> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Install Futurex PKCS #11

> Step-by-step guide to install Futurex PKCS #11 on the application host machine.

Install **Futurex PKCS #11 (FXPKCS11)** on the machine where you installed the application with which you are integrating.

## Linux

Perform the following steps to install **FXPKCS11** on Linux:

<Steps>
  <Step>
    Extract the Endpoint zip file downloaded from CryptoHub. The zip file contains the following files:

    <table>
      <thead>
        <tr>
          <th><code>PKCS11Manager</code></th>
          <th>Program to test the connection to the CryptoHub and perform basic functions through the <strong>FXPKCS11</strong> module, such as logging in and generating random data.</th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><code>ca-chain.pem</code></td>
          <td>CA certificate bundle</td>
        </tr>

        <tr>
          <td><code>client-cert.pem</code></td>
          <td>Client TLS certificate</td>
        </tr>

        <tr>
          <td><code>client.p12</code></td>
          <td>Full Client PKI in encrypted PKCS #12 format (contains the CA chain, client certificate, and client private key)</td>
        </tr>

        <tr>
          <td><code>configTest</code></td>
          <td>Program to test the configuration and connection to the CryptoHub </td>
        </tr>

        <tr>
          <td><code>fxpkcs11.cfg</code></td>
          <td>Configuration file for the Futurex PKCS #11 library</td>
        </tr>

        <tr>
          <td><code>libfxpkcs11.so</code></td>
          <td>The Futurex PKCS #11 library file.</td>
        </tr>

        <tr>
          <td><code>CryptoHub \<number>.cer</code></td>
          <td>Auto-generated self-signed CA certificate used to issue client endpoint TLS certs (number is random)</td>
        </tr>

        <tr>
          <td><code>Futurex Test Root CA (ECC).cer</code> or <code>Futurex Test Root SSL CA.cer</code></td>
          <td>Futurex Test Root CA for embedded Futurex Test TLS certs (ECC or RSA, based on the algorithm configured for the connection pair)</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Move all the preceding files to one of the following locations:

    * To make the **FXPKCS11** library accessible system-wide, use sudo to move the files to the `/usr/local/lib/fxpkcs11` directory.
    * To make the **FXPKCS11** library accessible only for the current user, move the files to the `$HOME/lib/fxpkcs11` directory.

    <Warning>
      IMPORTANT

      The Futurex PKCS #11 module expects `fxpkcs11.cfg` in the `/etc` directory by default. The config references the following files by relative path, so they must all be in the same directory as `fxpkcs11.cfg`:

      * `client.p12`
      * `CryptoHub <number>.cer`
      * `Futurex Test Root CA (ECC).cer` or `Futurex Test Root SSL CA.cer`
    </Warning>
  </Step>

  <Step>
    Use the following command to move `fxpkcs11.cfg` and the TLS files to `/etc`:

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo mv fxpkcs11.cfg client.p12 CryptoHub*.cer Futurex*.cer /etc/
    ```

    Alternatively, store the config elsewhere and set **FXPKCS11\_CFG**. **Ensure the TLS files listed above are also placed in the same directory as the config file:**

    ```shell expandable lines wrap title="Shell" theme={null}
    export FXPKCS11_CFG=/path/to/your/fxpkcs11.cfg
    ```
  </Step>
</Steps>

<Note>
  You can find the PKCS11 PIN in the `<CRYPTO-OPR-PASS>` parameter in the Futurex PKCS #11 configuration file (`fxpkcs11.cfg`).

  For PKCS #11 integrations that enable you to define the PKCS11 PIN inside the integrating application, we recommend removing the `<CRYPTO-OPR-PASS>` line from the FXPKCS11 configuration file.
</Note>
