> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Install and configure FXCL CNG

> Deploy a client endpoint, install FXCL CNG, and verify the provider on the IIS server.

After deploying the **Microsoft IIS** service in CryptoHub ([Deploy the Microsoft IIS service](/Integrations/CryptoHub/TLS_offloading/Microsoft_IIS/Deploy_the_service)), add a client endpoint to it and install the FXCL CNG provider on the IIS server.

<Note>
  Add the endpoint to the **Microsoft IIS** service you deployed, which drives the
  `libfxcl-cng.dll` install. Set the endpoint's **Platform** to **Windows** (64-bit; choose
  `Windows32` only for a 32-bit host). The endpoint supports either **ApiKey** or **TlsBundle**
  authentication; use whichever your deployment standardizes on.
</Note>

## Deploy client endpoint

<Steps>
  <Step>
    Go to the **Endpoints** menu inside the service you deployed.
  </Step>

  <Step>
    In the **Manage Endpoints** menu, select **\[ Add New ]**.
  </Step>

  <Step>
    In the **Add Endpoint** dialog:

    * Enter a **Name** for the endpoint.
    * Leave the value set to the CryptoHub **Hostname** that auto-populates.
    * Select **Platform**: **Windows**.
    * Select the authentication type your deployment uses (**ApiKey** or **TlsBundle**).
  </Step>

  <Step>
    Select **\[ Add Endpoint ]**.

    The browser should prompt you to download a zip file containing the **FXCL CNG** module and a
    configuration file pre-configured to connect to your CryptoHub instance. Install it on the IIS
    server using the steps in the next section.
  </Step>
</Steps>

## Install FXCL CNG

<Steps>
  <Step>
    Extract the zip file downloaded in your browser after deploying the service in CryptoHub.
  </Step>

  <Step>
    Go to the extracted directory, which contains the following files:

    * `libfxcl-cng.dll`
    * `fxcl-cng-install.exe`
    * `fxcl-cng-uninstall.exe`
    * `config.json` (JSONC; contains comments, so do not lint it as strict JSON)
    * `client.p12`
    * `client-cert.pem`
    * `ca0.crt` … `caN.crt`, `ca-chain.pem`
  </Step>

  <Step>
    Run `fxcl-cng-install.exe` from an elevated prompt to install and register the provider.
    Options: `-Name` (provider name, default `Futurex FXCL KMES CNG`), `-Path` (module, default
    `libfxcl-cng.dll`), `-Overwrite`, `-Top`.

    <Warning>
      The installer copies **only `libfxcl-cng.dll`** into `System32`. It does **not** copy the
      configuration bundle. Until the rest of the extracted files are present at
      `C:\Program Files\Futurex\fxcl\kmes\cng`, `certutil -csplist` reports **"An internal
      consistency check failed"** for the provider. As an administrator, create
      `C:\Program Files\Futurex\fxcl\kmes\cng` and copy the full extracted bundle (`config.json`,
      `client.p12`, `ca*.crt`, `ca-chain.pem`, and the DLL) into it, then re-check.
    </Warning>
  </Step>
</Steps>

## Verify the provider is installed

Confirm the provider is installed and CryptoHub is reachable:

```powershell expandable lines wrap title="PowerShell" theme={null} theme={null}
certutil -csplist
```

<Check>
  The output should list:

  ```text theme={null} theme={null}
  Provider Name: Futurex FXCL KMES CNG
  Loading Futurex Provider.
  ```

  If instead you see `Futurex FXCL KMES CNG: An internal consistency check failed`, the
  configuration bundle is not yet in `C:\Program Files\Futurex\fxcl\kmes\cng`. See the warning in
  the install step above. After placing it, `certutil -csplist` shows a clean `Loading Futurex
      Provider.` line.

  If the provider loads but reports `NTE_DEVICE_NOT_READY` for an unrelated provider (such as the
  Microsoft Smart Card Key Storage Provider), that error refers to the smart card provider and can
  be ignored.
</Check>

## Confirm the provider reaches the CryptoHub

`certutil -csplist` only proves the module loaded. Confirm a live appliance round-trip before proceeding. Set `log_level` to `traffic` in `config.json` first (see [Configure the log file location](/Integrations/CryptoHub/TLS_offloading/Microsoft_IIS/Configure_the_log_file_location)), then run:

```powershell expandable lines wrap title="PowerShell" theme={null} theme={null}
certutil -csptest -csp "Futurex FXCL KMES CNG"
```

<Check>
  The command output ends with `CertUtil: -csptest command completed successfully.`. The real
  proof is that `C:\Program Files\Futurex\fxcl\kmes\cng\fxcl.log` shows a mutual-TLS handshake to
  your CryptoHub on port 2001 and a live command exchange, for example:

  ```text theme={null} theme={null}
  INFO   <cryptohub-host>:2001 handshake successful.
  TRAFFIC [<cryptohub-host>:2001] [Send] [AOECHO;...]
  TRAFFIC [<cryptohub-host>:2001] [Recv] [AOECHO;...BC<version>;...PNCryptoHub;...]
  ```

  The `BC` field echoes the appliance version, confirming the provider is talking to your
  CryptoHub.

  <Warning>
    With `log_level: traffic`, `fxcl.log` records the API key (a `JWAPI:` token) in every `[Send]`
    line. Mask these before sharing logs, and set `log_level` back to `info` for production.
  </Warning>
</Check>
