Add the endpoint to the Microsoft IIS service you deployed, which drives the
libfxcl-cng.dll install. Set the endpoint’s Platform to Windows (64-bit; choose
Windows32 only for a 32-bit host). The endpoint supports either ApiKey or TlsBundle
authentication; use whichever your deployment standardizes on.Deploy client endpoint
1
Go to the Endpoints menu inside the service you deployed.
2
In the Manage Endpoints menu, select [ Add New ].
3
In the Add Endpoint dialog:
- Enter a Name for the endpoint.
- Leave the value set to the CryptoHub Hostname that auto-populates.
- Select Platform: Windows.
- Select the authentication type your deployment uses (ApiKey or TlsBundle).
4
Select [ Add Endpoint ].The browser should prompt you to download a zip file containing the FXCL CNG module and a
configuration file pre-configured to connect to your CryptoHub instance. Install it on the IIS
server using the steps in the next section.
Install FXCL CNG
1
Extract the zip file downloaded in your browser after deploying the service in CryptoHub.
2
Go to the extracted directory, which contains the following files:
libfxcl-cng.dllfxcl-cng-install.exefxcl-cng-uninstall.execonfig.json(JSONC; contains comments, so do not lint it as strict JSON)client.p12client-cert.pemca0.crt…caN.crt,ca-chain.pem
3
Run
fxcl-cng-install.exe from an elevated prompt to install and register the provider.
Options: -Name (provider name, default Futurex FXCL KMES CNG), -Path (module, default
libfxcl-cng.dll), -Overwrite, -Top.Verify the provider is installed
Confirm the provider is installed and CryptoHub is reachable:PowerShell
The output should list:If instead you see
Futurex FXCL KMES CNG: An internal consistency check failed, the
configuration bundle is not yet in C:\Program Files\Futurex\fxcl\kmes\cng. See the warning in
the install step above. After placing it, certutil -csplist shows a clean Loading Futurex Provider. line.If the provider loads but reports NTE_DEVICE_NOT_READY for an unrelated provider (such as the
Microsoft Smart Card Key Storage Provider), that error refers to the smart card provider and can
be ignored.Confirm the provider reaches the CryptoHub
certutil -csplist only proves the module loaded. Confirm a live appliance round-trip before proceeding. Set log_level to traffic in config.json first (see Configure the log file location), then run:
PowerShell
The command output ends with The
CertUtil: -csptest command completed successfully.. The real
proof is that C:\Program Files\Futurex\fxcl\kmes\cng\fxcl.log shows a mutual-TLS handshake to
your CryptoHub on port 2001 and a live command exchange, for example:BC field echoes the appliance version, confirming the provider is talking to your
CryptoHub.
