Entrust Datacard (Europe) Limited

Managed Root CA

Entrust will commission, host and manage your high assurance off-line Root CA using an audited tScheme process. With the Hosted Root CA service you have a solution built to your own policy requirements with full control of your own cryptographic keys, managed from an accredited facility in the UK.


  • High assurance Root CA PKI service
  • Full design and commissioning service
  • Can be built to a customer specific Certificate Policy
  • Fully audited Key Signing Ceremony
  • Root CA cryptographic keys held in FIPs140-2 Level 3 HSMs
  • Full backup and recovery facility
  • Standalone offline Root CA managed and assured under tScheme
  • Customer-only access to HSM held CA Private Key
  • Will support sub- CA infrastructure on multiple technologies
  • Hosted in a purpose-built UK ISO27001 compliant facility


  • A robust root CA that can meet industry standard compliance
  • Reduces business risk by compliance with recognised assured tScheme processes
  • Annual audited assurance process, with customer to validate keys/policy
  • Bespoke design fits your business requirements
  • Built to comply with industry and UK Government standards
  • tScheme and ETSI Certified environment
  • Easy front-end integration with TrustedX EIDAS for digital signing
  • Fast deployment with low complexity
  • Device agnostic solution approach that scales as you grow
  • No PKI expertise required and no hardware/software to manage


£19,500 an instance a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at robert.hann@entrust.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

3 6 0 4 0 0 0 3 8 9 0 4 3 2 2


Entrust Datacard (Europe) Limited Robert Hann
Telephone: 07818 552411
Email: robert.hann@entrust.com

Service scope

Service constraints
System requirements
None - the Root CA is offline

User support

Email or online ticketing support
Email or online ticketing
Support response times
Aim to respond to the most severe issues within 1 hour
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
All services operate 24x7. The standard support package is 9am - 5pm Monday-Friday (excluding holidays). Other support options are available. A customer service engineer is allocated for each service request.
Support available to third parties

Onboarding and offboarding

Getting started
Following the Root CA build, there is a Key Signing Ceremony (KSC). This is the event where the protected key material for the CA is created. The Key Signing Ceremony for CAs is conducted at our secure facilities. We provide proven and highly refined documentation for the conduct of the signing ceremony and will orchestrate this carefully planned process.
Service documentation
Documentation formats
End-of-contract data extraction
The Root CA can be handed over with proper security procedures.
End-of-contract process
Off Boarding is triggered when if customer wants to migrate the key pair(s), before the keys are naturally due to expire. In this case Entrust can sell the hardware, if usable life remains in it, to the customer at current market rate. In any scenario, we would provide a migration plan supported by our professional services to ensure the process is carried out securely, swiftly and with the least disruption.

Using the service

Web browser interface
Command line interface


Scaling available
Independence of resources
Root CA activities are planned and scheduled well in advance of any critical events
Usage notifications
Usage reporting


Infrastructure or application metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
What’s backed up
  • Backups stored to two geographical locations
  • Root CA backed up to Removable media
Backup controls
Backups are performed at a Key Signing ceremony under two person control, audit conditions, video recorded and records maintained for 7 years after the life of the Root CA
Datacentre setup
Single datacentre with multiple copies
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
Other protection between networks
No network connectivity. Data in Transit is protected by file level encryption or secure channels such as SFTP
Data protection within supplier network
Other protection within supplier network
Standalone system - no associated network connectivity

Availability and resilience

Guaranteed availability
Not applicable to Root CAs that are offline
Approach to resilience
Multiple Offline Backups are maintained
Outage reporting
Not Applicable

Identity and authentication

User authentication
Other user authentication
Offline Root CA requires Username and password for server management purposes only. Root CA requires quorum of security credentials under multi-person control to access the Root CA Private Keys
Access restrictions in management interfaces and support channels
Not applicable to Root CAs
Access restriction testing frequency
At least every 6 months
Management access authentication
Description of management access authentication
Not applicable to Root CAs
Devices users manage the service through
Dedicated device on a segregated network (providers own provision)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
All business operations and locations are covered by the scope of the ISO27001:2013 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications
Any other security certifications
  • TScheme TSd0106_3-01 Approval Profile Certificate Status Management
  • TScheme TSd0104_3-01 Approval Profile Certificate Generation
  • TScheme TSd0105_3-01 Approval Profile Certificate Dissemination
  • TScheme TSd0106_3-01 Approval Profile Certificate Status Management

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Information security policies and processes
Entrust, with the full commitment of the senior leadership, strongly believes that the fundamental principle to its success in innovation is its information security strategy. This strategy is based on adherence to enterprise-wide world-class governance, a set of controls and strict compliance with National UK Government, financial, international, and industry standards such as:
• ISO 27001
• tScheme
• Cyber Essentials (Managed Root CA out of scope)

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Configuration is agreed at the initiation of the Root CA and will not typically change through out the life of the CA. Any required changes are with explicit agreement with the Policy Authority
Vulnerability management type
Vulnerability management approach
Not Applicable - Offline Managed Root CA
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
A Root CA is offline so security controls are based on physical access and multi-person controls. A customer's Root CA can only be brought up with their attendance. Audit logs are maintained in accordance with the Certificate Policy and tScheme compliance. All records are retained for 7 years after the life of the CA
Incident management type
Supplier-defined controls
Incident management approach
Our Incident Management policy and procedures follows best practice as required by ISO27001:2013. Examples of incidents and events are defined and subsequent actions are designed into security incident responses.
Users report incidents either by telephone, email or directly to managers or the Security Manager. All incidents are recorded in the Service Desk system and coordinated through to closure by the investigating body.
Incident reports are generated upon completed investigation and these are shared with interested parties under NDA, as required contractually, legally, regulatory. All incidents are reported to the Security Management Forum and subsequently to the Board

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart

Energy efficiency

Energy-efficient datacentres

Social Value

Fighting climate change

Fighting climate change

Covid-19 recovery

Covid-19 recovery

Tackling economic inequality

Tackling economic inequality

Equal opportunity

Equal opportunity

Entrust is committed to creating and maintaining a quality working environment in which all individuals are treated with respect and dignity. Everyone has the right to work in a professional atmosphere that promotes equal employment opportunities. Entrust prohibits discrimination and harassment and strictly adheres to all applicable labor and employment laws in every country in which we operate.

All colleagues are expected to demonstrate respect, professionalism, and good judgement in both their work and workplace interactions. This includes, but is not limited to, avoiding behaviors such as:

Dishonesty, willful omission, or falsification of information;
Carelessness, neglect, or behavior that limits or hinders productive work, including unexcused absences or tardiness;
Violation of any applicable company policy; and
Other unprofessional or disrespectful behaviors that could endanger good working relationships or interfere with productivity.
Entrust also strives to provide an inclusive environment where colleagues feel appreciated for their unique characteristics and are comfortable sharing their ideas and authentic selves. Our diversity and inclusion program is aimed at celebrating, educating, and empowering all colleagues and cultures we represent.

Even minor, unintentional inequities can have a negative effect on workplace culture. Be mindful of behavior that may demonstrate disrespect or cause others to feel excluded or their contributions devalued.


At Entrust, Safety is a high priority. For the well-being of each individual and the Company, all colleagues must be conscious of safety risks and take reasonable steps to mitigate those risks where possible. Maintaining a culture of safety requires a team effort to identify and correct unsafe conditions. Colleagues are encouraged to report hazards and safety concerns to their managers so that Entrust can continue to build and maintain a safe and efficient workplace.


£19,500 an instance a year
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at robert.hann@entrust.com. Tell them what format you need. It will help if you say what assistive technology you use.