> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Generating certificates in CryptoHub

> Generate root CA and leaf certificates in CryptoHub.

In this section, we will log in to CryptoHub, create an X.509 Certificate Container, generate a root CA, and issue a leaf certificate.

## Log in to the CryptoHub web UI

<Steps>
  <Step>
    Go to the hostname or IP address of the CryptoHub web UI in your browser.
  </Step>

  <Step>
    Log in with your administrator users.
  </Step>
</Steps>

## Create an X.509 Certificate Container

<Steps>
  <Step>
    Go to **PKI and CA** > **Certificate Management**.
  </Step>

  <Step>
    Select **\[ Add CA ]**.
  </Step>

  <Step>
    In the **X.509 Certificate Container** creation dialog, configure the following settings:

    * **Name: Windows Certificate Store**
    * **Host:** **None**
    * **Type: X.509**
    * **Owner group:** Select the Windows Certificate Store role created for the service
  </Step>
</Steps>

## Generate a root CA certificate

<Steps>
  <Step>
    Right-click the certificate container you created and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    Configure the following **Subject DN** settings:

    * **Preset: Classic**
    * **Common Name: Root**
  </Step>

  <Step>
    Configure the following **Basic Info** settings:

    * **Profile:** Select **Certificate Authority**
  </Step>

  <Step>
    Select **\[ OK ]**.
  </Step>
</Steps>

## Issue a leaf certificate

<Steps>
  <Step>
    Right-click the **Root** CA certificate and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    Configure the following **Subject DN** settings:

    * **Preset: Classic**
    * **Common Name: Leaf**
  </Step>

  <Step>
    Configure the following **Basic Info** settings:

    * Leave the fields set to the default values.
  </Step>

  <Step>
    Configure the following **V3 Extensions** settings:

    * **Profile:** Select **TLS Client Certificate**
  </Step>

  <Step>
    Select **\[ OK ]**.
  </Step>
</Steps>

## Export the certificates

<Steps>
  <Step>
    Right-click the **Root** CA certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    Change **Encoding** to **PEM** and select **\[ Browse ]**.
  </Step>

  <Step>
    Specify a filename for web transfer (e.g., `leaf-cert.pem`) and select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to initiate the export.
  </Step>

  <Step>
    When prompted, save the certificate file.
  </Step>

  <Step>
    Repeat steps 1-5 for the **Leaf** certificate.
  </Step>
</Steps>

## Assign names to the private keys

<Steps>
  <Step>
    Go to **Key Management** > **Key Database**.
  </Step>

  <Step>
    Right-click the **Leaf** key pair in the **Keys** section and select **Edit**.
  </Step>

  <Step>
    Under **Key Settings**, enter "Leaf" in the **Name** field and select **\[ OK ]** to save.
  </Step>

  <Step>
    Right-click the **Root** key pair in the **Keys** section and select **Edit**.
  </Step>

  <Step>
    Under **Key Settings**, enter "Root" in the **Name** field and select **\[ OK ]** to save.
  </Step>
</Steps>

## Give the Windows Certificate Store role permissions to use the private keys

<Steps>
  <Step>
    Go to **Key Management** > **Key Database**.
  </Step>

  <Step>
    Right-click the **Leaf** key pair in the **Keys** section and select **Permission**.
  </Step>

  <Step>
    Select **Service - Windows Certificate Store** in the dropdown menu and select **\[ Add ]**.
  </Step>

  <Step>
    Grant the **Use** permission and select **\[ Save ]**.
  </Step>

  <Step>
    Repeat steps 1-4 for the **Root** key pair.
  </Step>
</Steps>
