How and why LuxTrust migrated to the Nexus certificate authority software

Luxembourg’s national trust services provider LuxTrust migrated to identity and security company Nexus Group’s certificate authority (CA) software in 2017. “As of 2019, switching to the Nexus software has proved to be beneficial both for us as a company and for the citizens of Luxembourg. The migration process was straight-forward and had low business impact, thanks to competent help from Nexus,” says Ralph Berkes, chief engineer at LuxTrust.

LuxTrust’s core business is to issue electronic identities (eIDs) to everybody living or working in Luxembourg. The electronic identities are used to grant secure access to a wide range of e-services within both the private and public sector, and to make legally binding digital signatures.

LuxTrust is fully eIDAS certified

“People can get one private eID and one employee eID, which are stored centrally and accessed via mobile apps, smart cards or hard tokens,” says Pascal Rogiest, CEO of LuxTrust.

The electronic identities are based on public key infrastructure (PKI) certificates, and LuxTrust is fully certified according to the EU regulation eIDAS (electronic identification, authentication and trust services).

“Our services are ranked as having the highest possible quality: our certificates are deemed ‘qualified,’ according to eIDAS,” says Rogiest.

The previous setup didn’t meet the needs

At the heart of a PKI is the certificate authority software, which issues and manages the certificates. Prior to August of 2017, LuxTrust used a certificate authority software from a large American vendor.

“We had outsourced the management of this certificate authority software to another company, but this setup didn’t meet our specific needs,” says Berkes.

Why did you want another certificate authority software?

“We experienced limitations and drawbacks with the software. All softwares have their pros and cons, and there were good things with our previous certificate authority software. But the drawbacks took the upper hand. It was complicated to operate and upgrade, mainly because it required a dedicated instance of the software per certificate authority – that is, it wasn’t multitenant,” says Berkes.

This meant that every time LuxTrust wanted to make changes to the certificate authority software, they had to make the changes in all the different instances of the software. With a multitenant software – such as the Nexus certificate authority software – many certificate authorities can be run on the same instance of the software.

Tough demands on the new software

“So, multitenancy was one of our main requirements when we started to look for a new CA software supplier. But we had a range of other important requirements too: first of all, the CA software of course has to be reliable and efficient, and appropriately certified. We also wanted a suitable pricing model, and we had tough demands on flexibility and detailed requirements on the certificates,” says Berkes.

In the end of 2016, LuxTrust initialized a project with the aim of migrating the certificate authorities to a new certificate authority software, run on their own servers.

Workshops with potential suppliers

“The process of choosing a new CA software involved workshops with potential suppliers, where we got to test out their CA softwares and see if they could fulfil our requirements. Among other things, we wanted to see how we could create and change policies, and change configurations, and how we could integrate the CA software with our services,” says Berkes.

What’s your best advice for people in the process of choosing a new CA software?

“To have these workshops, where you are allowed to play with the software. It’s very important to be able to see how the software functions in reality. Someone can show you a PowerPoint presentation about a CA software, and it looks really good – but you don’t know if it’s really true. When you play with it, you can discover problems with it and challenge the supplier,” says Berkes.

Nexus committed to meet all demands

The Nexus certificate authority software didn’t originally meet all of LuxTrust’s demands, but Nexus committed to develop the software to deliver fixes in coming releases.

“And Nexus has fulfilled its promises. We are happy with the solution: it functions as expected,” says Berkes.

What are the biggest benefits with the Nexus CA software?

“One very important aspect is the pricing model, as it gives us flexibility when volumes and transactions increase over time. Other important benefits are that the application is very straight forward to use, and that it provides all the audit logs and all the access controls we need: we can limit the functionality to different roles, and that’s very important for us since we are heavily regulated. And as I’ve already mentioned, the multitenancy feature is also very important to us. There are also a number of other useful features that we benefit from, and we appreciate that Nexus develops more features continuously,” says Berkes.

Are the citizens and organizations of Luxembourg also experiencing improvements after the software change?

“The benefits of the Nexus software are most noticeable for us internally, but there are a number of benefits for the citizens and organizations as well, and there are more to come,” says Berkes.

Migration of the cryptographic keys

LuxTrust operates the Nexus certificate authority software as a certificate factory and OCSP (Online Certificate Status Protocol) responder for certificate status validation.

