In this section, we’ll import the client certificate, client private key, and CA certificate into an X.509 Certificate Container on the CryptoHub using the futurex.p12 file generated in Edit the Client Profile. If you do not have this file, complete that section before continuing.

Import the client PKCS #12 into the CryptoHub

In this sub-section, we’ll import the PKCS #12 file containing the CA certificate, client certificate, and client private key into the CryptoHub.
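
Before starting the import, it is worth confirming that the bundle really holds the three objects this sub-section expects and that they belong together. The script below is an added example, not part of the Futurex documentation; it uses the OpenSSL command line, and the function names and the P12_PASS environment variable are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-import check of a PKCS #12 bundle with the OpenSSL CLI.
# The passphrase is read from the environment variable P12_PASS (assumed
# name) so that it does not appear on the command line.

# Count lines matching PATTERN in the output of "openssl pkcs12 ARGS...".
p12_count() {
    file=$1; pattern=$2; shift 2
    openssl pkcs12 -in "$file" -passin env:P12_PASS "$@" 2>/dev/null \
        | grep -c -- "$pattern" || true
}

# check_p12 FILE: return 0 only if the bundle holds one private key, one
# client certificate that matches it, and a CA certificate that issued it.
check_p12() {
    p12=$1
    tmp=$(mktemp -d) || return 2

    keys=$(p12_count "$p12" '-BEGIN.*PRIVATE KEY-' -nocerts -nodes)
    clients=$(p12_count "$p12" '-BEGIN CERTIFICATE-' -clcerts -nokeys)
    cas=$(p12_count "$p12" '-BEGIN CERTIFICATE-' -cacerts -nokeys)
    echo "private keys: $keys, client certs: $clients, CA certs: $cas"

    rc=0
    if [ "$keys" -ne 1 ] || [ "$clients" -ne 1 ] || [ "$cas" -lt 1 ]; then
        echo "FAIL: expected 1 key, 1 client certificate, at least 1 CA certificate"
        rc=1
    else
        # Certificates are public, so they may touch disk; the key never does.
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
            -out "$tmp/client.pem" 2>/dev/null
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys \
            -out "$tmp/ca.pem" 2>/dev/null
        cert_pub=$(openssl x509 -in "$tmp/client.pem" -noout -pubkey)
        key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
            2>/dev/null | openssl pkey -pubout 2>/dev/null)
        if [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: private key does not match the client certificate"; rc=1
        elif ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/client.pem" >/dev/null 2>&1; then
            echo "FAIL: client certificate does not chain to the bundled CA"; rc=1
        fi
    fi
    rm -rf "$tmp"
    return $rc
}
```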

Create an Approval Group

1. Log in to the CryptoHub with your administrator identities.
2. Go to PKI and CA > PKI Signing Approvals.
3. Select [ Add Approval Group ].
4. Enter a name for the Approval Group and select [ OK ].
5. Right-click the new Approval Group and select Permission.
6. In the dropdown menu towards the top of the dialog box, select Service - OpenVPN, then click [ Add ].
7. Grant the Use permission to the OpenVPN service, then click [ Save ].

Create an X.509 Certificate Container

1. Go to PKI and CA > Certificate Management.
2. Select [ Add CA ] at the bottom.
3. In the Certificate Container creation dialog:
  • Name: Enter a name for the Certificate Container, such as “OpenVPN”.
  • Host: None
  • Type: X.509
  • Owner Group: Select the OpenVPN FXPKCS11 role.
4. Select [ OK ].

Enable the option to allow importing certificates using passwords

Before importing the PKCS #12 file created above with OpenSSL, it is necessary to enable an option on the CryptoHub to allow importing certificates using passwords.

1. Go to Classic Tools > Administration > Configuration Tasks > Options.
2. In the Main tab of the Options menu, select the Allow import of certificates using passwords checkbox.
3. Select [ Save ].

Import the PKCS #12 file into the X.509 Certificate Container

1. Go to PKI and CA > Certificate Management.
2. Right-click the X.509 Certificate Container you created above, and select Import > PKCS#12.
3. Click [ Browse ] and select your PKCS #12 file for import.
4. Select [ Next ].
5. Enter the password for the PKCS #12 file and select [ Next ].
6. Select [ Finish ].

Add an Issuance Policy to the client certificate

We must add an Issuance Policy to the client certificate so that the Futurex PKCS #11 library can find the certificate on the CryptoHub.

1. Go to PKI and CA > Certificate Management.
2. Right-click the client certificate in the tree (the one under the CA certificate) and select Issuance Policy > Add.
3. In the Basic Info tab:
  • Set Approvals to 0.
  A message will appear stating, “Zero approval policy requires Anonymous Signing security usage.” We’ll set this after creating the Issuance Policy.
4. In the X.509 tab:
  • Assign a Default approval group by clicking [ Select ], selecting the Approval Group you created above, and clicking [ OK ].
5. In the Object Signing tab:
  • Select the Allow object signing checkbox.
6. Select [ OK ].

Change security usage on the client certificate to allow Anonymous Signing

1. Go to PKI and CA > Certificate Management.
2. Right-click the client certificate and select Change Security Usage.
3. In the dropdown menu select Anonymous Signing.
4. Select [ OK ].