Luna HSM: TalkingTrust Video Series

Secure your devices, identities and transactions with
Thales Luna HSMs and ecosystem partners – the foundation of digital trust

TalkingTrust with Thales and DigiCert - PKI

Public Key Infrastructure (PKI) is the proven framework for securing communications, transactions, network access and data, and for verifying ownership or authorship. However, traditional PKI deployment can be complicated and time-consuming, and if the digital keys are not properly secured there is a risk of a security breach. DigiCert, a leading provider of PKI solutions, has teamed up with Thales, an industry leader in data protection, to provide a “minutes, not months” deployable solution with automation for keeping keys safe and protecting your communications and assets. Join DigiCert and Thales to discover how a modern PKI platform and a Thales Hardware Security Module (HSM) establish roots of trust and drive security.

Join DigiCert and Thales in a discussion about how a modern, “minutes, not months” deployable Public Key Infrastructure platform integrated with a Hardware Security Module (HSM) is critical to establishing a root of trust and ensuring the protection of digital keys and business assets.

John Ray, Director of HSM Product Management at Thales
Brian Trzupek, Senior Vice President, Product Management at DigiCert

Review all integrations and supporting documents for Thales with DigiCert.
Video Transcript

TalkingTrust Series - DigiCert - PKI

00:10 Hi everybody.

00:11 Welcome to the next installment of

00:13 the TalkingTrust video series.

00:16 My name is John Ray. I’m the Director of

00:18 HSM

00:19 Product Management at Thales, and I’m

00:21 joined today by

00:22 Brian Trzupek, the Senior VP of Product

00:25 Management

00:26 from DigiCert. Hi Brian. Hey John. Thanks

00:29 for having me here today.

00:30 Welcome to the show.

00:33 Today

00:34 we are going to talk about how DigiCert

00:36 and Thales are making

00:37 PKI easy for our customers,

00:41 so let me get some slides up here. So

00:44 Brian, what's

00:45 so important about PKI?

00:4 John so you know from a DigiCert

00:52 perspective, we look at 

00:55 three main pieces to PKI. The

00:57 authentication,

00:58 the encryption, and the integrity.

01:01 And we look at these three things

01:03 uniquely with PKI because you can do

01:06 it so effectively, so securely.

01:08 You know, this PKI technology has been

01:10 around for the plus side of 20 years

01:12 and it has weathered the test of time

01:14 very very well.

01:16 Very high security applications built

01:17 on this

01:19 and so we have at this core from

01:22 providing

01:22 user device authentication data

01:25 encryption and

01:26 system integrity around these

01:28 three principles.

01:30 This is where our products

01:32 fill out and where we work with Thales a

01:34 lot to

01:35 deliver on this vision. So it's

01:38 really a

01:39 foundational technology for a lot of

01:41 security systems, isn't it?

01:42 That's right. It's found in

01:44 everything. I mean you're talking door

01:45 locks,

01:46 IoT, government entities,

01:48 passports,

01:50 websites. You know it's everywhere.

01:54 It certainly is.

01:58 So from a digital perspective, to

02:01 go

02:01 just a layer deeper, we have

02:04 a platform

02:06 called DigiCert ONE, and this is

02:08 really

02:09 digital bringing together a lot of

02:10 technologies that we've developed

02:12 through the years. This is 

02:14 backing with our generation

02:15 Five CA infrastructure,

02:18 and we pulled this forward into a

02:20 cloud native

02:21 platform that offers a super flexible

02:24 deployment

02:25 in factories on-premises, for

02:27 customer clouds, and we

02:29 have a managed offering ourselves.

02:32 It allows the customers to use

02:34 those kinds of PKI use cases

02:37 that we just mentioned briefly in any

02:39 way that they want,

02:40 and have very secure software that

02:43 is then updatable in all of those paths and

02:45 deployment patterns. Deploy that in

02:48 huge scale so if you have the

02:51 cloud behind you, if you know we're

02:53 running in a Kubernetes sort of

02:55 infrastructure,

02:56 you can dynamically scale out across

02:58 resources

02:59 and we deliver all of that 

03:01 great tech stuff behind the scenes

03:04 on top of offering very customer-centric

03:07 workflows

03:08 around things like enterprise

03:10 authentication,

03:11 DevOps, IoT, document signing, and some

03:14 things we'll talk about later.

03:16 In all of this you know it's backed from

03:19 a PKI perspective with HSMs and we

03:21 have

03:22 very tight integrations with Thales. So

03:24 it's all about

03:25 making it easier for customers to deploy

03:27 that scale.