“We have a redundant system: we have two data centres for the online CAs, and we have two offline CAs on computers in safes. The registration authority is a portal that we have developed ourselves,” says Berkes.

The migration from the old CA software began with migration of the cryptographic keys to a new hardware security module (HSM) in the end of July 2017.

“This was a critical operation, as the keys are the heart of the CA. The migration took place in a secure room with an auditor present,” says Berkes.

A migration team of five people

The migration to the new CA software took place on in the end of August 2017.

“We started at 2 p.m. on a Saturday, to minimize the impact on our users. Pretty much everybody in Luxembourg uses our services, so it’s really important that the system is up and running,” says Berkes.

The migration team consisted of Berkes and three more people from LuxTrust, plus Christophe Cauche, technical account manager at Nexus.

“We also got some help from the company that had managed the old CA software, but we wanted to involve them as little as possible. I’m very happy with Christophe’s contributions: he has been very supportive and active during the entire project,” says Berkes.

Went smoother than expected

During the migration, two root CAs, seven sub-CAs, a number of certificate policies, and many certificates were imported to the Nexus CA software.

“We had done a test migration earlier, but during the sharp migration we ran into an issue nonetheless: when we imported the certificate revocation list it was so big that the application became unresponsive. We restarted the application, and that solved the problem. So, over all it was a straight-forward migration that went smoother than expected. We all stayed at our premises all night, and at 7 o’clock on Sunday morning we were finished,” says Berkes.

LuxTrust recommends Nexus

The Nexus CA software has now (as of January 2019) been up and running for 1.5 years, and Berkes says that he can wholeheartedly recommend both the software and Nexus.

“If we have any questions, we contact the Nexus support team or Christophe. It’s really important to always have access to a competent technical consultant from the supplier, and Nexus is really great in this aspect. When it comes to the commercial parts, our Nexus contact is Philippe Fonton, director for France at Nexus. We are very satisfied with the way he managed the commercial discussions and the Nexus team availability,” says Berkes.

A part of the Nexus Smart ID platform

The Nexus general-purpose certificate authority software is a part of the Nexus Smart ID platform, which is used by large organizations all around the world to enable trusted corporate identities or secure communication in internet of things applications such as connected cars.

Magnus Malmström, CEO of Nexus, is pleased that LuxTrust opted for the Nexus CA software.

“As a national trust service provider, LuxTrust is a heavily regulated organization with very high demands on their CA software, so having them choosing us is a real badge of honor. The migration project from legacy CA software assured low business impact for LuxTrust, which is a strong endorsement of the great technical skills we have at Nexus,” says Malmström.


Other related blogs:

How Luxembourg enables widespread use of e-services in the private and public sectors

LuxTrust opts for Nexus’s solution to issue eIDs to everybody in Luxembourg


For more information about luxtrust 


"People can get one private eID and one employee eID, which are stored centrally and accessed via mobile apps, smart cards or hard tokens."


LuxTrust was created in 2005, on the initiative of the government in Luxembourg, and is now co-owned by the government and a number of retail banks. Its customers include governments, institutions, leading banks and SMEs.


LuxTrust enables the management of electronic identities through strong authentication of physical persons via digital certificates and provides trust services such as face-to-face and remote-identification services; qualified electronic signatures; eSeals for companies; strong authentication services; qualified electronic timestamps; validation of domain and website authentication (SSL certificates); and management of connected identities, including the internet of things applications. The company supports a wide range of certificate devices, from smartcards and hardware token to mobile applications.

LuxTrust is certified according to the EU regulation eIDAS and other applicable regulations such as GDPR and PSD2.

For more information, visit

Choose another case study

Authentication Blog Customer Cases PKI Virtual smart cards Workforce

Nexus X STid: Bridging the gap between physical and digital access

14 May, 2024
The Nexus & STid joint solution will empower authorized users - employees, visitors, and contractors - to access corporate premises and digital res...
Citizen ID Customer Cases PKI

Pantasign strengthens trust in India’s digital ecosystem with Nexus PKI

25 March, 2024
Pantasign is leading the way towards a trusted digital authentication ecosystem to meet the changing security requirements of India's digital lands...
Citizen ID Customer Cases PKI

XtraTrust empowers secure digital transformation in India with Nexus PKI

21 March, 2024
XtraTrust empowers secure digital transformation in India with Nexus Smart ID PKI