> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Deploy a client endpoint

> Deploy a client endpoint for the Venafi Adaptable CA service in CryptoHub.

After you deploy the Venafi Adaptable CA service in CryptoHub, set up a client endpoint. An endpoint is a device authorized to access the service. Use the **Endpoints** menu to view and manage these devices. You can also add new endpoints by selecting **\[ Add New ]**. This prompts you to enter the device address and specify the endpoint. Detailed instructions for deploying a client endpoint and installing the client library files are provided below.

## Deploy client endpoint

Perform the following steps to deploy a client endpoint in CryptoHub:

<Steps>
  <Step>
    Go to the **Endpoints** menu inside the service you deployed.
  </Step>

  <Step>
    In the **Manage Endpoints** menu, select **\[ Add New ]**.
  </Step>

  <Step>
    In the **Add Endpoint** dialog:

    * Enter a **Name** for the endpoint (optional).
    * Leave the values set to the CryptoHub **Hostname** that is auto-populated.
    * Select the **Platform** on which to deploy Venafi Adaptable.
  </Step>

  <Step>
    Select **\[ Add Endpoint ]**. The browser should prompt the user to download a zip file containing the `Futurex KMES CA.ps1` and `FuturexCreateCustomFields.ps1` scripts, a credential file, and client PKI for establishing a TLS mutually authenticated connection to the CryptoHub instance.
  </Step>
</Steps>

## Extract the Venafi Adaptable CA endpoint zip

Perform the following steps to configure the Futurex Adaptable CA PowerShell scripts on the machine where you installed Venafi TPP:

<Steps>
  <Step>
    Open the **PowerShell** application.
  </Step>

  <Step>
    Go to the directory containing the Venafi Adaptable CA endpoint zip generated for the service in CryptoHub
  </Step>

  <Step>
    Extract the endpoint zip file using the `unzip` command, producing the following files:

    * `Futurex KMES CA.ps1`
    * `FuturexCreateCustomFields.ps1`
    * `README.md`
    * `credential.txt`
    * `info.txt`
    * `pki-password.txt`
    * `pki.p12`
  </Step>
</Steps>

## Extract the client PKI and root CA certificate using OpenSSL

<Note>
  Copy the password value inside the **pki-password.txt** file to your clipboard before proceeding. You will need to paste it in place of `yourpassword` in the OpenSSL commands below.
</Note>

Perform the following steps to extract the client PKI and root CA certificate using OpenSSL:

<Steps>
  <Step>
    Open the **PowerShell** application.
  </Step>

  <Step>
    Navigate to the directory containing the `pki.p12` file extracted in the previous step.
  </Step>

  <Step>
    Run the following OpenSSL command to extract the signed client certificate:

    ```shell expandable lines wrap title="Shell" theme={null}
    openssl pkcs12 -in yourfile.p12 -out clientcert.pem -clcerts -nokeys -passin pass:yourpassword
    ```
  </Step>

  <Step>
    Run the following OpenSSL command to extract the clear client private key:

    ```shell expandable lines wrap title="Shell" theme={null}
    openssl pkcs12 -in yourfile.p12 -out clientkey.pem -nocerts -nodes -passin pass:yourpassword
    ```
  </Step>

  <Step>
    Run the following OpenSSL command to extract the CA certificates:

    ```shell expandable lines wrap title="Shell" theme={null}
    openssl pkcs12 -in yourfile.p12 -out cacerts.pem -cacerts -nokeys -passin pass:yourpassword
    ```
  </Step>

  <Step>
    The entire CA certificate chain is output to the `cacerts.pem` file. Copy the contents of the *Client Application TLS* CA certificate that issued the client PKI, then paste it into a new file and save.
  </Step>
</Steps>

## Import the Client Application TLS CA certificate into the Trusted Root Certificate Authorities store in Windows

<Steps>
  <Step>
    Open the **Manage computer certificates** program.
  </Step>

  <Step>
    Right-click the **Trusted Root Certificate Authorities** store and select **All Tasks** > **Import**. This opens the Certificate Import Wizard.
  </Step>

  <Step>
    In the Certificate Import Wizard, select **\[ Next ]**.
  </Step>

  <Step>
    Select **\[ Browse ]**. In the File Explorer, select the **Client Application TLS CA** file and click **\[ Open ]**, then select **\[ Next ]**.
  </Step>

  <Step>
    Leave selected the **Trusted Root Certificate Authorities** store as the location to import the certificate and click **\[ Next ]**.
  </Step>

  <Step>
    Select **\[ Finish ]**. You should see a confirmation message that the import was successful.
  </Step>
</Steps>
