Configure TLS authentication to secure the connection between the ADSS Server host and the Vectera Plus. You can enable server-side TLS or mutual TLS depending on your security requirements.
Enable server-side authentication
Excrypt Manager
Navigate to TLS settings
Go to the TLS configuration section in Excrypt Manager.
Enable server-side TLS
Enable TLS on the Excrypt port (9100). This encrypts traffic between the ADSS Server host and the HSM.
FXCLI
Enable server-side TLS
Configure the HSM to require TLS on the Excrypt port.
Create connection certificates for mutual authentication
For mutual TLS, create a TLS CA on the HSM and issue client certificates for the ADSS Server host.
Connect and log in
Run the following commands to connect and log in:
connect usb
login user <admin1> <password>
login user <admin2> <password>
Generate a TLS CA on the HSM
Generate an RSA 2048-bit key pair for the TLS CA.
Create a root certificate
Create a self-signed root certificate with DigitalSignature and KeyCertSign key usage.
Request a server CSR
Run the following command to request a server CSR:
Sign the server CSR
Sign the server CSR using the TLS CA.
Push the signed server PKI
Run the following command to push the signed server PKI:
Generate client keys with OpenSSL
On the ADSS Server host, generate a client key pair and CSR:
openssl genrsa -out client-key.pem 2048
openssl req -new -key client-key.pem -out client-csr.pem -subj "/CN=adss-server"
Sign the client CSR on the HSM
Use FXCLI to sign the client CSR with the TLS CA.
Create a PKCS #12 bundle
Run the following command to create the PKCS #12 bundle:
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out PKI.p12
Place the PKI.p12 file and the CA certificate chain on the ADSS Server host where the Futurex PKCS #11 configuration file references them.
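Before placing the files, it is worth confirming that the key, the HSM-signed certificate, the CA certificate and the bundle all belong together. The following script is an added example, not part of the Futurex documentation; the function name check_client_pki, the file name ca-chain.pem and the P12_PASS environment variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: consistency checks for the client PKI built in the steps above.
# Usage: P12_PASS=<export password> sh check_pki.sh client-key.pem client-cert.pem ca-chain.pem PKI.p12
# ca-chain.pem is an assumed name for the TLS CA certificate exported from the HSM.

check_client_pki() {
    key=$1 cert=$2 ca=$3 p12=$4

    # 1. The private key and the HSM-signed certificate must share one public key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "FAIL: cannot read $key"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: cannot read $cert"; return 1; }
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "FAIL: key does not match certificate"; return 1; }

    # 2. The certificate must chain to the TLS CA and be acceptable as a TLS client certificate.
    openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not verify against $ca"; return 1; }

    # 3. The bundle must open with the export password and carry that same certificate.
    #    The password is read from the environment so it does not appear in argv.
    want=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    got=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || got=""
    [ -n "$got" ] && [ "$want" = "$got" ] \
        || { echo "FAIL: $p12 does not open or does not contain $cert"; return 1; }

    echo "OK: key, certificate, CA chain and PKCS #12 bundle are consistent"
}

# Run the checks only when the four file arguments are supplied.
if [ "$#" -eq 4 ]; then
    check_client_pki "$@"
fi
```

A failure at step 2 usually means the CA file on the host is not the TLS CA that signed the client CSR, which would also cause the mutual TLS handshake to be rejected.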