA and KM HSM Replacement Plan
MPKI customers (on v4.6.1, v5.0, v6.0 or v6.1)
who have the AA or KM module deployed shall continue using their currently
deployed Luna 2 (for AA) and Luna RA (for KM) HSMs as these hardware
devices should continue to function as intended. Existing customers
who will upgrade to MPKI v6.1 shall also continue using their existing
Luna 2 and Luna RA HSMs. VeriSign will replace your Luna 2 and
Luna RA HSMs with the new Luna PCI or Luna SA HSM should you encounter
technical issues with your existing AA and KM deployments.
Please consult with VeriSign Technical Support
first to assess any technical issue you encounter with your existing
Luna 2 and/or Luna RA HSM. VeriSign Technical Support will determine
whether a free replacement order of the proper new MPKI AA or KM HSM
shall be shipped, as indicated in the replacement matrix below
(see Table 1, “VeriSign AA and KM HSM Replacements”).
Note: The prerequisite for replacing your
existing Luna 2 or Luna RA HSM with the new HSMs is that you are
operating, or will be operating, MPKI v6.0 or v6.1, since the new HSMs
(i.e., Luna PCI and Luna SA) have been qualified against MPKI v6.0 and
v6.1 only. Should you need to upgrade to MPKI 6.1 (from
v5.0 or v4.6.1), please contact your VeriSign sales representative for
an assessment of the service upgrade cost.
Replacements for Existing MPKI AA HSM (Luna
2) and KM HSM (Luna RA)
The respective SafeNet HSMs and VeriSign USB
token that will replace the current Luna 2 and Luna RA are outlined
in the matrix table below.
Note: SafeNet Luna PCI and Luna SA can support
either “key signing” or “key export” mode on varying OS platforms.
The new VeriSign AA and KM HSM kits will include the appropriate SafeNet
HSMs configured in the correct mode for the operating platforms you
require.
| Operating platform | Replacement for Luna 2 (AA) | Replacement for Luna RA (KM) |
|---|---|---|
| Windows 2000, Windows 2003 | VeriSign USB Token; SafeNet Luna PCI – Signing | SafeNet Luna PCI – Export |
| Solaris 8 | SafeNet Luna PCM – Signing; SafeNet Luna SA – Signing | SafeNet Luna PCM – Export; SafeNet Luna SA – Export |
| Solaris 9 | SafeNet Luna SA – Signing | SafeNet Luna SA – Export |
Table 1 VeriSign AA and KM HSM Replacements
Technical Support
If you have any questions or concerns, please
contact VeriSign Technical Support at enterprise-pkisupport@verisign.com,
or call +1 650-426-3535 or 1-800-579-2848.
VeriSign Product Management