Skip to main content
Verify that IIS serves HTTPS and that the TLS private key operation is performed in CryptoHub.
This is the critical verification for the entire integration. The handshake below is the first point at which Schannel, rather than certreq, drives the FXCL CNG provider.

Prerequisites

  • The client machine can reach the IIS server on port 443.
  • The issuing CA’s certificate is trusted on the client machine (imported into Trusted Root Certification Authorities, or the CA chains to an existing trusted root).

Option A: Verify from Linux

1
Perform a TLS handshake and inspect the presented certificate:
Bash
The output should show the certificate chain with your site certificate’s subject and the CA as issuer, and end with Verify return code: 0 (ok).
2
Confirm content is served over HTTPS:
Bash
The response returns the site content with HTTP/1.1 200 (or the site’s expected status).

Option B: Verify from Windows

1
Request the site over HTTPS:
PowerShell
The output shows StatusCode : 200 with no certificate trust errors.

Confirm the handshake used the CryptoHub

1
On the IIS server, check the FXCL log for the private key operation performed at handshake time:
PowerShell
With log_level set to traffic, the log shows a private key operation exchanged with the CryptoHub on port 2001, timestamped to the moment of the handshake. Expect a handshake to your CryptoHub followed by a private key (signing) command and its response, for example:
The key point is that a signing command reaches the CryptoHub at the moment IIS answers the client, which proves the private key operation ran in the HSM and not on the web server. Set log_level back to info for production after you confirm this. The exact command mnemonic Schannel drives can vary by CryptoHub build, so treat the lines above as representative rather than exact.
2
Correlate with the IIS access log to confirm the request was served:
PowerShell
An entry for your request exists with status 200 on port 443, matching the timestamp of the FXCL log activity. This confirms the full chain: the client completed a TLS handshake with IIS, and the server’s private key operation was performed in the CryptoHub HSM.