After you deploy the Venafi Adaptable CA service in CryptoHub, set up a client endpoint. An endpoint is a device authorized to access the service. Use the Endpoints menu to view and manage these devices. You can also add new endpoints by selecting [ Add New ]. This prompts you to enter the device address and specify the endpoint. Detailed instructions for deploying a client endpoint and installing the client library files are provided below.

Deploy client endpoint

Perform the following steps to deploy a client endpoint in CryptoHub:
1. Go to the Endpoints menu inside the service you deployed.
2. In the Manage Endpoints menu, select [ Add New ].
3. In the Add Endpoint dialog:
  • Enter a Name for the endpoint (optional).
  • Leave the values set to the CryptoHub Hostname that is auto-populated.
  • Select the Platform on which to deploy Venafi Adaptable.
4. Select [ Add Endpoint ]. The browser should prompt the user to download a zip file containing the Futurex KMES CA.ps1 and FuturexCreateCustomFields.ps1 scripts, a credential file, and client PKI for establishing a TLS mutually authenticated connection to the CryptoHub instance.

Extract the Venafi Adaptable CA endpoint zip

Perform the following steps to configure the Futurex Adaptable CA PowerShell scripts on the machine where you installed Venafi TPP:
1. Open the PowerShell application.
2. Go to the directory containing the Venafi Adaptable CA endpoint zip generated for the service in CryptoHub.
3. Extract the endpoint zip file using the unzip command, producing the following files:
  • Futurex KMES CA.ps1
  • FuturexCreateCustomFields.ps1
  • README.md
  • credential.txt
  • info.txt
  • pki-password.txt
  • pki.p12

Extract the client PKI and root CA certificate using OpenSSL

Copy the password value inside the pki-password.txt file to your clipboard before proceeding. You will need to paste it in place of yourpassword in the OpenSSL commands below. In the same commands, yourfile.p12 stands for the pki.p12 file extracted in the previous section.

Perform the following steps to extract the client PKI and root CA certificate using OpenSSL:
1. Open the PowerShell application.
2. Navigate to the directory containing the pki.p12 file extracted in the previous step.
3. Run the following OpenSSL command to extract the signed client certificate:

    openssl pkcs12 -in yourfile.p12 -out clientcert.pem -clcerts -nokeys -passin pass:yourpassword

4. Run the following OpenSSL command to extract the clear client private key. The -nodes option writes the key to clientkey.pem unencrypted, so restrict access to that file:

    openssl pkcs12 -in yourfile.p12 -out clientkey.pem -nocerts -nodes -passin pass:yourpassword

5. Run the following OpenSSL command to extract the CA certificates:

    openssl pkcs12 -in yourfile.p12 -out cacerts.pem -cacerts -nokeys -passin pass:yourpassword

6. The entire CA certificate chain is output to the cacerts.pem file. Copy the contents of the Client Application TLS CA certificate that issued the client PKI, then paste it into a new file and save.
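
Step 6 can be scripted rather than copied by hand. The PowerShell below is an added example, not part of the Futurex endpoint package: it selects the certificate in cacerts.pem whose subject matches the issuer of clientcert.pem, saves it, and confirms the signature with openssl verify. The output name client-app-tls-ca.cer and the helper function names are hypothetical, and openssl is assumed to be on the PATH.

```powershell
# Added example (not Futurex code). Run in the directory that holds
# clientcert.pem and cacerts.pem produced by the OpenSSL steps above.
$ErrorActionPreference = 'Stop'
$outFile = 'client-app-tls-ca.cer'   # hypothetical output file name

function Get-PemCertificate {
    # Return every certificate in a PEM file, skipping the "Bag Attributes"
    # text that openssl pkcs12 writes around each block.
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

function Get-NameKey([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name) {
    # Compare distinguished names by their encoded bytes, not display strings.
    [Convert]::ToBase64String($Name.RawData)
}

$client = @(Get-PemCertificate -Path .\clientcert.pem)
if ($client.Count -ne 1) { throw "Expected one client certificate, found $($client.Count)." }
$client = $client[0]

$issuerKey = Get-NameKey $client.IssuerName
$candidates = @(Get-PemCertificate -Path .\cacerts.pem |
    Where-Object { (Get-NameKey $_.SubjectName) -eq $issuerKey })
if ($candidates.Count -ne 1) {
    throw "Expected one CA with subject '$($client.Issuer)', found $($candidates.Count)."
}
$ca = $candidates[0]

# Write the selected CA as a Base64 (PEM) certificate file.
$b64 = [Convert]::ToBase64String($ca.RawData, [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -LiteralPath $outFile -Value $pem -Encoding ascii

# Confirm the signature, not just the name match. -partial_chain lets openssl
# treat this one CA as the trust anchor even if it is not self-signed.
& openssl verify -partial_chain -CAfile $outFile clientcert.pem
if ($LASTEXITCODE -ne 0) { throw 'clientcert.pem does not verify against the selected CA.' }

# Review these values before importing the file into a trust store.
$ca | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
```

The script stops without selecting a CA if zero or several certificates in cacerts.pem match the issuer name, and stops after writing the file if the signature check fails.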

Import the Client Application TLS CA certificate into the Trusted Root Certificate Authorities store in Windows

1. Open the Manage computer certificates program.
2. Right-click the Trusted Root Certificate Authorities store and select All Tasks > Import. This opens the Certificate Import Wizard.
3. In the Certificate Import Wizard, select [ Next ].
4. Select [ Browse ]. In the File Explorer, select the Client Application TLS CA file and click [ Open ], then select [ Next ].
5. Leave the Trusted Root Certificate Authorities store selected as the location to import the certificate, then click [ Next ].
6. Select [ Finish ]. You should see a confirmation message that the import was successful.