Skip to main content
For this step, you must log in with an identity that has a role with the following permissions: Keys:All Slots, Management Commands:Certificates, Management Commands:Keys, Security:TLS Sign, and TLS Settings:Upload Key. You can use the default Administrator role and Admin identities.
To configure TLS authentication, choose one of the following methods:
  1. Enable server-side authentication.
  2. Create connection certificates for mutual authentication.
We recommend option 2, mutual authentication.

Enable server-side authentication

We recommend mutually authenticating to the HSM using client certificates, but the Vectera Plus also supports server-side authentication. The following steps outline the process for enabling server-side authentication. Choose one of the following methods to enable server-side authentication:

Excrypt Manager

To use Excrypt Manager to enable server-side authentication, go to the SSL/TLS Setupmenu. Then, select the Excrypt Portin the Connection Pair drop-down list, check the Allow Anonymous box, and select [ Save ].

FXCLI

To use FXCLI to enable server-side authentication, run the tls-ports set FXCLI command to enable server-side authentication with the Allow Anonymous SSL/TLS setting:
FXCLI
  tls-ports set -p "Excrypt Port" --anon

Create connection certificates for mutual authentication

As mentioned previously, we recommend mutually authenticating to the HSM by using client certificates, and the system enforces mutual authentication by default. The following example shows how to use FXCLI to generate a CA to sign the HSM server certificate and a client certificate. Then, it shows how to generate the client keys and CSR by using OpenSSL.
  • For this example, you must connect the computer that is running FXCLI to the front USB port of the HSM.
  • If you do not specify a file path for commands that create an output file, FXCLI saves the file to the current working directory.
  • Using user-generated certificates requires you to load a PMK on the HSM.
  • If you run help by itself, a full list of available commands displays. You can see all options for a command by running the command name followed by help.
1
Open the FXCLI prompt by running fxcli-hsm in a terminal.
2
Connect your laptop to the HSM by using the USB port on the front, and run the following command.
FXCLI
  connect usb
3
Run the following command to log in with both default Admin identities. When prompted for the username and password, enter them. You must run this command twice.
FXCLI
  login user
4
Generate a TLS CA and store it in an available key slot on the HSM.
FXCLI
  generate --algo RSA --bits 2048 --usage mak --name TlsCaKeyPair --slot next
5
Create a root certificate.
FXCLI
  x509 sign \
      --private-slot TlsCaKeyPair \
      --key-usage DigitalSignature --key-usage KeyCertSign \
      --ca true --pathlen 0 \
      --dn 'O=Futurex\CN=Root' \
      --out TlsCa.pem
6
Generate the server keys for the HSM.
FXCLI
  tls-ports request --pair "Excrypt Port" --file production.csr --pki-algo RSA
7
Sign the server CSR with the newly created TLS CA.
FXCLI
  x509 sign \
      --private-slot TlsCaKeyPair \
      --issuer TlsCa.pem \
      --csr production.csr \
      --eku Server --key-usage DigitalSignature --key-usage KeyAgreement \
      --ca false \
      --dn 'O=Futurex\CN=Production' \
      --out TlsProduction.pem
8
Push the signed server PKI to the production port on the HSM.
FXCLI
  tls-ports set --pair "Excrypt Port" \
      --enable \
      --pki-source Generated \
      --clear-pki \
      --ca TlsCa.pem \
      --cert TlsProduction.pem \
      --no-anon
9
To generate client keys and CSR, run the following OpenSSL commands from Windows PowerShell rather than from the FXCLI program:
Powershell
# Generate the client keys
$ openssl genrsa -out privatekey.pem 2048
Powershell
# Generate a client CSR
$ openssl req -new -key privatekey.pem -out ClientPki.csr -days 365
10
Using FXCLI, sign the client CSR that was just generated using OpenSSL.
FXCLI
  x509 sign  \
   --private-slot TlsCaKeyPair \
   --issuer TlsCa.pem \
   --csr ClientPki.csr \
   --eku Client --key-usage DigitalSignature --key-usage KeyAgreement \
   --dn 'O=Futurex\CN=Client' \
   --out SignedPki.pem
11
Run the following command from PowerShell. Use OpenSSL to create a PKCS #12 file that you can use to authenticate as a client by using our PKCS #11 library:
Powershell
openssl pkcs12 -export -inkey privatekey.pem -in SignedPki.pem -certfile TlsCa.pem -out PKI.p12