Configure TLS authentication - Futurex Documentation

For this step, you need to log in with an identity that has a role with the following permissions: Keys:All Slots, Management Commands:Certificates, Management Commands:Keys, Security:TLS Sign, and TLS Settings:Upload Key. You can use the default Administrator role and Admin identities.

To configure TLS authentication, choose one of the following methods:

Enable server-side authentication.
Create connection certificates for mutual authentication.

We recommend option 2, mutual authentication.

Option 1 | Enable server-side authentication

We recommend mutually authenticating to the HSM using client certificates, but the Vectera Plus also supports server-side authentication. The following steps outline the process for enabling server-side authentication. Choose one of the following methods to enable server-side authentication: Excrypt Manager:

Go to the SSL/TLS Setup menu. Then, select the Excrypt Port in the Connection Pair drop-down list, check the Allow Anonymous box, and select [ Save ].

FXCLI:

Run the tls-ports set FXCLI command to enable server-side authentication with the Allow Anonymous SSL/TLS setting:

FXCLI

  tls-ports set -p "Excrypt Port" --anon

Option 2 | Create connection certificates for mutual authentication and generate a client keypair and CSR for Futurex CNG from a certreq policy file

As mentioned previously, we recommend mutually authenticating to the HSM by using client certificates, and the system enforces mutual authentication by default. The following example shows how to use FXCLI to generate a CA to sign the HSM server certificate and a Futurex CNG (FXCNG) client certificate. Then, it shows how to generate the client key pair and CSR by using the Windows certreq utility.

For this example, you must connect the computer running FXCLI to the front USB port of the HSM.
If you do not specify a file path for commands that create an output file, FXCLI saves the file to the current working directory.
Using user-generated certificates requires you to load a PMK on the HSM.
If you run help by itself, a full list of available commands displays. You can see the options for a command by running the command name followed by help.

Create and sign the CSRs

This section explains the necessary steps to generate a CSR from a certreq policy file on the computer where you installed the Futurex CNG. When you generate the CSR file, the system creates a public/private key pair in the Windows Certificate Store. Then, the section describes how to use FXCLI to issue a signed certificate from the CSR, which you later associate with the public/private key pair stored in the Windows Certificate Store.

Create a certreq policy file

Perform the following steps to create a certreq policy file:

On the computer where you installed the Futurex CNG, open a text editor.

Create a new file and copy and paste the following content into it:

None

[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=Microsoft ADCS"
Exportable = TRUE
KeyLength = 2048
MachineKeySet = TRUE

Save the file with the .inf extension (for example, certreq_policy.inf).

Generate a CSR

Perform the following steps to generate a CSR from the certreq policy INF file:

Open either Command Prompt or PowerShell.

Go to the directory with the certreq policy .inf file.

Run the following command to generate a CSR from the certreq policy .inf file:

Powershell

certreq -new -q -config "your.domain.com\Microsoft ADCS" certreq_policy.inf client.csr

Generate a key pair and CSR

Perform the following steps to generate a key pair and CSR for the Excrypt Port on the HSM:

Open the FXCLI prompt by running fxcli-hsm in a terminal.

Connect your laptop to the HSM through the USB port on the front, and run the following command:

FXCLI

  connect usb

Use the following command to log in with the default Admin1 and Admin2 identities. When prompted, enter the username and password. Run the command twice, once for each identity.

FXCLI

  login user

Generate a key pair and CSR for the Excrypt Port by using the following command:

FXCLI

  tls-ports request --pair "Excrypt Port" --file excrypt_port.csr --pki-algo RSA

Generate a keypair and certificate

Perform the following steps to generate a TLS CA keypair and certificate with FXCLI:

Open the FXCLI prompt by running fxcli-hsm in a terminal.

Connect your laptop to the HSM through the USB port on the front, and run the following command:

FXCLI

  connect usb

Log in with the default Admin1 and Admin2 identities. When prompted, enter the username and password. Run this command twice, once for each identity.

FXCLI

  login user

Generate a TLS CA key pair and store it in an available slot on the HSM.

FXCLI

  generate --algo RSA --bits 2048 --usage mak --name TlsCaKeyPair --slot next

Create a TLS CA certificate from the key pair you created in step 4.

