> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure TLS authentication

> Configure TLS authentication for secure HSM communication, including certificate creation and upload.

<Note>
  For this step, you must log in with an identity that has a role with the following permissions: Keys:All Slots, Management Commands:Certificates, Management Commands:Keys, Security:TLS Sign, and TLS Settings:Upload Key. You can use the default Administrator role and Admin identities.
</Note>

To configure TLS authentication, choose one of the following methods:

1. Enable server-side authentication.
2. Create connection certificates for mutual authentication.

We recommend option 2, mutual authentication.

## Enable server-side authentication

We recommend mutually authenticating to the HSM using client certificates, but the Vectera Plus also supports server-side authentication. The following steps outline the process for enabling server-side authentication.

Choose one of the following methods to enable server-side authentication:

### Excrypt Manager

To use Excrypt Manager to enable server-side authentication, go to the **SSL/TLS Setup** menu.

Then, select the **Excrypt Port** in the **Connection Pair** drop-down list, check the **Allow** **Anonymous** box, and select **\[ Save ]**.

### FXCLI

To use FXCLI to enable server-side authentication, run the **tls-ports set** FXCLI command to enable server-side authentication with the **Allow** **Anonymous** SSL/TLS setting:

```shell title="FXCLI" expandable lines wrap theme={null}
  tls-ports set -p "Excrypt Port" --anon
```

## Create connection certificates for mutual authentication

As mentioned previously, we recommend mutually authenticating to the HSM by using client certificates, and the system enforces mutual authentication by default. The following example shows how to use FXCLI to generate a CA to sign the HSM server certificate and a client certificate. Then, it shows how to generate the client keys and CSR by using OpenSSL.

<Note>
  * For this example, you must connect the computer that is running FXCLI to the front USB port of the HSM.
  * If you do not specify a file path for commands that create an output file, FXCLI saves the file to the current working directory.
  * Using user-generated certificates requires you to load a PMK on the HSM.
  * If you run help by itself, a full list of available commands displays. You can see all options for a command by running the command name followed by help.
</Note>

<Steps>
  <Step>
    Open the FXCLI prompt by running `fxcli-hsm` in a terminal.
  </Step>

  <Step>
    Connect your laptop to the HSM by using the USB port on the front, and run the following command.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      connect usb
    ```
  </Step>

  <Step>
    Run the following command to log in with both default Admin identities. When prompted for the username and password, enter them. You must run this command twice.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      login user
    ```
  </Step>

  <Step>
    Generate a TLS CA and store it in an available key slot on the HSM.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      generate --algo RSA --bits 2048 --usage mak --name TlsCaKeyPair --slot next
    ```
  </Step>

  <Step>
    Create a root certificate.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      x509 sign \
          --private-slot TlsCaKeyPair \
          --key-usage DigitalSignature --key-usage KeyCertSign \
          --ca true --pathlen 0 \
          --dn 'O=Futurex\CN=Root' \
          --out TlsCa.pem
    ```
  </Step>

  <Step>
    Generate the server keys for the HSM.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      tls-ports request --pair "Excrypt Port" --file production.csr --pki-algo RSA
    ```
  </Step>

  <Step>
    Sign the server CSR with the newly created TLS CA.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      x509 sign \
          --private-slot TlsCaKeyPair \
          --issuer TlsCa.pem \
          --csr production.csr \
          --eku Server --key-usage DigitalSignature --key-usage KeyAgreement \
          --ca false \
          --dn 'O=Futurex\CN=Production' \
          --out TlsProduction.pem
    ```
  </Step>

  <Step>
    Push the signed server PKI to the production port on the HSM.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      tls-ports set --pair "Excrypt Port" \
          --enable \
          --pki-source Generated \
          --clear-pki \
          --ca TlsCa.pem \
          --cert TlsProduction.pem \
          --no-anon
    ```
  </Step>

  <Step>
    To generate client keys and CSR, run the following OpenSSL commands from Windows **PowerShell** rather than from the FXCLI program:

    ```powershell expandable lines wrap title="Powershell" theme={null}
    # Generate the client keys
    $ openssl genrsa -out privatekey.pem 2048
    ```

    ```powershell expandable lines wrap title="Powershell" theme={null}
    # Generate a client CSR
    $ openssl req -new -key privatekey.pem -out ClientPki.csr -days 365
    ```
  </Step>

  <Step>
    Using FXCLI, sign the client CSR that was just generated using OpenSSL.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      x509 sign  \
       --private-slot TlsCaKeyPair \
       --issuer TlsCa.pem \
       --csr ClientPki.csr \
       --eku Client --key-usage DigitalSignature --key-usage KeyAgreement \
       --dn 'O=Futurex\CN=Client' \
       --out SignedPki.pem
    ```
  </Step>

