> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure CyberArk Trust Protection Foundation CryptoHub integration

> Configuration steps for integrating CyberArk Trust Protection Foundation with CryptoHub, including connector setup and HSM key generation.

This section covers the following integration configuration tasks:

* Create an HSM connector and generate a key
* Enable CyberArk Advanced Key Protect
* Generate an HSM private key
* Configure code signing

## Create a connector and generate a key

Perform the following steps to create an HSM connector and generate an HSM-Protected encryption key:

<Steps>
  <Step>
    Open the **CyberArk Configuration Console** application.
  </Step>

  <Step>
    Select the **Connectors** node.
  </Step>

  <Step>
    Select **\[ Create HSM Connector ]** in the **Actions** panel.
  </Step>

  <Step>
    Enter the local master admin username and password and click **\[ OK ]**.
  </Step>

  <Step>
    In the **Create New HSM (Cryptoki) Connector** window, specify a **Name** for the HSM connector.
  </Step>

  <Step>
    For **Cryptoki Dll Path**, select **\[ Browse... ]** and select the Futurex PKCS #11 DLL file at the following path:

    ```text expandable lines wrap title="Text" theme={null}
    C:\Program Files\Futurex\fxpkcs11\fxpkcs11.dll
    ```
  </Step>

  <Step>
    Select **\[ Load Slots ]**.
  </Step>

  <Step>
    Select the slot number configured in the FXPKCS11 configuration file (the default is slot **0**). This is where CyberArk Trust Protection Foundation accesses the encryption keys.
  </Step>

  <Step>
    For **User Type**, leave the default option selected, **Crypto Officer (User)**. CyberArk TPF uses the identity configured inside the **FXPKCS11** configuration file when connecting to the CryptoHub.
  </Step>

  <Step>
    For **Pin**, enter the CryptoHub identity password configured inside the `<CRYPTO-OPR-PASS>` tag in the `fxpkcs11.cfg` file.
  </Step>

  <Step>
    Select **\[ Verify ]**.

    <Check>
      If the connection to the CryptoHub is successful, a new Permitted Keys section populates in the window.
    </Check>
  </Step>

  <Step>
    Select **\[ New Key... ]**.
  </Step>

  <Step>
    In the **Create New HSM Key** window, enter a **Name** and select the **Type** for the key, and select **\[ Create ]**.

    <Check>
      If key creation is successful, the key is now viewable inside the CyberArk Trust Protection Foundation service on the CryptoHub. The name of the key is shown in the list of Permitted Keys in the Create New HSM Key window.
    </Check>

    <Note>
      If you plan to use CyberArk CodeSign Protect to store private code signing keys on the CryptoHub, select the Allow Key Storage checkbox here.
    </Note>
  </Step>

  <Step>
    Select **\[ Create ]** to save and close the window.
  </Step>
</Steps>

## Enable CyberArk Advanced Key Protect

HSM Private Key Generation and CyberArk Code Signing Certificate Private Key Storage require you to enable CyberArk Advanced Key Protect. Perform the following steps to do this:

<Steps>
  <Step>
    Open the **CyberArk Configuration Console** application.
  </Step>

  <Step>
    Select **\[ Enable CyberArk Advanced Key Protect... ]** in the **Actions** panel.
  </Step>

  <Step>
    Enter the local master admin username and password and select **\[ OK ]**.
  </Step>

  <Step>
    Review the information in the following dialog and select **\[ Enable ]** to proceed.
  </Step>

  <Step>
    Perform the following steps to restart the IIS, Venafi Platform, and Logging services:

    1. Select the **Product** node.
    2. Select **Website** and then select **\[ Restart ]** in the **Actions** panel.
    3. Select **Venafi Platform** and then select **\[ Restart ]** in the **Actions** panel.
    4. Select **Logging** and then select **\[ Restart ]** in the **Actions** panel.
  </Step>
</Steps>

## Generate HSM Private Key

CyberArk Trust Protection Foundation uses the CryptoHub for private key generation for SSH keys and certificates.

<Note>
  CyberArk Trust Protection Foundation uses Certificate Authority (CA) template objects to manage the certificate life cycle. Creating one is a prerequisite to HSM Key Generation. See Venafi documentation for more information.
</Note>

### Configure the Venafi platform policy

Perform the following steps to configure the Venafi platform policy to enable the CryptoHub for HSM key generation:

<Steps>
  <Step>
    Log in to the admin console: `https://[IP_address_of_Venafi_TPP]/vedadmin`
  </Step>

  <Step>
    Select **Policy Tree** in the main menu at the top of the page.
  </Step>

  <Step>
    In the **Policy : Certificate** window, go to the **Certificate** tab.
  </Step>

  <Step>
    Under **Other Information**, perform the following steps:

    1. Select the name of the **HSM Connector** you created for the CryptoHub in the **Key Generation** drop-down menu.
    2. Select the name of the **HSM-Protected Encryption Key** you created on the CryptoHub.
  </Step>

  <Step>
    Select **\[ Save ]** at the bottom of the page.
  </Step>
</Steps>

### Generate the certificate

Perform the following steps to generate the certificate:

<Steps>
  <Step>
    Select **Policy Tree** in the main menu at the top of the page.
  </Step>

  <Step>
    On the left-side menu, select **\[ Add ]** under the **Policy** drop-down menu and select **Certificates** > **Certificate**.
  </Step>

  <Step>
    Under **General Information**, enter the required information, and for **Management Type**, select **Provisioning** or **Enrollment**.
  </Step>

  <Step>
    Under **CSR Handling**, leave **Service Generated CSR** selected for **CSR Generation,** and leave **Generate Key/CSR on Application** set to `No`.
  </Step>

  <Step>
    Under **Subject DN**, enter the required information.
  </Step>

  <Step>
    Under **Private Key**, select the **Key Algorithm** to use and the desired **Key Strength** in bits.
  </Step>

  <Step>
    Under **Other Information**, search for and select the previously configured **CA Template**.
  </Step>

  <Step>
    Select **\[ Save ]**.
  </Step>

  <Step>
    Select the newly generated certificate from the policy tree.

