> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AD CS operations with FXCNG

> Procedural guide for performing common AD CS operations using FXCNG, such as signing certificates and managing access control.

This section covers AD CS operations with **FXCNG**.

## Enforce Windows Access Control on an HSM level

<Note>
  For this step, you must log in with an Identity that has a role with the Keys:All Slots permission. You can use the default Administrator role and Admin identities.
</Note>

The Futurex CNG library enables Windows to associate an Access Control List (ACL) with an HSM key slot. Windows updates this ACL during key pair generation and permission updates. To lock the ACL from changing, perform the following steps:

<Steps>
  <Step>
    Connect the Excrypt Manager application to the Vectera Plus HSM.
  </Step>

  <Step>
    Log in under dual control.
  </Step>

  <Step>
    Go to the **Key** **Management** page
  </Step>

  <Step>
    Select **Edit** **Key** **Storage**.
  </Step>

  <Step>
    Locate the board slot containing the **CNG** private key. The CNG provider logs this information during key pair generation.
  </Step>

  <Step>
    Check the **Immutable** security checkbox.
  </Step>

  <Step>
    Select **\[ Apply** **Changes ]**.
  </Step>
</Steps>

## View certificate store

Use the following command to view the CA certificate store. The LDAP URI varies depending on your organizational Active Directory domain (for example, `fx.futurex.com`) and CA name (for example, **fx-FXCA**).

```powershell expandable lines wrap title="Powershell" theme={null}
certutil -viewstore "ldap:///CN=fx-FXCA,CN=Certification Authorities,
CN=Public Key Services,CN=Services,CN=Configuration,DC=fx,
DC=futurex,DC=com?cACertificate?base?objectClass=certificationAuthority"
```

Between tests, you can choose to clear the certificate store by using a command similar to the following example:

```powershell expandable lines wrap title="Powershell" theme={null}
certutil -delstore "ldap:///CN=fx-FXCA,CN=Certification Authorities,
CN=Public Key Services,CN=Services,CN=Configuration,DC=fx,
DC=futurex,DC=com?cACertificate?base?objectClass=certificationAuthority" fx-FXCA
```

## Sign the certificate by using the HSM

The following steps demonstrate one way to test using the HSM to sign a certificate for the CA server.

<Steps>
  <Step>
    Open the **Certificate** **Manager** on the CA server
  </Step>

  <Step>
    Right-click **Personal** > **All** **Tasks** > **Request New Certificate**.
  </Step>

  <Step>
    In the **Certificate** **Enrollment** window, select **\[ Next ]**.
  </Step>

  <Step>
    On the **Certificate** **Enrollment** **Policy** page, choose a certificate enrollment service associated with the CA server, such as **Active Directory Enrollment Policy** for an Enterprise CA. Select **\[ Next ]**.
  </Step>

  <Step>
    On the **Request** **Certificates** page, choose a certificate template and select **\[ Enroll ]**.

    <Check>
      If the HSM connects, a success message displays.

      If the HSM is offline, you get an error.
    </Check>
  </Step>

  <Step>
    To locate the issued certificate, perform the following steps:

    1. Open the **Active Directory Certificate Authority** tool from the **Server Manager**.
    2. Expand the node associated with your CA common name.
    3. Select **Issued** **Certificates**.

    <Check>
      A certificate matching your request should display on this page.
    </Check>
  </Step>
</Steps>