03:29 That's right. Deploy and use,

03:31 because what we saw in previous

03:33 platforms was

03:34 that customers would try to

03:36 use a generic PKI platform to solve

03:39 all kinds of needs I just

03:41 mentioned, and they'd run into trouble

03:43 because

03:44 one platform can't be built to solve all

03:46 of those things. So when you look at the

03:48 actual customer-centric perspective for

03:50 how they're trying to solve things,

03:52 meet them there with PKI, all of a sudden

03:54 you've got some magic and

03:55 and that's where we saw

03:57 lift off. Okay so it's about deploying

04:00 and managing once it's deployed.

04:02 Yeah, excellent.

04:05 So how does that tie into the HSMs?

04:08 That's a super good question. So we’ve

04:10 got a little screenshot here. 

04:11 This is one of the areas we're super

04:13 proud of. In the product stack the

04:15 the first HSMs that we implemented and 

04:18 integrated with

04:19 were the Thales HSMs, and you can

04:21 actually see in the screen here

04:23 some of the SafeNet provider setup.

04:25 But not only did we integrate with those,

04:29 we also you know provided

04:32 really rich management. We have a pretty

04:35 industry-

04:35 leading web console where you can

04:37 actually configure the HSM, you can

04:39 configure HA groups, you can

04:41 do all sorts of HSM management very very

04:43 easily

04:44 from the web page right inside the

04:46 Kubernetes console,

04:48 deploying into a containerized

04:50 infrastructure

04:52 mapping back to your Thales HSM for that

04:54 strong key protection

04:55 and providing powerful roles and rights

04:57 and access controls around

04:59 policy driven access to that. So

05:02 from a foundation

05:03 you can deploy strong trusted PKI root

05:06 certificates ICAs etc. protected in the

05:08 HSM,

05:09 and then upstream in the different

05:11 workflows in the application.

05:13 Customers are able to consume that and

05:14 use it without having to worry about all

05:16 that HSM

05:17 layer or configuration, they can get to

05:19 work. 

05:21 So I guess PKI and HSMs and

05:24 that foundation they go together

05:26 that protection of that key

05:29 and keeping it easy for the deployment


05:33 the management of that is

05:36 important. Yeah that's right, and in all

05:38 of our use cases that key protection is

05:40 absolutely critical.

05:42 You know we have many government

05:43 types of use cases, large industry. 

05:46 You know there's different

05:48 ways people are using this and they want

05:49 to ensure the integrity of trust for

05:51 their systems. 

05:52 All right, and I guess when it gets to

05:56 that

05:57 making it easy, it's making it quick to

06:00 deploy as well. 

06:02 It is. One of the 

06:04 benefits that we

06:06 have seen is you know we had a system

06:09 and some customers still have it out

06:11 there

06:11 that was on-premises and a very

06:15 traditional

06:16 Windows install

06:17 architecture, get a database

06:20 running behind it, and cluster

06:22 and configure and do all these things.

06:24 It took us with our customers often

06:27 times

06:28 10 weeks. You're

06:30 talking two and a half months in some

06:31 cases to

06:32 deploy and configure and get to a

06:35 usable PKI system. That's a lot of

06:38 time. That's a lot of opportunity cost.

06:40 Now with the modern PKI we're doing this

06:44 in minutes not months, and we have the

06:47 ability to,

06:48 you know if you already have 

06:49 a Microsoft Azure cluster,

06:51 Kubernetes cluster or something

06:52 configured, you can deploy into that

06:54 pretty much instantaneously. You can

06:56 connect that with a Thales HSM

06:58 and you can be up and running

07:01 within an hour,

07:02 and now from a customer perspective they

07:05 can

07:05 test the system. They can test

07:07 integrations. They can you now forget

07:09 about all of that heavy lifting

07:11 and get to work using PKI almost

07:13 immediately,

07:14 and that really helps out everybody.

07:19 Yeah that certainly does when you

07:21 can do things quickly,

07:22 get rid of all that I'll call it

07:24 baggage, and deploy quickly, test quickly.

07:27 That certainly helps. Now we talked

07:29 about

07:31 or you mentioned earlier,

07:33 the high level value of PKI

07:35 and for authentication encryption and

07:37 integrity,

07:38 how do you break that down into the more

07:40 real world use cases that

07:42 it fits into. Yeah I mean I

07:45 could go

07:46 for a half hour on this slide, so real

07:48 quick I think

07:50 at its core DigiCert is providing easy to

07:54 use PKI. We're doing that through

07:55 automation

07:56 where PKI is unseen. You know our

07:59 customers tell us that's where it's most

08:01 valuable. It's seamlessly

08:03 working and it's not burdening people. We

08:05 see

08:06 five major groups of use cases

08:08 and we have workflows built around these.

