This is the critical verification for the entire integration. The handshake below is the first
point at which Schannel, rather than
certreq, drives the FXCL CNG provider.Prerequisites
- The client machine can reach the IIS server on port 443.
- The issuing CA’s certificate is trusted on the client machine (imported into Trusted Root Certification Authorities, or the CA chains to an existing trusted root).
Option A: Verify from Linux
1
Perform a TLS handshake and inspect the presented certificate:
Bash
The output should show the certificate chain with your site certificate’s subject and the CA
as issuer, and end with
Verify return code: 0 (ok).2
Confirm content is served over HTTPS:
Bash
The response returns the site content with
HTTP/1.1 200 (or the site’s expected status).Option B: Verify from Windows
1
Request the site over HTTPS:
PowerShell
The output shows
StatusCode : 200 with no certificate trust errors.Confirm the handshake used the CryptoHub
1
On the IIS server, check the FXCL log for the private key operation performed at handshake time:
PowerShell
With The key point is that a signing command reaches the CryptoHub at the moment IIS answers the
client, which proves the private key operation ran in the HSM and not on the web server. Set
log_level set to traffic, the log shows a private key operation exchanged with the
CryptoHub on port 2001, timestamped to the moment of the handshake. Expect a handshake to
your CryptoHub followed by a private key (signing) command and its response, for example:log_level back to info for production after you confirm this. The exact command mnemonic
Schannel drives can vary by CryptoHub build, so treat the lines above as representative rather
than exact.2
Correlate with the IIS access log to confirm the request was served:
PowerShell
An entry for your request exists with status
200 on port 443, matching the timestamp of
the FXCL log activity. This confirms the full chain: the client completed a TLS handshake with
IIS, and the server’s private key operation was performed in the CryptoHub HSM.
