> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create client endpoints

> Create a client endpoint on CryptoHub to authorize the Nutanix cluster to connect to the KMIP service.

After downloading node CSRs from Prism Element, you need to create an equal number of client endpoints inside the Nutanix AOS service in CryptoHub. Endpoints are devices authorized to access the service. Use the Endpoints menu to view and manage these devices.

<Steps>
  <Step>
    Navigate to the **Endpoints** menu for the Nutanix AOS service you deployed.
  </Step>

  <Step>
    In the **Manage Endpoints** menu, select **\[ Add New ]**.
  </Step>

  <Step>
    In the **Add Endpoint** dialog:

    * Enter a **Name** for the endpoint. Use a descriptive name that helps you identify which node CSR this endpoint corresponds to (e.g. "nutanix-node-1", "nutanix-node-2", etc.).
    * Leave set the **CryptoHub Hostname** that is auto-populated.
  </Step>

  <Step>
    Select **\[ Add Endpoint ]**. The browser prompts you to download a zip file which contains the following files:

    | File                                                               | Description                                                                                                                           |
    | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
    | `ca-chain.pem`                                                     | CA certificate bundle                                                                                                                 |
    | `client-cert.pem`                                                  | Client TLS certificate                                                                                                                |
    | `credential.txt`                                                   | Contains the name of the identity CryptoHub created for Nutanix to use when connecting and authenticating via KMIP                    |
    | `info.txt`                                                         | Includes the service name and address for connecting to the CryptoHub                                                                 |
    | `pki.p12`                                                          | Full Client PKI in encrypted PKCS #12 format (contains the CA chain, client certificate, and client private key)                      |
    | `pki-password.txt`                                                 | Contains the password for the PKCS #12 file                                                                                           |
    | `CryptoHub <number>.cer`                                           | Auto-generated self-signed CA certificate used to issue client endpoint TLS certs (number is random)                                  |
    | `Futurex Test Root CA (ECC).cer` or `Futurex Test Root SSL CA.cer` | Futurex Test Root CA for embedded Futurex Test TLS certs (ECC or RSA, based on the algorithm configured for the KMIP connection pair) |
    | `<number>-Prod-App-Alt.cer`                                        | KMIP server TLS certificate (number is random)                                                                                        |
  </Step>
</Steps>

<Warning>
  Each client endpoint you create corresponds to one node CSR you downloaded from Prism Element. Therefore, you must create the same number of endpoints as CSRs. If you have three CSRs, create three endpoints. If you have four CSRs, create four endpoints, and so on. Keep track of which endpoint corresponds to which node CSR to avoid confusion when signing the CSRs in the next step.
</Warning>

<Note>
  After deploying the client endpoint, CryptoHub creates a Certificate Authority (CA) for the service. This CA is used in the next step to sign the per-node CSRs that Nutanix generates. The CA certificate is also uploaded to Nutanix to establish trust.
</Note>

<Note>
  The `Futurex Test Root CA (ECC).cer` or `Futurex Test Root SSL CA.cer` file from this zip is the KMIP server root CA certificate. You will need this file when configuring the Certificate Authority in Prism Element.
</Note>