08:10 Servers - you know your typical

08:12 kind of web server, the key

08:14 management associated with web server

08:16 where Thales comes in

08:17 in those perspectives too. User - so

08:19 if you think about enterprise users,

08:21 email security like S/MIME,

08:25 synchronizing keys across multiple

08:27 applications, mobile devices,

08:29 laptops, iPads, authentication,

08:31 and MDM. Those sorts of activities all

08:34 have PKI powered behind it for

08:36 protection of those assets.

08:38 So Brian, with the servers and the

08:40 users it's really about

08:42 ensuring the identity of those different

08:44 things.

08:45 Yeah, identity for the web

08:48 server

08:49 use cases absolutely, mobile devices,

08:52 authentication, email, 

08:54 there's

08:55 identity in there. Email also is about

08:57 encryption of those messages

08:59 and tampering with. 

09:00 Protecting that data too. 

09:03 You look

09:05 forward then like document

09:06 signing use cases where we work in

09:09 the EU, 

09:10 like eIDAS and qualified

09:12 signing and

09:13 Adobe integrations for consumer

09:16 solutions

09:17 where we're able to do individual mass

09:18 signing regulated, where we're

09:20 implementing these flows to allow people

09:22 to get these documents signed and use

09:24 third-party systems to do that,

09:25 and we're providing that key management

09:27 underneath and we're making all that HSM

09:29 management and all those components

09:31 pretty seamless for those customers to

09:33 consume it.

09:34 From a device management perspective in

09:36 the lower right if you think about IoT,

09:39 we do everything from the chip

09:40 manufacturer in the supply chain where

09:42 they're fabricating chips,

09:43 through the device manufacturer in

09:45 factory and injecting credentials or

09:47 identities

09:48 into devices, authentication into devices,

09:50 to when a device gets fielded

09:52 and needs to be updated and firmware

09:55 needs to be signed and things like that. 

09:56 We cover that whole spectrum of those

09:58 those use cases and I think that's a

10:00 highlight that those use cases are very

10:01 different than the others. Yeah, and that

10:03 seems to be a growing area with more and

10:06 more

10:06 connected devices from phones to smart

10:09 home to

10:12 even printers and things like that. 

10:14 Everything. 

10:16 Airplanes. So everything in there

10:19 and then last but not least is DevOps

10:21 which

10:22 you know it's just such a growing area

10:24 with cloud transformation these days. 

10:26 Customers changing the security

10:28 perimeter of their infrastructure to

10:30 include the cloud. They want to ensure

10:32 the integrity of containers

10:34 workloads. They want to ensure the

10:38 identity of those things as well

10:40 so that they can have trusted systems

10:42 running in maybe third-party operated

10:44 data centers or cloud environments while

10:48 managing the secrets and the privacy

10:49 related to

10:51 how developers or 

10:53 the SRE teams are deploying software,

10:55 and so we have very tight

10:56 integrations to automate all of these.

10:59 Yeah, and I think in the world

11:01 security is being built in by the

11:03 developers, so you need to

11:04 have this sort of nice workflow built in

11:07 with them. It's not added on after the

11:09 fact anymore.

11:10 Yeah, that's right.

11:12 You can skip to the next one where we

11:14 talk a little

11:15 bit about that. So to that point,

11:17 it's a great segue

11:18 from the developer

11:20 perspective. Just starting down there

11:22 those integrations we have for that

11:23 automation is right into the things like

11:25 the IDs that they're writing code in,

11:27 right into the

11:28 Kubernetes and Docker management

11:31 systems that they're using things like

11:32 that,

11:33 and you go around you know kind of

11:35 the circle here. 

11:36 There's all of this third-party

11:38 technology in all these PKI use cases

11:41 where PKI's being used,

11:42 and we just have these integrations to

11:44 them where we can help manage

11:46 whatever it is

11:47 related to some of the key

11:48 aspects of the usage of them to the PKI

11:51 deploying certificates and

11:53 allowing identity access or encryption

11:55 in all these places. 

11:58 So this really shows a lot of the

12:00 different integrations

12:02 of the solution of the PKI,

12:05 and DigiCert and the HSMs

12:08 with

12:09 other third-party products and how it

12:11 ties in. Yeah, that's right, and in devices

12:14 down there, just as an example like you

12:15 see Thales down there.