FXCLI

  x509 sign \
      --private-slot TlsCaKeyPair \
      --key-usage DigitalSignature --key-usage KeyCertSign \
      --ca true --pathlen 0 \
      --dn 'O=Futurex\CN=Root' \
      --out TlsCa.pem

Sign the CSRs

Perform the following steps to sign the CSRs for the Excrypt Port and Futurex CNG:

Open the FXCLI prompt by running fxcli-hsm in a terminal.

Connect your laptop to the HSM through the USB port on the front, and run the following command:

FXCLI

  connect usb

Log in with the default Admin1 and Admin2 identities. When prompted, enter the username and password. Run the following command twice, once for each identity:

FXCLI

  login user

Sign the CSR for the Excrypt Port by using the CA you created in the previous section.

FXCLI

  x509 sign \
      --private-slot TlsCaKeyPair \
      --issuer TlsCa.pem \
      --csr excrypt_port.csr \
      --eku Server --key-usage DigitalSignature --key-usage KeyAgreement \
      --ca false \
      --dn 'O=Futurex\CN=Excrypt Port' \
      --out signed_excrypt_cert.pem

Push the signed server PKI to the Excrypt Port on the HSM.

FXCLI

  tls-ports set --pair "Excrypt Port" \
      --enable \
      --pki-source Generated \
      --clear-pki \
      --ca TlsCa.pem \
      --cert signed_excrypt_cert.pem \
      --no-anon

Restart the SSL2TCP processor to apply the changes made to the Excrypt Port connection pair.

FXCLI

  tls-ports restart

Sign the client CSR for Microsoft ADCS by using the CA you created in the previous section.

FXCLI

  x509 sign  \
   --private-slot TlsCaKeyPair \
   --issuer TlsCa.pem \
   --csr client.csr \
   --eku Client --key-usage DigitalSignature --key-usage KeyAgreement \
   --out signed_client_cert.pem

Create an association between the signed certificate and its corresponding key pair

This section explains the necessary steps to associate the signed Microsoft ADCS client TLS certificate with its corresponding private key in the Windows Certificate Store. Before making this association, you must import the CA certificate that issued the Microsoft ADCS client TLS certificate into the Trusted Root Certification Authorities Windows Certificate Store.

Import the CA certificate

Perform the following steps to import the CA certificate that issued the Microsoft ADCS client TLS certificate into the Trusted Root Certification Authorities store:

On the computer where you installed Futurex CNG, open the Manage computer certificates program.

Right-click the Trusted Root Certification Authorities store and select All Tasks> Import.

Follow the steps in the Certificate Import Wizard to import the TLS CA root certificate file.

If the import succeeds, you get a confirmation message.

Associate the signed certificate

Perform the following steps to associate the signed Microsoft ADCS certificate with its corresponding private key in the Windows Certificate Store:

Open either Command Prompt or PowerShell.

Go to the directory where you saved the signed Microsoft ADCS client TLS certificate file.

Run the following command to create an association between the signed Microsoft ADCS certificate and its corresponding key pair stored in your Windows account profile:

Powershell

certreq -accept -machine signed_client_cert.pem

If the command succeeds, information about the installed certificate displays.

Documentation Index

​Option 1 | Enable server-side authentication

​Option 2 | Create connection certificates for mutual authentication and generate a client keypair and CSR for Futurex CNG from a certreq policy file

​Create and sign the CSRs

​Create a certreq policy file

​Generate a CSR

​Generate a key pair and CSR

​Generate a keypair and certificate

​Sign the CSRs

​Create an association between the signed certificate and its corresponding key pair

​Import the CA certificate

​Associate the signed certificate

Option 1 | Enable server-side authentication

Option 2 | Create connection certificates for mutual authentication and generate a client keypair and CSR for Futurex CNG from a certreq policy file

Create and sign the CSRs

Create a certreq policy file

Generate a CSR

Generate a key pair and CSR

Generate a keypair and certificate

Sign the CSRs

Create an association between the signed certificate and its corresponding key pair

Import the CA certificate

Associate the signed certificate