Engage logo 990000 rev 2.000

  • Home
  • Products
  • Certificate Authority
  • BlackVault CA

BlackVault CA
Certificate Authority with Hardware Security Module  


The BlackVault CA (Certificate Authority) is a fully functional CA application. It is utilized to provide strong assurance of identity by issuing and managing public-key certificates. Certificates are generated within secure software and trusted hardware with private keys stored in the tamper reactive cryptographic boundary of the integrated HSM. The BlackVault CA ensures both maximum security and operational simplicity.

Powerful and intuitive, the BlackVault CA is the right choice for highly secure certificate authority operations.


The BlackVault CA is a Certificate Authority with an integrated Hardware Security Module that simplifies and secures the implementation and operation of PKI infrastructures. Ready to deploy purpose built FIPS level 3
CA appliance that performs:
• X.509 certificate generation
• CSR and CRL processing
• OCSP and EST servers
• Key generation & management

The BlackVault CA is deployed as a root or subordinate CA and is effective in online and offline PKI applications including:
• Industrial Internet of Things (IIoT)
• Web Services
• Code & Document Signing
• Secure Email
• NSA Commercial Solutions for Classified

The BlackVault CA securely boots up as a secure certificate authority server running inside of a tamper reactive cryptographic boundary. All cryptographic functions, including private / public key generation and certificate signing are performed inside FIPS Level 3 protected hardware.
The cryptographic algorithms are also FIPS certified and use a sophisticated NIST hardware random number generator to ensure key entropy. Private keys are never in the clear; including key backups where keys are encrypted.


Powerful Features
The BlackVault CA securely boots as a Certificate Authority and can be configured as a root CA with self-signed certificates or a subordinate CA with chain of trust to the root CA. Unlike general purpose operating systems and standalone HSMs, the BlackVault CA powers on in CA mode while automatically linking all CA functionality to its highly secure HSM cryptographic boundary. 

The BlackVault CA supports both networked and off-line (air-gapped) applications, and is easily transported to a secure room or safe without loss or compromise of cryptographic material. It also delivers the latest secure CA features, including Enrollment over Secure Transport (EST) protocol, as well as OCSP, and a full suite of advanced cryptographic algorithms (including Suite B).

Certificate Revocation Lists (CRLs)

The BlackVault CA maintains and updates the CRL as certificates are revoked. The CRL is accessed using the Online Certificate Status Protocol (OCSP).

Real Time Audits
Constantly updated configuration and operation information provide Security Administrators with the data to discover anomalous activity or failure of critical functions. Audit information can be sent to a trusted entity and is protected to prevent unauthorized access, modification, or deletion.


Military Grade Tamper Reactive
The BlackVault cryptographic boundary is within the silicon of its secure CPU. This silicon die shield has dynamic fault detection with real-time environmental and tamper detection circuitry. It also avoids inadvertent tamper, making the BlackVault safe to transport. Critical security parameters, such as a certificate’s private key, are encrypted by an inaccessible Master key stored within the cryptographic boundary and zeroized if a tamper event is detected.



Engage logo 990000 rev 2.000
9565 Soquel Drive Dr,
Aptos Ca 95003
Telephone: 1-831-688-1021
Toll Free : 1-877-ENGAGE4
Fax: 1-831-688-1421
© 1989-2017 Engage Inc.
Designed, Fabricated, and Assembled
in America icon
Supported Worldwide