Quick Reference

Pre-implementation
Implementation
Post-implementation

This section offers a quick reference to key prerequisites and high-level implementation steps. For basic testing procedures for the integration, see Validate and test.

Pre-implementation

Ensure your environment complies with the following requirements:

Install dependencies
- OpenSC (from source or with package manager under opensc)
Check OpenSSL version (v3.0 or newer)
Admin privileges on the HSM

Implementation

Perform the following high-level steps to implement this integration:

You can complete most tasks in this section by using either Excrypt Manager or FXCLI. The exception is the second option of task 7 (Create connection certificates for mutual authentication), for which you must use FXCLI.You can optionally complete steps 4 through 6 by using the Guardian Series 3 (see the applicable guide for configuring HSMs for PKCS #11 integrations by using the Guardian Series 3).

If you use a virtual HSM for the integration, you must connect to it over the network through FXCLI, the Excrypt Touch, or the Guardian Series 3.

Install Futurex PKCS #11 module (FXPKCS11).
Install Futurex Excrypt Manager [Optional - If using Windows to configure the Vectera Plus for the integration]
Install Futurex Command Line Interface (FXCLI).
Configure Vectera Plus:
- Connect to the HSM with a USB to enable Excrypt Manager or FXCLI.
- Confirm that the Command Primary Mode is General Purpose (GP) and that the PKCS #11 feature is enabled.
- Configure the HSM network.
- Load FTK , PMK and BEK major keys.
- Configure the transaction processing connection.
- Create a new application partition for the integration.
- Create a new identity and give it access to the newly created application partition.
- Configure TLS with either server-side or mutual authentication.
Edit the FXPKCS11 configuration file.
Install and configure pkcs11-provider .

Post-implementation

After you complete the integration, perform the following tasks to validate it:

Using opensc, generate a key pair that will be stored on the Vectera Plus.
Using OpenSSL Provider architecture:
- Output the public key to a local file
- Encrypt and decrypt data
- Sign a file and verify the signature
- Create a self-signed Root CA
- Generate a CSR
- Signed a CSR

Changelog

Before you start

⌘I

Certificate Authority

Certificate management

Certificate validation

Code signing

Credential management

Data protection

Database

Digital signing

DNS

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

TLS offloading

VPN

Pre-implementation

Implementation

Post-implementation

Certificate Authority

Certificate management

Certificate validation

Code signing

Credential management

Data protection

Database

Digital signing

DNS

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

TLS offloading

VPN

​Pre-implementation

​Implementation

​Post-implementation

Pre-implementation

Implementation

Post-implementation