> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Sign node CSRs on the CryptoHub

> Sign each Nutanix CVM node CSR using the CryptoHub Certificate Authority and export the signed certificates and CA certificate.

*Sign each per-node CSR from Nutanix using the CryptoHub Certificate Authority. Export the signed certificate/s — you will upload these to Prism Element in the next step.*

## Sign a node CSR

Repeat the following steps for each CSR file downloaded from Prism Element.

<Steps>
  <Step>
    In the CryptoHub web UI, go to **PKI and CA** > **Certificate Management**.
  </Step>

  <Step>
    Expand the **Client App TLS CA** X.509 Certificate Container and CryptoHub CA tree.
  </Step>

  <Step>
    For each node, locate the Nutanix certificate that CryptoHub generated when you deployed the client endpoints in the previous step. Record its name—you'll use it as the Common Name (CN) when issuing the node certificate from the CSR. Then delete the certificate, since the replacement you issue must reuse that exact name.
  </Step>

  <Step>
    Right-click the CryptoHub CA certificate and select **Add Certificate** > **From Request**.
  </Step>

  <Step>
    In the CSR dialog, click **Browse** and select the CSR file for the node you are signing.
  </Step>

  <Step>
    In the **Subject DN** tab, change the Common Name (CN) value to match the name of the certificate you noted earlier.
  </Step>

  <Step>
    In the **Basic Info** tab, leave all default values.
  </Step>

  <Step>
    In the **V3 Extensions** tab, select the **TLS Client Certificate** profile.
  </Step>

  <Step>
    Click **\[ OK ]** to issue the certificate.
  </Step>
</Steps>

Repeat these steps for every CSR file in the `csrs.zip` archive. Each CVM node requires a separately signed certificate.

## Export signed node certificate/s

Export each signed certificate individually in PEM format.

<Steps>
  <Step>
    Go to **PKI and CA** > **Certificate Management**.
  </Step>

  <Step>
    Expand the **Client App TLS CA** tree and locate a signed node certificate you issued.
  </Step>

  <Step>
    Right-click the certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    Set the encoding to **PEM**.
  </Step>

  <Step>
    Click **\[ Browse ]**, enter a filename that identifies the node (for example, `node1-signed.pem`), and click **\[ OK ]**.
  </Step>

  <Step>
    Click **\[ OK ]** to download the file.
  </Step>
</Steps>

Repeat for each signed node certificate. Keep track of which certificate corresponds to which CVM node — you will upload them individually in Prism Element.

<Note>
  The client endpoint zip you downloaded in the previous section contains the KMIP server root CA certificate (`Futurex Test Root CA (ECC).cer` or `Futurex Test Root SSL CA.cer`). Nutanix uses this certificate to validate the CryptoHub's identity during the mTLS handshake. You will upload it when configuring the Certificate Authority in Prism Element in the next section.
</Note>
