Skip to main content
After deploying the Microsoft IIS service in CryptoHub (Deploy the Microsoft IIS service), add a client endpoint to it and install the FXCL CNG provider on the IIS server.
Add the endpoint to the Microsoft IIS service you deployed, which drives the libfxcl-cng.dll install. Set the endpoint’s Platform to Windows (64-bit; choose Windows32 only for a 32-bit host). The endpoint supports either ApiKey or TlsBundle authentication; use whichever your deployment standardizes on.

Deploy client endpoint

1
Go to the Endpoints menu inside the service you deployed.
2
In the Manage Endpoints menu, select [ Add New ].
3
In the Add Endpoint dialog:
  • Enter a Name for the endpoint.
  • Leave the value set to the CryptoHub Hostname that auto-populates.
  • Select Platform: Windows.
  • Select the authentication type your deployment uses (ApiKey or TlsBundle).
4
Select [ Add Endpoint ].The browser should prompt you to download a zip file containing the FXCL CNG module and a configuration file pre-configured to connect to your CryptoHub instance. Install it on the IIS server using the steps in the next section.

Install FXCL CNG

1
Extract the zip file downloaded in your browser after deploying the service in CryptoHub.
2
Go to the extracted directory, which contains the following files:
  • libfxcl-cng.dll
  • fxcl-cng-install.exe
  • fxcl-cng-uninstall.exe
  • config.json (JSONC; contains comments, so do not lint it as strict JSON)
  • client.p12
  • client-cert.pem
  • ca0.crtcaN.crt, ca-chain.pem
3
Run fxcl-cng-install.exe from an elevated prompt to install and register the provider. Options: -Name (provider name, default Futurex FXCL KMES CNG), -Path (module, default libfxcl-cng.dll), -Overwrite, -Top.
The installer copies only libfxcl-cng.dll into System32. It does not copy the configuration bundle. Until the rest of the extracted files are present at C:\Program Files\Futurex\fxcl\kmes\cng, certutil -csplist reports “An internal consistency check failed” for the provider. As an administrator, create C:\Program Files\Futurex\fxcl\kmes\cng and copy the full extracted bundle (config.json, client.p12, ca*.crt, ca-chain.pem, and the DLL) into it, then re-check.

Verify the provider is installed

Confirm the provider is installed and CryptoHub is reachable:
PowerShell
The output should list:
If instead you see Futurex FXCL KMES CNG: An internal consistency check failed, the configuration bundle is not yet in C:\Program Files\Futurex\fxcl\kmes\cng. See the warning in the install step above. After placing it, certutil -csplist shows a clean Loading Futurex Provider. line.If the provider loads but reports NTE_DEVICE_NOT_READY for an unrelated provider (such as the Microsoft Smart Card Key Storage Provider), that error refers to the smart card provider and can be ignored.

Confirm the provider reaches the CryptoHub

certutil -csplist only proves the module loaded. Confirm a live appliance round-trip before proceeding. Set log_level to traffic in config.json first (see Configure the log file location), then run:
PowerShell
The command output ends with CertUtil: -csptest command completed successfully.. The real proof is that C:\Program Files\Futurex\fxcl\kmes\cng\fxcl.log shows a mutual-TLS handshake to your CryptoHub on port 2001 and a live command exchange, for example:
The BC field echoes the appliance version, confirming the provider is talking to your CryptoHub.
With log_level: traffic, fxcl.log records the API key (a JWAPI: token) in every [Send] line. Mask these before sharing logs, and set log_level back to info for production.