12:17 You know, that's a great example of where

12:19 we work together because

12:20 in that device manufacturer segment for

12:23 IoT

12:24 where you know somebody's producing a

12:27 device,

12:28 oftentimes they want the PKI system in

12:30 that

12:31 factory or in the network of the

12:33 factories, and they also want the HSMs

12:35 there. 

12:35 They want full key sovereignty

12:37 protection,

12:38 data sovereignty as things are going

12:41 into devices to be

12:42 sent out into the world. It's a

12:44 great way where the combination of all

12:46 these technologies come together to

12:47 really solve a meaningful problem for

12:49 those guys.

12:50 So that that segues nicely

12:53 into

12:53 different deployment options and

12:56 where people

12:57 are looking to deploy. You talked

12:59 about sovereignty

13:0 and inside a datacenter, a particular

13:03 factory

13:04 versus a cloud sort of service or

13:07 solution. 

13:08 Yeah, so I think when you look at

13:12 you know this is an example of a

13:14 high-level deployment architecture.

13:16 There's so many ways people can deploy

13:18 this

13:18 in so many different scenarios, but I

13:20 think the keys

13:22 of what a deployment looks like is

13:24 right. There's a

13:26 PKI server centrally, and we do

13:28 things with like auto enrollment

13:30 software you know auto enrollment

13:31 itself in Microsoft technologies,

13:34 enterprise gateways that are on-premises

13:36 for customers to control enrollments and

13:38 allow users to tie to

13:40 directories and enroll.

13:42 We have the clients, so Windows.

13:44 Mac,

13:45 all these things that take care of

13:47 that endpoint technology to configure

13:49 the PKI, deploy it, get it into

13:52 software that's using it so that users

13:54 don't have to. If you gave a user

13:55 an S/MIME cert and said go configure it

13:57 across all your devices so that the keys

13:59 work,

13:59 that's never going to happen and so we

14:01 have the software that

14:03 ties in whether it's mobile laptop,

14:05 whatever, to do that and make all

14:07 those things work.

14:08 This is one example

14:10 but all of this

14:11 ultimately is backed where we have

14:14 a Thales HSM in multiple places here

14:17 for our customers when they

14:20 have a solution that is on-premises and

14:22 talking back hybrid, talking back to our

14:24 cloud, they're going to want to protect

14:26 those keys, those communication keys,

14:28 those authentication keys to their core

14:29 CA that's in in our cloud

14:31 with the Thales HSM on their end to

14:34 protect how things are authenticating

14:36 and how

14:36 any local key escrows happening, they

14:39 could you know

14:40 store keys and escrow them for any of

14:42 these use cases

14:43 on-premises and work with a hybrid PKI

14:45 deployment.

14:47 And then obviously as we're

14:49 back ending

14:50 an HSM or a PKI as a managed service

14:53 for somebody,

14:54 we have the HSMs using

14:57 providing strong protection for those

14:59 keys related to the root CAs, and the

15:02 signing CAs, the ICAs that customers are

15:04 deriving PKI credentials from,

15:06 it really powers this whole thing.

15:10 Yeah so it looks like lots of different,

15:12 like you said,

15:13 a million different ways how you

15:15 could deploy PKI for all of those

15:17 different use cases with different

15:19 requirements, and it looks like we have

15:21 flexibility here for the customers to

15:23 choose what fits.

15:24 That's right. That's a great

15:26 summary. Okay

15:27 perfect. So when you

15:30 you put all this together,

15:33 why DigiCert and Thales, why Thales HSMs,

15:36 how did they fit into

15:37 work to help solve these

15:41 PKI deployment issues and make it easy

15:43 for customers.

15:44 Yeah I mean it's so foundational

15:47 these two things just belong together

15:49 right. 

15:50 If you have the workflows that we're

15:52 providing for things like root of

15:54 trust or you know compliance auditing

15:56 cert management,

15:57 that's all great but unless those keys

16:01 those ICAs, those roots, unless those

16:03 assets are protected

16:05 with an HSM the whole system is worthless.

16:08 You don't have any value, you

16:10 don't have any trust in PKI

16:12 without that strong protection

16:13 underneath it and 

16:16 it's not just that PKI or

16:17 the roots and the ICAs like I said,

16:19 it's also you know when customers are

16:21 actually using this

16:22 things like key escrow and some of these

16:24 other areas where

16:26 you're generating PKI assets and you

16:27 need to securely store them

16:29 so that somebody else can't access them.