    <Check>
      The Certificate Status should be OK.
    </Check>
  </Step>

  <Step>
    Select **\[ Renew Now ]**.

    <Check>
      The Certificate Status changes to Queued for renewal.
    </Check>
  </Step>

  <Step>
    After a moment, select **\[ Refresh ]** to show the certificate details in the window.
  </Step>

  <Step>
    If you selected **Provisioning** as the **Management Type**, associate the certificate with the intended application object.
  </Step>
</Steps>

## Configure code signing

CyberArk CodeSign Protect can store private code signing keys in the CryptoHub. This section describes the basic steps to configure this functionality for the integration. See Venafi documentation for more details.

<Note>
  Certificate Authority (CA) template objects are used in CyberArk Trust Protection Foundation to manage the certificate lifecycle. Creating one is a prerequisite to CodeSign. See Venafi documentation for more information.
</Note>

<Note>
  To use an HSM for key storage, you must enable Key Storage on the HSM Connector.
</Note>

### Assign permissions

Perform the following steps to assign permissions to a Code Signing administrator:

<Steps>
  <Step>
    Open the **CyberArk Configuration Console** application.
  </Step>

  <Step>
    Select the **System Roles** node.
  </Step>

  <Step>
    Select **\[ Add CodeSign Protect Administrator ]** in the **Actions** panel.
  </Step>

  <Step>
    Select a user to grant **CodeSign Protect Administrator** permissions.
  </Step>
</Steps>

### Create a Code Signing flow

Perform the following steps to create a Code Signing flow:

<Steps>
  <Step>
    Open the **CyberArk Configuration Console** application.
  </Step>

  <Step>
    Under the **Code Signing** node, select **Custom Flows**.
  </Step>

  <Step>
    Select **Add new Code Signing Flow** in the **Actions** panel.
  </Step>

  <Step>
    Enter a name for the Code Signing Flow.
  </Step>

  <Step>
    Select the newly created Code Signing Flow and add an approver through the **Actions** panel.
  </Step>
</Steps>

### Create an environment template

Perform the following steps to create an environment template for the Code Signing Project:

<Steps>
  <Step>
    Open the **CyberArk Configuration Console** application.
  </Step>

  <Step>
    Under the **Code Signing** node, select **Environment Templates**.
  </Step>

  <Step>
    Select **Certificate** in the **Actions** panel under **Add Single Template**.
  </Step>

  <Step>
    Enter a name for the **Code Signing Environment Template** and select **\[ Create ]**.
  </Step>

  <Step>
    In the **Settings** tab of the **Properties** window, enter a **Description** and select a **Certificate Container** and **Signing Flow**.
  </Step>

  <Step>
    Go to the **Certificate Authority** tab and select a **CA Template**, and select **\[ Add ]**.
  </Step>

  <Step>
    Go to the **Keys** tab and select which key sizes to enable for **RSA** and **Elliptic Curve** keys.
  </Step>

  <Step>
    Open the **Key Storage** tab and select the **Futurex HSM Connector**, and select **\[ Add ]**.
  </Step>

  <Step>
    Enter any optional information in the remaining tabs, and select **\[ OK ]**.
  </Step>
</Steps>

### Create a Code Signing Project

Perform the following steps to create a new Code Signing Project:

<Steps>
  <Step>
    Log in to Aperture: `https://[IP_address_of_Venafi_TPP]/aperture/codesign`
  </Step>

  <Step>
    Select **Projects** in the main menu at the top of the page.
  </Step>

  <Step>
    Select **\[ Create Project ]**.
  </Step>

  <Step>
    Enter a **Project Name** and **Description**.
  </Step>

  <Step>
    Select **\[ Create ]**.
  </Step>
</Steps>

### Create an environment

Perform the following steps to create an environment for the project with a new HSM private key and certificate:

<Steps>
  <Step>
    Inside the newly created Code Signing Project, go to the **Environments** tab and select **Add Environment** > **Certificate & Key**.
  </Step>

  <Step>
    Enter the **Environment Name**.
  </Step>

  <Step>
    Select the **Environment Template** you created for this Code Signing project.
  </Step>

  <Step>
    For **Creation Type**, select **Create New**.

    <Check>
      The Key Storage Location should now list the Futurex HSM Connector.
    </Check>
  </Step>

  <Step>
    Enter any other necessary information for the certificate.
  </Step>

  <Step>
    Select **\[ Save ]**.
  </Step>

  <Step>
    Select **\[ Submit For Approval ]** to generate a new certificate and private key once it is approved.
  </Step>
</Steps>

### Approve the Project

Perform the following steps to approve the Project:

<Steps>
  <Step>
    Log in to Aperture: `https://[IP_address_of_Venafi_TPP]/aperture/codesign`
  </Step>

  <Step>
    Select **Approvals** in the main menu at the top of the page.
  </Step>

  <Step>
    Under **Pending Approvals**, select the Project Creation request you just submitted.
  </Step>

  <Step>
    Select **\[ Approve ]**.

    <Check>
      Go back to the project, and in the Environments tab, you should see a Certificate & Key in Hardware (such as the CryptoHub).
    </Check>
  </Step>
</Steps>
