> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Prepare client and root certificates

> Generate a PKCS #12 client certificate with x509v3 extensions and export the root CA certificate for the Hitachi VSP KMIP integration.

The Hitachi VSP requires a **PKCS #12 client certificate with x509v3 extensions** and a **root CA certificate in X.509 format**. The client certificate must be signed by a CA trusted by the CryptoHub. Follow the steps below to generate and prepare these certificates.

<Warning>
  The client certificate **must include x509v3 extensions**. Certificates without these extensions will be silently rejected by the VSP. Ensure your OpenSSL configuration includes `req_extensions` and `x509_extensions` sections.
</Warning>

## Generate a private key and CSR

<Steps>
  <Step>
    On the SVP or a management workstation with OpenSSL installed, generate a 2048-bit RSA private key:

    ```bash expandable lines wrap title="Bash" theme={null}
    openssl genrsa -out client.key 2048
    ```
  </Step>

  <Step>
    Create an OpenSSL configuration file (for example, `openssl-vsp.cnf`) that includes x509v3 extensions. At minimum, the configuration should include:

    ```text expandable lines wrap title="openssl-vsp.cnf" theme={null}
    [req]
    distinguished_name = req_dn
    req_extensions = v3_req

    [req_dn]
    commonName = Hitachi VSP

    [v3_req]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth
    ```
  </Step>

  <Step>
    Generate a CSR using the configuration file:

    ```bash expandable lines wrap title="Bash" theme={null}
    openssl req -new -key client.key -out client.csr -config openssl-vsp.cnf
    ```
  </Step>
</Steps>

## Sign the CSR on the CryptoHub

<Steps>
  <Step>
    Submit the `client.csr` to the CryptoHub's Certificate Authority for signing.
  </Step>

  <Step>
    The CryptoHub returns a signed client certificate (for example, `client.crt`) in PEM format.
  </Step>

  <Step>
    Export the **root CA certificate** (`cacert.pem`) from the CryptoHub. This is the CA certificate that the VSP will use to verify the CryptoHub's identity during the KMIP TLS handshake.

    <Note>
      If you deployed a client endpoint, the KMIP server root CA certificate (`Futurex Test Root CA (ECC).cer` or `Futurex Test Root SSL CA.cer`) is already included in the endpoint zip. You can use either that file or the exported `cacert.pem`.
    </Note>
  </Step>
</Steps>

## Convert the signed certificate to PKCS #12

<Steps>
  <Step>
    Convert the signed certificate and private key into PKCS #12 format:

    ```bash expandable lines wrap title="Bash" theme={null}
    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
    ```
  </Step>

  <Step>
    Set a password when prompted. You will need this password when importing the certificate into Storage Navigator.
  </Step>
</Steps>

<Check>
  After completing this step, you should have:

  * `client.p12` — Client certificate in PKCS #12 format (required by the VSP)
  * `cacert.pem` — CryptoHub root CA certificate in X.509 PEM format
</Check>