  <Step>
    Run the following command from **PowerShell**. Use OpenSSL to create a PKCS #12 file that you can use to authenticate as a client by using our PKCS #11 library:

    ```powershell expandable lines wrap title="Powershell" theme={null}
    openssl pkcs12 -export -inkey privatekey.pem -in SignedPki.pem -certfile TlsCa.pem -out PKI.p12
    ```
  </Step>
</Steps>

<Note>
  For this step, you need to log in with an identity that has a role with the following permissions:

  * Keys:All Slots
  * Management Commands:Certificates
  * Management Commands:Keys
  * Security:TLS Sign
  * TLS Settings:Upload Key

  You can use the default Administrator role and Admin identities.
</Note>

To configure TLS authentication, choose one of the following methods:

1. Enable server-side authentication.
2. Create connection certificates for mutual authentication.

We recommend option 2, mutual authentication.

### Enable server-side authentication

We recommend mutually authenticating to the HSM using client certificates, but the Vectera Plus also supports server-side authentication. The following steps outline the process for enabling server-side authentication.

Choose one of the following methods to enable server-side authentication:

#### Excrypt Manager

To enable server-side authentication in Excrypt Manager, go to the **SSL/TLS Setup** menu. Then, select the **Excrypt Port** in the **Connection Pair** drop-down list, check the **Allow** **Anonymous** box, and select **\[ Save ]**.

#### FXCLI

To enable server-side authentication in FXCLI, run the **tls-ports set** FXCLI command to enable server-side authentication with the **Allow** **Anonymous** SSL/TLS setting:

```shell title="FXCLI" expandable lines wrap theme={null}
  tls-ports set -p "Excrypt Port" --anon
```

### Create connection certificates, client keypair, and a CSR

As mentioned previously, we recommend mutually authenticating to the HSM by using client certificates, and the system enforces mutual authentication by default. The following example shows how to use FXCLI to generate a CA to sign the HSM server certificate and a Futurex CNG (**FXCNG**) client certificate. Then, it shows how to generate the client key pair and CSR by using the Windows certreq utility.

<Note>
  * For this example, you must connect the computer running FXCLI to the front USB port of the HSM.
  * If you do not specify a file path for commands that create an output file, FXCLI saves the file to the current working directory.
  * Using user-generated certificates requires you to load a PMK on the HSM.
  * If you run help by itself, a full list of available commands displays. You can see the options for a command by running the command name followed by help.
</Note>

This section shows how to perform the following tasks:

1. Create a certreq policy file.
2. Generate a CSR from the certreq policy INF file.
3. Generate a key pair and CSR for the Excrypt Port on the HSM.
4. Sign the CSRs for the Excrypt Port and Futurex CNG.

#### Create a certreq policy file

Perform the following steps to create a certreq policy file:

<Steps>
  <Step>
    On the computer where you installed the Futurex CNG, open a text editor.
  </Step>

  <Step>
    Create a new file and copy and paste the following content into it:

    ```none expandable lines wrap title="None" theme={null}
    [Version]
    Signature = "$Windows NT$"

    [NewRequest]
    Subject = "CN=Microsoft ADCS"
    Exportable = TRUE
    KeyLength = 2048
    MachineKeySet = TRUE
    ```
  </Step>

  <Step>
    Save the file with the `.inf` extension (for example, `certreq_policy.inf`).
  </Step>
</Steps>

#### Generate a CSR

Perform the following steps to generate a CSR from the certreq policy INF file:

<Steps>
  <Step>
    Open either Command Prompt or PowerShell.
  </Step>

  <Step>
    Go to the directory with the certreq policy `.inf` file.
  </Step>

  <Step>
    Run the following command to generate a CSR from the certreq policy `.inf` file:

    ```powershell expandable lines wrap title="Powershell" theme={null}
    certreq -new -q -config "your.domain.com\Microsoft ADCS" certreq_policy.inf client.csr
    ```
  </Step>
</Steps>

#### Generate a key pair and CSR

Perform the following steps to generate a key pair and CSR for the Excrypt Port on the HSM:

<Steps>
  <Step>
    Open the FXCLI prompt by running `fxcli-hsm` in a terminal.
  </Step>

  <Step>
    Connect your laptop to the HSM through the USB port on the front, and run the following command:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      connect usb
    ```
  </Step>

  <Step>
    Use the following command to log in with the default Admin1 and Admin2 identities. When prompted, enter the username and password. Run the command twice, once for each identity.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      login user
    ```
  </Step>

  <Step>
    Generate a key pair and CSR for the Excrypt Port by using the following command:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      tls-ports request --pair "Excrypt Port" --file excrypt_port.csr --pki-algo RSA
    ```
  </Step>
</Steps>

