SECUROSYS BLOG

Regulated Markets and PKI: Solving the Pain Points with HSMs and Automation

Written by Audrey Fily | Jan 16, 2026

In regulated industries such as finance, government services, healthcare, and critical infrastructure, Public Key Infrastructure (PKI) is foundational. PKI secures digital identities, encrypts communications, and underpins regulatory compliance frameworks such as eIDAS, FIPS, and Common Criteria.

Yet despite its importance, PKI remains one of the most complex security domains to operate. Protecting private keys, managing certificate lifecycles, ensuring high availability, and scaling securely often result in significant operational overhead and increased risk.

Modern PKI architectures no longer need to choose between security and efficiency. By combining certified hardware security with automated lifecycle management, organizations can simplify PKI operations while meeting the strictest regulatory requirements.

This article explores how Securosys Primus HSMs and MTG’s Enterprise Resource Security suite (CARA, CLM, and KMS) work together to address real-world challenges of PKI in regulated environments.


The Challenge: High Stakes, High Complexity

Organizations operating in regulated markets must ensure:

  • Protection of Root CA (Certificate Authority) and Sub CA private keys
  • Secure certificate issuance, renewal, and revocation
  • Compliance with standards such as eIDAS, FIPS, and Common Criteria
  • High availability and business continuity
  • Scalability without introducing manual errors or operational risk

Traditionally, these requirements have driven complex and fragile PKI setups: manual key handling, isolated CA systems, complex backup procedures, and custom failover designs. As certificate volumes grow and lifecycles shorten, these approaches no longer scale effectively.


The Solution: Hardware-Backed PKI Automation

To reduce complexity without compromising security, regulated organizations need a PKI architecture where trust is anchored in hardware and operations are driven by automation. This is exactly what the combination of MTG’s ERS® (Enterprise Resource Security) solution and Securosys Primus HSMs delivers.

The MTG ERS® suite provides a centralized, policy-driven PKI control layer, while Securosys Primus HSMs serve as the certified hardware root of trust. Connected via standard PKCS#11 interfaces, cryptographic keys and sensitive operations are securely confined to tamper-resistant hardware, while certificate processes are automated and orchestrated at the software level.

This approach reduces operational risk by minimizing exposure of sensitive cryptographic material and limiting manual key handling where appropriate. Private keys for Root and Subordinate Certificate Authorities are generated and remain within the HSM, ensuring they are protected throughout their lifecycle and never exposed outside the secure boundary of the device. At the same time, it allows organizations to scale certificate issuance and lifecycle management efficiently, without introducing architectural fragility or compliance gaps.

The result is a clean separation of responsibilities: MTG handles lifecycle automation and policy orchestration, while Securosys provides the hardware root of trust.


Designed for Regulated Environments

MTG ERS®: Automating PKI Operations at Scale

MTG’s Enterprise Resource Security suite provides the cryptographic and operational foundation for modern PKI:

  • CARA (Certification Authority & Registration Authority) operates as the certification authority, issuing and revoking certificates, especially for regulated scenarios such as eIDAS remote signatures. While CARA encompasses both CA and RA responsibilities by definition, Registration Authority functions within the ERS architecture are performed by the CLM, which avoids duplication and centralizes identity validation.
  • KMS (Key Management System) securely generates and manages cryptographic keys.
  • CLM (Certificate Lifecycle Manager) automates the complete certificate lifecycle, including issuance, renewal, revocation, and auditing. In addition, CLM performs authentication and authorization checks of certificate requestors (End-Entities), ensuring that certificates are issued only to verified and approved identities.


Certified Security You Can Build On

Securosys Primus HSMs are designed for environments where compliance is non-negotiable. Certifications include:

  • FIPS 140-2 Level 3
  • Common Criteria EAL4+
  • eIDAS EN 419221-5

Additional certifications, such as FIPS 140-3 and eIDAS Sole Control (SAM), are underway, ensuring long-term regulatory alignment.

This makes Primus HSMs a strong foundation for PKI deployments in financial services, public sector identity programs, healthcare systems, and trust services.


Performance and Scalability Without Trade-Offs

PKI workloads vary widely—from internal enterprise certificates to national-scale identity infrastructures. Primus HSMs are built to scale:

  • Fixed or scalable performance, up to 1 million transactions per second in clustered deployments
  • Up to 30 GB of internal key storage
  • Up to 1,000 independent partitions for multi-tenant or segregated environments

This allows organizations to grow their PKI footprint without redesigning their security architecture.


Deployment Scenarios: New and Existing PKI

The combined MTG – Securosys solution adapts easily to organizations at different stages of PKI maturity.

For new PKI deployments, MTG CARA and CLM can be introduced as the foundational certificate authority and lifecycle management components, with Securosys Primus HSMs integrated from the outset to protect CA private keys. This enables organizations to build a modern PKI architecture that is automated by design and anchored in certified hardware trust, reducing future operational and compliance challenges.

In existing PKI environments, Securosys Primus HSMs can be introduced to protect Root and Sub CA keys without requiring a full redesign of the current infrastructure. MTG CLM can then be added to automate certificate lifecycles, improve visibility, and enforce policies consistently across the environment. This approach allows organizations to modernize their PKI incrementally, lowering risk while improving security, resilience, and regulatory alignment.
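As an added example (not MTG or Securosys code), the following Python audit checks the PKCS#11 attribute set of a CA signing key for the property described above, "generated inside the HSM and never exposed outside it", and also flags the migration case from existing PKI environments, where a key imported from a software CA can look compliant today yet was once outside the hardware boundary. The CKA_* names are standard PKCS#11; the policy values and the sample attribute dumps are constructed assumptions.

```python
"""Audit PKCS#11 attributes of an HSM-held CA private key.

Attribute names are standard PKCS#11 (CKA_*). The policy and the sample
attribute dumps are constructed for illustration; they are not vendor code
or real HSM output.
"""

# Required current values on a CA signing key.
CA_KEY_POLICY = {
    "CKA_TOKEN": True,             # persistent token object, not session-scoped
    "CKA_PRIVATE": True,           # usable only after login to the partition
    "CKA_SENSITIVE": True,         # plaintext value can never be read out
    "CKA_EXTRACTABLE": False,      # cannot be wrapped out with C_WrapKey
    "CKA_SIGN": True,              # signs certificates and CRLs ...
    "CKA_DECRYPT": False,          # ... and is not a general-purpose key
    "CKA_UNWRAP": False,
}

# Token-maintained history attributes: these reveal whether the key was
# imported or extractable at any earlier point in its life.
HISTORY_POLICY = {
    "CKA_LOCAL": True,             # generated on the token, not imported
    "CKA_ALWAYS_SENSITIVE": True,  # sensitive since creation
    "CKA_NEVER_EXTRACTABLE": True, # never wrappable at any point
}


def audit_ca_key(attrs: dict) -> dict:
    """Return {'violations': [...], 'history': [...]}; both empty means compliant."""
    def check(policy):
        findings = []
        for name, required in policy.items():
            if name not in attrs:
                findings.append(f"{name}: attribute absent from dump")
            elif attrs[name] != required:
                findings.append(f"{name}: expected {required}, found {attrs[name]}")
        return findings
    return {"violations": check(CA_KEY_POLICY), "history": check(HISTORY_POLICY)}


# Constructed sample dumps, shaped like the result of C_GetAttributeValue.
ROOT_CA_KEY = {**CA_KEY_POLICY, **HISTORY_POLICY, "CKA_LABEL": "root-ca-sign"}
# Same current flags, but imported from a software CA during migration.
MIGRATED_KEY = {**ROOT_CA_KEY, "CKA_LOCAL": False,
                "CKA_ALWAYS_SENSITIVE": False, "CKA_NEVER_EXTRACTABLE": False}

if __name__ == "__main__":
    for label, key in (("root", ROOT_CA_KEY), ("migrated", MIGRATED_KEY)):
        print(label, audit_ca_key(key))
```

A migrated key that passes the current-state policy but fails every history check is the signal to re-key the CA inside the HSM rather than treat the imported key as hardware-anchored.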

As a result, the solution is particularly well-suited for PKI modernization initiatives in regulated industries such as finance, public infrastructure, healthcare, and digital identity services.


Conclusion: Security Without Operational Burden

In regulated markets, PKI must deliver trust, compliance, and resilience, but it does not need to be complex. By combining MTG’s automated certificate lifecycle and CA services and Securosys Primus HSMs as a certified hardware root of trust, organizations can achieve:

  • Strong private key protection without manual handling
  • Automated, policy-driven PKI operations
  • Compliance with global and regional standards
  • Flexible deployment across on-premises, hybrid, and cloud environments

In an era where digital trust is mission-critical, hardware-backed automation is no longer a luxury. It is a necessity.