HSM Partner
European manufacturer of Hardware Security Modules, certified silicon for classical and post-quantum cryptography.
Utimaco is a global platform provider of trusted Cybersecurity and Data Protection solutions and services with headquarters in Aachen (Germany) and Campbell, CA (USA). Utimaco develops on-premises and cloud-based hardware security modules, solutions for key management and data protection as well as Public Warning Systems. Utimaco is one of the world's leading manufacturers in its key market segments. Find out more on www.utimaco.com.
ZetaCA and PKIFactor integrate natively with Utimaco u.trust GP HSM Se-Series via PKCS#11 R3. Cryptographic keys are generated, stored and rotated inside Utimaco's certified silicon (FIPS 140-3 Level 3, Common Criteria), for classical algorithms (RSA-2048 to 8192, ECDSA-P256/P384/P521), post-quantum signatures (ML-DSA-44/65/87, FIPS 204), key encapsulation (ML-KEM-512/768/1024, FIPS 203) and stateful hash-based signatures for long-lived roots (LMS, HSS, XMSS, NIST SP 800-208). The ML-DSA, ML-KEM and LMS implementations went through NIST CAVP testing during the 2025 cycle (certificate references available on request).
Architecture
The end-to-end cryptographic path, from the application request down to certified silicon.
Application
PKIFactor
Multi-CA CLM orchestration
Application
ZetaCA
Post-quantum native issuance
Cryptographic Interface
Standard cryptographic interface between software and hardware. Utimaco vendor mechanisms for PQC, including external-mu offload (FIPS 204 §6.2).
Hardware Security
Utimaco u.trust GP HSM
u.trust GP Se-Series · FIPS 140-3 Level 3 · Common Criteria
QuantumProtect · in-field
Post-quantum application package activated on existing HSMs. No hardware replacement required.
Featured
ZetaCA issues classical (RSA, ECDSA), post-quantum native (ML-DSA-44/65/87) and hybrid certificates — either dual-cert (RFC 9763 RelatedCertificate) or alternative-signature (X.509 §9.8 / draft-ietf-lamps-x509-alt-sig). ML-DSA signing is always performed in Utimaco hardware. PKCS#11 R3 with vendor mechanisms (CKM_MECH_MLDSA_*) including external-mu offload (FIPS 204 §6.2) for high-throughput signing.
Keys are generated inside Utimaco silicon. Never in application memory, never on disk, never extractable.
QuantumProtect activates ML-DSA, ML-KEM and LMS on existing u.trust GP HSM units. No hardware replacement, no downtime.
ML-DSA, ML-KEM and LMS implementations went through NIST CAVP testing during the 2025 cycle (certificate references available on request). Auditable evidence usable in a FIPS 140-3 certification or RGS qualification path.
Compliance & validation
Transparent breakdown of what runs in Utimaco hardware versus what ZetaCA handles in software.
| Algorithm | NIST FIPS | Utimaco hardware | ZetaCA |
| --- | --- | --- | --- |
| ML-DSA-44/65/87 | FIPS 204 (CAVP-validated) | QuantumProtect | in-HSM signing |
| ML-KEM-512/768/1024 | FIPS 203 (CAVP-validated) | QuantumProtect | in-HSM keygen + encapsulation |
| LMS / HSS | SP 800-208 (CAVP-validated) | QuantumProtect | software fallback |
| SLH-DSA | FIPS 205 | roadmap | software via OpenSSL 3.5 |
| FN-DSA / Falcon | FIPS 206 (draft) | roadmap | software via oqs-provider |

As of 2026-05. Updated as new validations are published.