Are there any best practice guidelines or pros/cons for using an HSM with the Issuing CA? Thank you, Paul

What vendor are you looking at? Would like to provide a vendor-specific answer. Brian

My organization has HSM devices already in house for other purposes, they are Thales nCipher net HSM devices. Thanks, Paul

Brian, Paul, Our project is progressing and I have a few follow-up questions: 1.) Are there any limitations of using the HSM if the CA is virtual? 2.) You mentioned in your previous post that when a private key is active and the last OCS card is removed that the private key is destroyed. Are you saying that the private key within the security world is destroyed? I'm guessing that there is a way to reactive the private key once the OCS cards are reinserted? or is the private key permanently destroyed? 3.) If the encrypted private key material is stored on the local file system, how does the HSM protect the private key material? What prevents someone from attempting to gain access to or decrypt the locally stored private key? Thank you, Paul

I have used Virtual Environment to Install the following: 1. RootCA(Offline) Virtual - Private Key on HSM with K of N Protection - Hard Disk removed locked up in Safe 2. PolicyCA(Offline) Virtual - Private Key on HSM with K of N Protection - Hard Disk removed locked up in Safe 3. IssuingCA(Online) Virtual - Private Key on HSM with K of N Protection 4. Web Enrollment on a Separate Virtual Machine. The Virtual Environment and HSM are working fine. Thanks.