This section shows how to use FXCLI to perform the following tasks:
  1. Log in to the HSM.
  2. Create a new key pair on the Vectera Plus.
  3. Generate a CSR from that key pair.
  4. Create a CA on the HSM.
  5. Sign the CSR with that CA.

Log in to the HSM

Perform the following steps to connect and log in to the HSM through FXCLI:
  1. Run the FXCLI application.
  2. Configure the TLS certificates used for communication between FXCLI and the HSM by using the tls commands. Run tls help to see the syntax.
  3. Connect to the HSM. Replace hsm_ip with the address of your Vectera Plus; 9009 is the port used in this example:
       connect tcp --connect hsm_ip:9009
  4. Log in to the HSM with the default Admin1 and Admin2 identities by running the following command twice, entering the username and password of one identity at each prompt. Both logins are needed before the steps that follow will be accepted. The default identities are intended for initial setup; replace them with your own administrator identities before using the HSM in production:
       login user

Create a key pair

Perform the following steps to create a new key pair on the Vectera Plus:
  1. Create a new key pair in the next available key slot on the HSM, modifying the key usage values to match your requirements:
       generate --algo RSA --bits 2048 --name IgDemoKeyPair --usage sign,verify --slot next
  2. Confirm which key slot the private key was added to:
       keytable list
  3. Assign a PKCS11 label to the key. certutil needs this external data field to find the key in a later section, and the label value should match the name given to the key pair in the generate command. This example assumes keytable list showed the key in slot 0; use the slot number it actually reported:
       keytable extdata --slot 0 --p11-attr label --p11-value IgDemoKeyPair

Generate a CSR

Perform the following steps to generate a CSR:
  1. Generate a CSR from the key pair that was just created:
       x509 req --private-slot IgDemoKeyPair --out IgDemo.csr

Create a Certificate Authority

Perform the following steps to create a Certificate Authority:
  1. Create a new key pair in the next available key slot on the HSM:
       generate --algo RSA --bits 2048 --usage mak --name CaKeyPair --slot next
  2. Create a self-signed CA certificate from the new key pair. The --ca true and --pathlen 0 options mark it as a CA that can sign leaf certificates but not subordinate CAs:
       x509 sign --private-slot CaKeyPair --key-usage DigitalSignature --key-usage KeyCertSign --ca true --pathlen 0 --dn 'O=Futurex\CN=Root' --out Ca.pem
     Note that the CA certificate was output to a file called Ca.pem.
  3. Confirm which key slot the private key was added to:
       keytable list
  4. Assign a PKCS11 label to the key. certutil needs this external data field to find the key in a later section, and the label value should match the name given to the key pair in the generate command. This example assumes keytable list showed the key in slot 1; use the slot number it actually reported:
       keytable extdata --slot 1 --p11-attr label --p11-value CaKeyPair

Sign the CSR

Perform the following steps to sign the CSR by using the Certificate Authority:
  1. Sign the CSR with the CA you just created, modifying the key usage values to match your certificate requirements:
       x509 sign --csr IgDemo.csr --issuer Ca.pem --private-slot CaKeyPair --ca false --key-usage DigitalSignature --key-usage KeyEncipherment --key-usage DataEncipherment --key-usage KeyAgreement --eku Client --dn 'O=Futurex\CN=IG-Demo' --out IgDemo.pem
     Note that the signed leaf certificate was output to a file called IgDemo.pem.
     When choosing the key usage values, keep in mind that the keyAgreement bit defined in RFC 5280 applies to key-agreement keys such as (EC)DH and has no meaning for an RSA key like IgDemoKeyPair; for a TLS client certificate on an RSA key, DigitalSignature (plus KeyEncipherment where RSA key transport is needed) is the usual choice. IgDemoKeyPair was also generated with --usage sign,verify, so confirm that the usages asserted in the certificate are ones the key in that slot is allowed to perform.
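Before IgDemo.pem is handed to anything, it is worth checking the three files the procedure produced: that Ca.pem really is a CA permitted to sign, that IgDemo.pem chains to it and is usable for client authentication, that the leaf was not accidentally issued as a CA, and that the certificate binds exactly the public key from IgDemo.csr (the key sitting in IgDemoKeyPair's slot). The Go program below is an added example written for this page, not Futurex code and not FXCLI output. VerifyLeaf runs those checks on any PEM files; BuildDemoChain is a constructed software stand-in that produces equivalent files in memory with the same flags the page passes to x509 sign, so the example runs offline. The function names and the software-generated keys are assumptions of this example; on the Vectera Plus the private keys never leave the HSM, and in practice you would feed VerifyLeaf the real Ca.pem, IgDemo.csr and IgDemo.pem.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func toPEM(typ string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
}

// ParseCert parses one PEM-encoded certificate such as Ca.pem or IgDemo.pem.
func ParseCert(p []byte) (*x509.Certificate, error) {
	blk, _ := pem.Decode(p)
	if blk == nil || blk.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("not a PEM CERTIFICATE block")
	}
	return x509.ParseCertificate(blk.Bytes)
}

// BuildDemoChain is a constructed, software-only stand-in for the FXCLI steps
// above; it panics on failure because it is only a fixture. Two in-memory RSA
// keys play CaKeyPair and IgDemoKeyPair (on the Vectera Plus those private keys
// never leave their slots). It returns PEM equivalents of Ca.pem, IgDemo.csr
// and IgDemo.pem built with the same flags the page passes to x509 sign.
func BuildDemoChain() (caPEM, csrPEM, leafPEM []byte) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	now := time.Now().Add(-time.Minute)
	// --key-usage DigitalSignature --key-usage KeyCertSign --ca true --pathlen 0 --dn 'O=Futurex\CN=Root'
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(3650 * 24 * time.Hour),
		Subject:      pkix.Name{Organization: []string{"Futurex"}, CommonName: "Root"},
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 0, MaxPathLenZero: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	// x509 req --private-slot IgDemoKeyPair --out IgDemo.csr
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "IG-Demo"}}, leafKey)
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature()) // the CSR signature proves possession of IgDemoKeyPair
	// --ca false, the four --key-usage values from the page, --eku Client, --dn 'O=Futurex\CN=IG-Demo'
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		Subject:      pkix.Name{Organization: []string{"Futurex"}, CommonName: "IG-Demo"},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment |
			x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, BasicConstraintsValid: true,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, csr.PublicKey, caKey)
	check(err)
	return toPEM("CERTIFICATE", caDER), toPEM("CERTIFICATE REQUEST", csrDER), toPEM("CERTIFICATE", leafDER)
}

// VerifyLeaf runs the checks worth making on the files FXCLI wrote: Ca.pem is a
// CA allowed to sign, IgDemo.pem is not a CA, chains to Ca.pem and is accepted
// for client authentication, and certifies exactly the public key IgDemo.csr
// carried (the key in IgDemoKeyPair's slot, not some other key).
func VerifyLeaf(caPEM, csrPEM, leafPEM []byte) error {
	ca, err := ParseCert(caPEM)
	if err != nil {
		return fmt.Errorf("Ca.pem: %w", err)
	}
	leaf, err := ParseCert(leafPEM)
	if err != nil {
		return fmt.Errorf("IgDemo.pem: %w", err)
	}
	blk, _ := pem.Decode(csrPEM)
	if blk == nil || blk.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("IgDemo.csr: not a PEM CERTIFICATE REQUEST block")
	}
	csr, err := x509.ParseCertificateRequest(blk.Bytes)
	if err != nil {
		return fmt.Errorf("IgDemo.csr: %w", err)
	}
	// Go's Verify does not check KeyUsage or the root's cA flag, so do it explicitly.
	if !ca.IsCA || ca.KeyUsage&x509.KeyUsageCertSign == 0 || leaf.IsCA {
		return fmt.Errorf("Ca.pem must carry cA=true and KeyCertSign, and IgDemo.pem must not be a CA")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("IgDemo.pem does not chain to Ca.pem for client auth: %w", err)
	}
	want, err1 := x509.MarshalPKIXPublicKey(csr.PublicKey)
	got, err2 := x509.MarshalPKIXPublicKey(leaf.PublicKey)
	if err1 != nil || err2 != nil || !bytes.Equal(want, got) {
		return fmt.Errorf("IgDemo.pem does not certify the public key from IgDemo.csr")
	}
	return nil
}

func main() {
	ca, csr, leaf := BuildDemoChain()
	fmt.Println("IgDemo.pem verifies against Ca.pem:", VerifyLeaf(ca, csr, leaf) == nil)
}
```

To check real output from the HSM, read Ca.pem, IgDemo.csr and IgDemo.pem with os.ReadFile and pass the bytes to VerifyLeaf; a non-nil error names which of the checks failed. The public-key comparison is the one most easily overlooked: a certificate that chains correctly but was issued for a different key (for example because --private-slot pointed at the wrong slot at request time) is useless for IgDemoKeyPair, and nothing in the signing step itself catches that.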