Overview – hardware security for real-world PKI

Khatim PKI Server is designed to keep private keys inside trusted hardware while giving administrators full control over PKI lifecycle operations. Whether you are launching a new CA hierarchy or importing an existing one, Khatim PKI Server integrates with any HSM that implements the PKCS#11 (Cryptoki) interface. Keys never leave the hardware: signing operations execute inside the HSM, while Khatim PKI Server orchestrates policy, issuance and lifecycle management from the PKI admin portal.

What this delivers

  • True hardware-backed key custody for Root and Issuing CAs.

  • Ability to generate new keys inside the HSM or import existing keys/certificates.

  • Segregation of duties via multiple Key Vaults mapped to HSM slots.

  • Support for network, PCIe and USB HSMs through a single PKI management surface.

"Keep keys where they belong - protected, monitored, and ready for enterprise PKI"

Supported HSM Types & integration steps

Khatim PKI Server integrates with any HSM that exposes a PKCS#11 interface. Integration is straightforward: administrators provide the Cryptoki (PKCS#11) library path, the target slot and the user PIN. For cloud-managed keys (e.g., AWS KMS, Azure Key Vault) that expose PKCS#11 or a compatible interface, it can also orchestrate secure signing workflows.

Quick integration steps

  1. Install the vendor HSM client software on the PKI server host so that the PKCS#11 (Cryptoki) library is available.

  2. Define a Key Vault and point it at the Cryptoki library (.dll/.so) path, slot number and user PIN.

  3. Choose “Generate key in HSM” or “Import existing key/certificate” depending on your use case.

  4. Bind the key to CA roles and policies (root, issuing, timestamp signing, etc.).

  5. Test signing operations and verify certificate issuance and chain building.

Multiple Key Vaults & slot segregation
Khatim PKI Server supports creating multiple Key Vaults that map to different HSM slots or partitions. This enables security segmentation, e.g. one slot for root CA keys, another for issuing CA keys and a third for operational signing, improving separation of duties and reducing blast radius.

HSM types supported

  • Network-attached HSMs (Luna, Thales, Utimaco, etc.)

  • PCIe HSMs (on-prem accelerator cards)

  • USB HSMs (where applicable for lab/edge deployments)

  • Cloud KMS (when the vendor exposes compatible interfaces / PKCS#11 bridge)

"Plug in the HSM. Point Khatim PKI Server at it. Start issuing certs securely"

Supported algorithms & key sizes

Khatim PKI Server supports a wide range of signature algorithms and key sizes so you can deploy to current needs and plan for the future:

RSA: 512, 1024, 2048, 3072, 4096, 7680, 8192, 16384
ECDSA families:

  • nist_p (160, 192, 224, 256, 384, 521)

  • secp_k1 (192, 224, 256)

  • secp_r1 (160, 192, 224, 256, 384, 521)

  • brainpool_p_r1 (160, 192, 224, 256, 320, 384, 521)

  • brainpool_p_t1 (160, 192, 224, 256, 320, 384, 521)

PQC (ML-DSA / Dilithium): Dilithium2, Dilithium3, Dilithium5

This breadth enables hybrid deployments (classical + PQC), supports interoperability needs, and lets you tailor key parameters to compliance and performance goals.

"Crypto agility across classical and post-quantum primitives"

Operational guidance: checklist & Thales note

Before integrating an HSM, ensure the device and host environment are properly prepared:

  1. The HSM supports PKCS#11 (Cryptoki).

  2. The HSM is initialized with admin and operator roles configured.

  3. Any partitioning and slots are configured according to your security plan.

  4. The HSM client (vendor libraries/utilities) is installed where Khatim PKI Server is running and can be used to query the device.

  5. SO (Security Officer) and user PINs are provisioned. Khatim PKI Server requires the user PIN to access HSM key operations.

  6. Thales FIPS/network HSMs: if using Thales in FIPS mode, ensure RSAKeyGenMechRemap is enabled in the client configuration per vendor guidance.

These steps prevent common integration issues and make HSM onboarding predictable.
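A readiness check for items 2, 4 and 5 of this checklist (and for the slot/PIN setup in the quick integration steps above), written as an added example rather than code from Khatim PKI Server: it reads CK_TOKEN_INFO for the configured slot through the vendor Cryptoki library and maps the token flags to findings. It assumes a Unix build of the library that exports the C_* entry points directly (as SoftHSM2 and the usual vendor libraries do); the CKF_* values are from the PKCS#11 header, while the error/warning split is this example's own.

```python
import ctypes

# CK_TOKEN_INFO.flags bits from the PKCS#11 header pkcs11t.h.
CKF_USER_PIN_INITIALIZED, CKF_TOKEN_INITIALIZED = 0x00000008, 0x00000400
CKF_USER_PIN_FINAL_TRY, CKF_USER_PIN_LOCKED = 0x00020000, 0x00040000
CKF_SO_PIN_LOCKED = 0x00400000
CK_ULONG = ctypes.c_ulong  # CK_ULONG is 'unsigned long' in Unix builds of Cryptoki

class CK_TOKEN_INFO(ctypes.Structure):
    """CK_TOKEN_INFO layout for Unix builds (natural alignment); Windows DLLs use pack(1)."""
    _fields_ = ([("label", ctypes.c_char * 32), ("manufacturerID", ctypes.c_char * 32),
                 ("model", ctypes.c_char * 16), ("serialNumber", ctypes.c_char * 16),
                 ("flags", CK_ULONG)]
                + [(n, CK_ULONG) for n in ("ulMaxSessionCount", "ulSessionCount",
                   "ulMaxRwSessionCount", "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen",
                   "ulTotalPublicMemory", "ulFreePublicMemory", "ulTotalPrivateMemory",
                   "ulFreePrivateMemory")]
                + [("hardwareVersion", ctypes.c_ubyte * 2), ("firmwareVersion", ctypes.c_ubyte * 2),
                   ("utcTime", ctypes.c_char * 16)])

def assess_token(flags):
    """Map token flags to checklist findings; ready is False if any finding is an error."""
    findings = []
    if not flags & CKF_TOKEN_INITIALIZED:
        findings.append(("error", "token not initialized (checklist item 2)"))
    if not flags & CKF_USER_PIN_INITIALIZED:
        findings.append(("error", "user PIN not provisioned (checklist item 5)"))
    if flags & CKF_USER_PIN_LOCKED:
        findings.append(("error", "user PIN locked: key operations fail until the SO resets it"))
    elif flags & CKF_USER_PIN_FINAL_TRY:
        findings.append(("warning", "user PIN on final try: one more wrong PIN locks the slot"))
    if flags & CKF_SO_PIN_LOCKED:
        findings.append(("warning", "SO PIN locked: PIN resets and re-partitioning are blocked"))
    return all(sev != "error" for sev, _ in findings), findings

def query_slot(cryptoki_path, slot_id):
    """Return (label, flags) for one slot; assumes the library exports C_* symbols directly."""
    lib = ctypes.CDLL(cryptoki_path)
    lib.C_Initialize.argtypes, lib.C_Initialize.restype = [ctypes.c_void_p], CK_ULONG
    lib.C_GetTokenInfo.argtypes = [CK_ULONG, ctypes.POINTER(CK_TOKEN_INFO)]
    lib.C_GetTokenInfo.restype = lib.C_Finalize.restype = CK_ULONG
    if (rv := lib.C_Initialize(None)) != 0:  # 0 == CKR_OK
        raise RuntimeError(f"C_Initialize failed, CKR=0x{rv:08x}")
    try:
        info = CK_TOKEN_INFO()  # sized exactly as the C struct, so the library fills it safely
        if (rv := lib.C_GetTokenInfo(slot_id, ctypes.byref(info))) != 0:
            raise RuntimeError(f"C_GetTokenInfo(slot {slot_id}) failed, CKR=0x{rv:08x}")
        return info.label.decode("utf-8", "replace").rstrip(), info.flags
    finally:
        lib.C_Finalize(None)
```

Run `assess_token(query_slot("/path/to/libCryptoki2_64.so", slot)[1])` against the slot a Key Vault will use; the same flag logic is what a monitor would poll for the PIN/authorization alerts described later on this page.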

"Prepare the HSM correctly - deployment is easy when you follow the checklist"

Monitoring, alerts & lifecycle operations

Khatim PKI Server includes built-in HSM monitoring. The platform polls the HSM and raises alerts for connectivity failures. Alerts can be delivered via email or integrated with your incident management and SIEM systems.

Operational features

  • Per-slot health checks and availability indicators.

  • Alerting on PIN/authorization errors.

For more details on PKI HSM health monitoring, check out PKI Insights.

"Detect problems early - HSM health as a first-class metric"

Create or import CA hierarchies – flexible lifecycle support

Whether you are building a new PKI from scratch or taking over an existing CA, Khatim PKI Server supports both paths. Use the PKI Designer to model hierarchies and map each CA role to an HSM Key Vault (generate keys in place, or import pre-existing key material and bind certificates). This flexibility simplifies migrations, mergers and consolidation projects.

"Build new trust or bring existing trust with you"

Words from Clients

Leading companies rely on us for their PKI and digital signature needs

We were struggling with our PKI implementation when Codegic came to the rescue. They not only sorted our technical issues but also designed the whole PKI for the infrastructure.

Hemal Patel, CEO, Ray Pte. Ltd.