> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure TLS authentication

> Configure TLS authentication on the Vectera Plus for secure communication with the ADSS Server host.

*Configure TLS authentication to secure the connection between the ADSS Server host and the Vectera Plus. You can enable server-side TLS or mutual TLS depending on your security requirements.*

## Enable server-side authentication

### Excrypt Manager

<Steps>
  <Step title="Navigate to TLS settings">
    Go to the TLS configuration section in Excrypt Manager.
  </Step>

  <Step title="Enable server-side TLS">
    Enable TLS on the Excrypt port (9100). This encrypts traffic between the ADSS Server host and the HSM.
  </Step>
</Steps>

### FXCLI

<Steps>
  <Step title="Enable server-side TLS">
    Configure the HSM to require TLS on the Excrypt port.
  </Step>
</Steps>

## Create connection certificates for mutual authentication

For mutual TLS, create a TLS CA on the HSM and issue client certificates for the ADSS Server host.

<Steps>
  <Step title="Connect and log in">
    Run the following commands to connect and log in:

    ```shell title="FXCLI" theme={null}
    connect usb
    login user <admin1> <password>
    login user <admin2> <password>
    ```
  </Step>

  <Step title="Generate a TLS CA on the HSM">
    Generate an RSA 2048-bit key pair for the TLS CA.
  </Step>

  <Step title="Create a root certificate">
    Sign a self-signed root certificate with DigitalSignature and KeyCertSign usage.
  </Step>

  <Step title="Request a server CSR">
    Run the following command to request a server CSR:

    ```shell title="FXCLI" theme={null}
    tls-ports request ...
    ```
  </Step>

  <Step title="Sign the server CSR">
    Sign the server CSR using the TLS CA.
  </Step>

  <Step title="Push the signed server PKI">
    Run the following command to push the signed server PKI:

    ```shell title="FXCLI" theme={null}
    tls-ports set ...
    ```
  </Step>

  <Step title="Generate client keys with OpenSSL">
    On the ADSS Server host, generate a client key pair and CSR:

    ```shell title="Shell" theme={null}
    openssl genrsa -out client-key.pem 2048
    openssl req -new -key client-key.pem -out client-csr.pem -subj "/CN=adss-server"
    ```
  </Step>

  <Step title="Sign the client CSR on the HSM">
    Use FXCLI to sign the client CSR with the TLS CA.
  </Step>

  <Step title="Create a PKCS #12 bundle">
    Run the following command to create the PKCS #12 bundle:

    ```shell title="Shell" theme={null}
    openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out PKI.p12
    ```

    Place the `PKI.p12` file and the CA certificate chain on the ADSS Server host where the Futurex PKCS #11 configuration file references them.
  </Step>
</Steps>
