Support for Entrust nShield® HSM

A non-FIPS Citrix ADC appliance stores the server’s private key on the hard disk. On a FIPS appliance, the key is stored in a cryptographic module known as a hardware security module (HSM). Storing a key in the HSM protects it from physical and software attacks. In addition, the keys are encrypted by using special FIPS approved ciphers.

Only the Citrix ADC MPX 9700/10500/12500/15500 FIPS appliances support a FIPS card. Support for FIPS is not available on other MPX appliances, or on the SDX and VPX appliances. This limitation is addressed by supporting an Entrust nShield® Connect external HSM on all Citrix ADC MPX, SDX, and VPX appliances except the MPX 9700/10500/12500/15500 FIPS appliances.

Entrust nShield® Connect is an external FIPS-certified network-attached HSM. With an Entrust HSM, the keys are securely stored as application key tokens on a remote file server (RFS) and can be reconstituted inside the Entrust HSM only.

If you are already using an Entrust HSM, you can now use a Citrix ADC to optimize, secure, and control the delivery of all enterprise and cloud services.


  • Entrust HSMs comply with FIPS 140-2 Level 3 specifications, while the MPX FIPS appliances comply with level 2 specifications.
  • You cannot decrypt the trace while using the Entrust HSM. Only the Hardserver can read the response from the HSM to the Citrix ADC appliance, because it is encrypted.

Supported versions matrix

Citrix ADC Version Entrust Client Version Hardserver Version Entrust Firmware Version
10.5e, 11.0, 11.1, 12.0, 12.1 11.70, 11.72 2.71.2 2.50.16, 2.51.10
Support for Entrust nShield® HSM