Install Futurex PKCS #11 (FXPKCS11) on the machine where you installed the third-party application. Select one of the following operating systems and perform the instructions:Documentation Index
Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
Use this file to discover all available pages before exploring further.
Windows
Perform the following instructions to install FXPKCS11 on Windows:Extract the Endpoint zip file downloaded in your browser after deploying the service in CryptoHub. The zip file contains the following files:
| File | Description |
|---|---|
PKCS11Manager.exe | Program to test the connection to the CryptoHub and perform basic functions through the FXPKCS11 module, such as logging in and generating random data. |
ca-chain.pem | CA certificate bundle |
client-cert.pem | Client TLS certificate |
client.p12 | Full Client PKI in encrypted PKCS #12 format (contains the CA chain, client certificate, and client private key) |
configTest.exe | Program to test the configuration and connection to the CryptoHub |
fxpkcs11.cfg | Configuration file for the Futurex PKCS #11 library |
fxpkcs11.dll | The Futurex PKCS #11 library file. |
CryptoHub <number>.cer | Auto-generated self-signed CA certificate used to issue client endpoint TLS certs (number is random) |
Futurex Test Root CA (ECC).cer or Futurex Test Root SSL CA.cer | Futurex Test Root CA for embedded Futurex Test TLS certs (ECC or RSA, based on the algorithm configured for the connection pair) |
Move all of the preceding FXPKCS11 files to
C:\Program Files\Futurex\fxpkcs11. Create the Futurex\fxpkcs11 directory as an administrator.The Futurex PKCS #11 module expects to find the FXPKCS11 configuration file (
fxpkcs11.cfg) in the C:\Program Files\Futurex\fxpkcs11 directory by default. If you want to store the config elsewhere, set the FXPKCS11_CFG environment variable to the full path of the config file. Ensure the TLS files referenced in the config are also in the same directory.Configure secrets (recommended: use an environment variable for the PKCS #12 password).PKCS #11 PIN
- Find it in
CRYPTO-OPR-PASSinsidefxpkcs11.cfg. - Copy the PIN to your clipboard, then comment out the
CRYPTO-OPR-PASSline. You will configure this PIN in Jarsigner in the next step.
-
Find it in
PROD-TLS-KEY-PASSinsidefxpkcs11.cfg. -
We recommend copying this password, then replacing the value in
fxpkcs11.cfgwithenv:PKCS11_P12. -
Set the machine-wide environment variable in an elevated Command Prompt (Run as Administrator):
ReplaceShell
safestwith the actual P12 password you copied to your clipboard.
Logs
- Default FxPKCS11 log location:
C:\Program Files\Futurex\fxpkcs11 - To customize, modify the
<LOG-FILE>definition infxpkcs11.cfg.
Quick validation (recommended)Validate config and connection:
- Run
configTest.exefromC:\Program Files\Futurex\fxpkcs11. - Confirm the connection test succeeds.
- If it fails, check the FxPKCS11 log file (see “Logs” above) and verify the PKCS #12 password and TLS materials are in the expected locations.
- Run
PKCS11Manager.exefromC:\Program Files\Futurex\fxpkcs11. - Confirm you can authenticate and perform a simple action (e.g., generate random data).
- If authentication fails, verify the PKCS #11 PIN is correct. To update the PKCS #11 PIN, log in to the CryptoHub dashboard, navigate to the Identity and Access menu, and select the Applications & Partitions tab. Find the application you deployed, and in the Manage section, select the Authentication button. This opens a dialog where you can change the PIN/password for the endpoint.
Linux
Perform the following instructions to install FXPKCS11 on Linux:Extract the zip file downloaded from CryptoHub. The zip file contains the following files:
| File | Description |
|---|---|
PKCS11Manager | Program to test the connection to the CryptoHub and perform basic functions through the FXPKCS11 module, such as logging in and generating random data. |
ca-chain.pem | CA certificate bundle |
client-cert.pem | Client TLS certificate |
client.p12 | Full Client PKI in encrypted PKCS #12 format (contains the CA chain, client certificate, and client private key) |
configTest | Program to test the configuration and connection to the CryptoHub |
fxpkcs11.cfg | Configuration file for the Futurex PKCS #11 library |
libfxpkcs11.so | The Futurex PKCS #11 library file. |
CryptoHub <number>.cer | Auto-generated self-signed CA certificate used to issue client endpoint TLS certs (number is random) |
Futurex Test Root CA (ECC).cer or Futurex Test Root SSL CA.cer | Futurex Test Root CA for embedded Futurex Test TLS certs (ECC or RSA, based on the algorithm configured for the connection pair) |
Move all the preceding files to one of the following locations:
- To make the FXPKCS11 library accessible system-wide, use sudo to move the files to the
/usr/local/lib/fxpkcs11directory. - To make the FXPKCS11 library accessible only for the current user, move the files to the
$HOME/lib/fxpkcs11directory.
Use the following command to move Alternatively, store the config elsewhere and set FXPKCS11_CFG. Ensure the TLS files listed above are also placed in the same directory as the config file:
fxpkcs11.cfg and the TLS files to /etc:Shell
Shell
Configure secrets (recommended: use an environment variable for the PKCS #12 password).PKCS #11 PIN
- Find it in
CRYPTO-OPR-PASSinsidefxpkcs11.cfg. - Copy the PIN to your clipboard, then comment out the
CRYPTO-OPR-PASSline. You will configure this PIN in Jarsigner in the next step.
-
Find it in
PROD-TLS-KEY-PASSinsidefxpkcs11.cfg. -
We recommend copying this password, then replacing the value in
fxpkcs11.cfgwithenv:PKCS11_P12. -
Set
PKCS11_P12system-wide (RHEL or Debian/Ubuntu) by creating:Contents:ShellReplace/etc/profile.d/fxpkcs11.shsafestwith the actual P12 password you copied to your clipboard.
Logs
- Default FxPKCS11 log location: the current directory (i.e., the same directory as
fxpkcs11.cfg) - To customize, modify the
<LOG-FILE>definition infxpkcs11.cfg.
Quick validation (recommended)Validate config and connection:
- Run
configTestand confirm the connection test succeeds. - If it fails, check the FxPKCS11 log file (see “Logs” above) and verify:
fxpkcs11.cfgpath (default:/etc/fxpkcs11.cfg), orFXPKCS11_CFGif overriddenclient.p12and.cerfiles are in the same directory asfxpkcs11.cfgPKCS11_P12is set correctly (start a new shell and run:echo "$PKCS11_P12")
- Run
PKCS11Managerand confirm you can authenticate and perform a simple action (e.g., generate random data). - If authentication fails, verify the PKCS #11 PIN is correct. To update the PKCS #11 PIN, log in to the CryptoHub dashboard, navigate to the Identity and Access menu, and select the Applications & Partitions tab. Find the application you deployed, and in the Manage section, select the Authentication button. This opens a dialog where you can change the PIN/password for the endpoint.
The PKCS #11 PIN is located in the For PKCS #11 integrations, the PIN is always configured in Jarsigner rather than in the FXPKCS11 configuration file.
<CRYPTO-OPR-PASS> parameter in fxpkcs11.cfg. Copy this PIN value to your clipboard — you will need to paste it into Jarsigner in the next step.After copying the PIN, comment out the <CRYPTO-OPR-PASS> line in fxpkcs11.cfg:fxpkcs11.cfg