Configure TLS authentication to secure the connection between the ADSS Server host and the Vectera Plus. You can enable server-side TLS or mutual TLS depending on your security requirements.

Enable server-side authentication

Excrypt Manager

1

Navigate to TLS settings

Go to the TLS configuration section in Excrypt Manager.
2

Enable server-side TLS

Enable TLS on the Excrypt port (9100). This encrypts traffic between the ADSS Server host and the HSM.

FXCLI

1

Enable server-side TLS

Configure the HSM to require TLS on the Excrypt port.

Create connection certificates for mutual authentication

For mutual TLS, create a TLS CA on the HSM and issue client certificates for the ADSS Server host.
1

Connect and log in

Run the following commands to connect and log in:
FXCLI
connect usb
login user <admin1> <password>
login user <admin2> <password>
2

Generate a TLS CA on the HSM

Generate an RSA 2048-bit key pair for the TLS CA.
3

Create a root certificate

Create a self-signed root certificate with DigitalSignature and KeyCertSign key usage.
4

Request a server CSR

Run the following command to request a server CSR:
FXCLI
tls-ports request ...
5

Sign the server CSR

Sign the server CSR using the TLS CA.
6

Push the signed server PKI

Run the following command to push the signed server PKI:
FXCLI
tls-ports set ...
7

Generate client keys with OpenSSL

On the ADSS Server host, generate a client key pair and CSR:
Shell
openssl genrsa -out client-key.pem 2048
openssl req -new -key client-key.pem -out client-csr.pem -subj "/CN=adss-server"
8

Sign the client CSR on the HSM

Use FXCLI to sign the client CSR with the TLS CA.
9

Create a PKCS #12 bundle

Run the following command to create the PKCS #12 bundle:
Shell
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out PKI.p12
Place the PKI.p12 file and the CA certificate chain on the ADSS Server host where the Futurex PKCS #11 configuration file references them.
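Before copying the bundle to the ADSS Server host, it is worth confirming that the client certificate chains to the TLS CA, that it matches the private key, and that PKI.p12 opens and contains that certificate. The script below is an added example, not part of the vendor procedure. The helper names check_client_pki and build_demo_pki, the file name ca.pem, the password demo-only, and the throwaway local CA that stands in for the HSM TLS CA are all assumptions made so the script runs offline.

```shell
#!/bin/sh
# Added example: checks on the client PKI from steps 7-9 before it is deployed.

# check_client_pki KEY CERT CA_CHAIN P12 P12_PASSWORD  (hypothetical helper)
# Returns 0 if all checks pass, 1 chain failure, 2 key mismatch, 3 bad bundle.
check_client_pki() {
    key=$1 cert=$2 ca=$3 p12=$4 pass=$5

    # 1. The client certificate must chain to the TLS CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "chain: FAIL"; return 1; }

    # 2. The certificate's public key must belong to the private key.
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ] || { echo "keypair: FAIL"; return 2; }

    # 3. The bundle must open with its password and hold that same certificate.
    b=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null) || b=
    f=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    [ -n "$b" ] && [ "$b" = "$f" ] || { echo "bundle: FAIL"; return 3; }
    echo "client PKI: OK"
}

# Constructed demo data: a throwaway local CA stands in for the TLS CA that the
# page creates on the HSM. -passout replaces the interactive password prompt.
build_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca-key.pem" \
        -out "$d/ca.pem" -subj "/CN=demo-tls-ca" -days 1 2>/dev/null
    openssl genrsa -out "$d/client-key.pem" 2048 2>/dev/null
    openssl req -new -key "$d/client-key.pem" -out "$d/client-csr.pem" \
        -subj "/CN=adss-server"
    openssl x509 -req -in "$d/client-csr.pem" -CA "$d/ca.pem" \
        -CAkey "$d/ca-key.pem" -CAcreateserial -out "$d/client-cert.pem" \
        -days 1 2>/dev/null
    openssl pkcs12 -export -in "$d/client-cert.pem" -inkey "$d/client-key.pem" \
        -out "$d/PKI.p12" -passout pass:demo-only
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT    # the demo private keys are removed on exit
build_demo_pki "$tmp"
check_client_pki "$tmp/client-key.pem" "$tmp/client-cert.pem" "$tmp/ca.pem" \
    "$tmp/PKI.p12" demo-only
```

With real files, call check_client_pki with the CA certificate chain exported from the HSM in place of ca.pem and the export password chosen in step 9.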