#### Generate a keypair and certificate

Perform the following steps to generate a TLS CA keypair and certificate with FXCLI:

<Steps>
  <Step>
    Open the FXCLI prompt by running `fxcli-hsm` in a terminal.
  </Step>

  <Step>
    Connect your laptop to the HSM through the USB port on the front, and run the following command:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      connect usb
    ```
  </Step>

  <Step>
    Log in with the default Admin1 and Admin2 identities. When prompted, enter the username and password. Run this command twice, once for each identity.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      login user
    ```
  </Step>

  <Step>
    Generate a TLS CA keypair and store it in an available slot on the HSM

    ```shell title="FXCLI" expandable lines wrap theme={null}
      generate --algo RSA --bits 2048 --usage mak --name TlsCaKeyPair --slot next
    ```
  </Step>

  <Step>
    Create a TLS CA certificate from the key pair you created in step 4.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      x509 sign \
          --private-slot TlsCaKeyPair \
          --key-usage DigitalSignature --key-usage KeyCertSign \
          --ca true --pathlen 0 \
          --dn 'O=Futurex\CN=Root' \
          --out TlsCa.pem
    ```
  </Step>
</Steps>

#### **Sign the CSRs**

Perform the following steps to sign the CSRs for the Excrypt Port and Futurex CNG:

<Steps>
  <Step>
    Open the FXCLI prompt by running `fxcli-hsm` in a terminal.
  </Step>

  <Step>
    Connect your laptop to the HSM through the USB port on the front, and run the following command:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      connect usb
    ```
  </Step>

  <Step>
    Log in with the default Admin1 and Admin2 identities. When prompted, enter the username and password. Run the following command twice, once for each identity:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      login user
    ```
  </Step>

  <Step>
    Sign the CSR for the Excrypt Port by using the CA you created in the previous section.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      x509 sign \
          --private-slot TlsCaKeyPair \
          --issuer TlsCa.pem \
          --csr excrypt_port.csr \
          --eku Server --key-usage DigitalSignature --key-usage KeyAgreement \
          --ca false \
          --dn 'O=Futurex\CN=Excrypt Port' \
          --out signed_excrypt_cert.pem
    ```
  </Step>

  <Step>
    Push the signed server PKI to the Excrypt Port on the HSM.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      tls-ports set --pair "Excrypt Port" \
          --enable \
          --pki-source Generated \
          --clear-pki \
          --ca TlsCa.pem \
          --cert signed_excrypt_cert.pem \
          --no-anon
    ```
  </Step>

  <Step>
    Restart the SSL2TCP processor to apply the changes made to the Excrypt Port connection pair.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      tls-ports restart
    ```
  </Step>

  <Step>
    Sign the client CSR for Futurex CNG by using the CA you created in the previous section.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      x509 sign  \
       --private-slot TlsCaKeyPair \
       --issuer TlsCa.pem \
       --csr client.csr \
       --eku Client --key-usage DigitalSignature --key-usage KeyAgreement \
       --out signed_client_cert.pem
    ```
  </Step>
</Steps>

### Create an association between the signed certificate and its corresponding key pair

This section explains the necessary steps to associate the signed Futurex CNG client TLS certificate with its corresponding private key in the Windows Certificate Store. Before making this association, you must import the CA certificate that issued the Futurex CNG client TLS certificate into the Trusted Root Certification Authorities Windows Certificate Store.

#### Import the CA certificate

Perform the following steps to import the CA certificate that issued the Futurex CNG client TLS certificate into the Trusted Root Certification Authorities store:

<Steps>
  <Step>
    On the computer where you installed Futurex CNG, open the **Manage computer certificates** program.
  </Step>

  <Step>
    Right-click the **Trusted Root Certification Authorities** store and select **All Tasks**> **Import**.
  </Step>

  <Step>
    Follow the steps in the **Certificate Import Wizard** to import the TLS CA root certificate file.

    <Check>
      If the import succeeds, you get a confirmation message.
    </Check>
  </Step>
</Steps>

#### Associate the certificate with the key

Perform the following steps to associate the signed Futurex CNG certificate with its corresponding private key in the Windows Certificate Store:

<Steps>
  <Step>
    Open either Command Prompt or **PowerShell**.
  </Step>

  <Step>
    Go to the directory where you saved the signed Futurex CNG client TLS certificate file.
  </Step>

  <Step>
    Run the following command to create an association between the signed Futurex CNG certificate and its corresponding key pair stored in your Windows account profile:

    ```powershell expandable lines wrap title="Powershell" theme={null}
    certreq -accept -machine signed_client_cert.pem
    ```

    <Check>
      If the command succeeds, information about the installed certificate displays.
    </Check>
  </Step>
</Steps>