16:31 That's what's underneath this whole

16:33 platform.

16:34 Yeah I guess one of the things with PKI

16:36 is that 

16:38 the technology comes down to

16:41 the protection of a root key makes it

16:43 easy to deploy in all the different

16:45 devices or entities or

16:47 or,

16:50 devices or identities trust

16:52 each other, but

16:54 it relies on that one key and so

16:57 making sure that well protected

16:58 is really important.

17:00 Yeah exactly and I guess compliance

17:03 sometimes comes into play too but

17:04 depending on the use case.

17:06 Yeah I mean you look at a

17:08 government or even IoT where they maybe

17:10 have some regulations they need to

17:12 produce devices with,

17:13 in a lot of cases there could be

17:14 regulatory components for how they need

17:16 to manage data and

17:18 encrypt it and sign it and store it and

17:21 provide access to it and it's integral

17:23 to what we're providing.

17:26 Absolutely, and I guess from a cost

17:28 perspective if it's quick to set up and

17:30 easy to set up then that

17:32 certainly reduces the cost. Yeah that's

17:34 right. I mean the fact that we can

17:36 deploy so quickly and get customers

17:39 connected, we've got

17:40 all these standard protocols SCEP, EST,

17:44 CMP v2, ACME, all these things

17:46 built into the platform so people can

17:48 get going

17:49 really quickly. That allows them to

17:52 get in,

17:53 scale use this thing and do this

17:57 at record setting pace

17:59 that we haven't had before so that their

18:01 time to value has just

18:04 decreased so dramatically that they can

18:07 immediately

18:07 judge what the system

18:09 is going to do for them. Absolutely,

18:11 and I guess from what we mentioned,

18:14 easy to set up but also continuing the

18:17 management and the auditing and the

18:18 reporting of that,

18:19 that's a really important part to it and

18:21 making sure that

18:22 is easy to do as well. Yeah, I mean it's

18:2 always a piece where you have

18:27 regulation, where you have PKI,

18:29 where you're providing roots of

18:30 trust, you need to have that

18:32 auditability. You need to

18:33 have the ability to produce and

18:36 demonstrate that for third parties or

18:38 internal parties that are interested in

18:40 how you protected these assets and

18:42 ensuring that you do have trust and

18:44 that's where certificate management

18:45 comes in. 

18:46 So on top of all of these great

18:48 things we talked about

18:49 having all those protocols, having all

18:51 these workflows, having the auditability,

18:53 the strong key protection,

18:55 that ties it all together so that

18:56 ultimately below this layer of PKI you

18:59 can manage the certificates inside of

19:01 all these workflows customers are using.

19:04 Awesome. So that's a really great

19:06 overview of how DigiCert and Thales have

19:08 been working together to

19:10 to make it easy, make PKI

19:13 easy for our customers. We've got

19:16 some information here that if

19:18 you want any more

19:19 information there's a nice solution

19:22 brief talking about

19:24 DigiCert and PKI management. We've got

19:27 some information on the integration

19:29 of DigiCert and Thales HSMs and

19:34 some more general information in

19:36 general, and links here

19:38 if you want to go and look at some

19:40 of the other TalkingTrust

19:42 videos. So I'd like to in closing

19:46 bring us back to our faces.

19:49 I'd like to thank Brian for that

19:52 excellent talk and information

19:55 on PKI

19:56 and HSMs together from DigiCert,

20:00 and like to thank everybody for

20:03 listening

20:03 and watching and hope you have a good

20:05 day. Thanks for having me.

Secure PKI Management solutions with DigiCert® and Thales - Solution Brief

DigiCert, the world’s leading provider in PKI solutions, has teamed up with Thales, the worldwide leader in data protection, to provide a joint solution for authenticating and encrypting user communications, systems, emails, documents, websites and servers.

Securing Emerging Technologies with Thales Luna HSMs - Solution Brief

In today's digital world, enterprise and government are in a state of flux. Organizations are optimizing by taking workloads to the cloud, or forging ahead transforming, taking advantage of a wide variety of emerging technologies. They are revisiting their strategies due to...

Luna Network HSM

Luna Network Hardware Security Module - Product Brief

Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance and...

DigiCert Platform 8 with Thales HSMs - Integration Guide

This document describes the installation and configuration steps for SafeNet Network HSM to be used by the DigiCert PKI Enterprise Gateway and Autoenrollment server.