> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Generate a signing key and certificate

> Generate an RSA signing key on the HSM and create a certificate for use in ADSS signing profiles.

*Generate a signing key on the Futurex HSM and create a certificate for use in ADSS signing profiles.*

## Generate a signing key on the HSM

<Steps>
  <Step title="Navigate to the Service Keys menu">
    In the ADSS Admin Console, go to **Key Manager** > **Service Keys**.
  </Step>

  <Step title="Generate a new key">
    Click **New** and configure the following:

    | Setting                                                   | Value                                                                             |
    | --------------------------------------------------------- | --------------------------------------------------------------------------------- |
    | **Key Alias**                                             | A descriptive name (e.g., `SigningKey`)                                           |
    | **Purpose**                                               | Select a purpose for the key                                                      |
    | **Crypto Profile**                                        | Select "Futurex HSM" or the alias you set                                         |
    | **Key Algorithm**                                         | Choose **RSA** or **ECDSA**                                                       |
    | **Key Length** (and **Curve Type** if you selected ECDSA) | Choose a key length (and curve type if applicable)                                |
    | **Description** (optional)                                | Add a description                                                                 |
    | **Private key export settings**                           | Choose whether the private key can be exported from the HSM as a PFX/PKCS#12 file |
  </Step>

  <Step title="Confirm key generation">
    Click **OK**. The Vectera Plus HSM generates the key directly on hardware. The private key never leaves the HSM.

    <Check>
      You should see the key in the **Service Keys** list with the Futurex HSM crypto source.
    </Check>
  </Step>
</Steps>

## Create a certificate using the HSM key

<Steps>
  <Step title="Navigate to the Service Keys menu">
    In the ADSS Admin Console, return to the **Key Manager** > **Service Keys** menu.
  </Step>

  <Step title="Select the HSM key">
    Select the key created in the previous step and click the **Certificates** button.
  </Step>

  <Step title="Create a CSR or self-signed certificate">
    You should see information about the HSM key you selected. Click the **Create CSR/Certificate** button.
  </Step>

  <Step title="Configure the certificate details">
    Configure the required certificate fields (Certificate Template, Certificate Alias, Common Name, Organization, etc.) as required by your certificate policy.
  </Step>

  <Step title="Choose the certificate type">
    Select one of:

    * **Use External CA** - This is the **Certificate Signing Request (CSR)** option. Submit to your CA for production use.
    * **Create Self-Signed Certificate** — for testing and development environments
  </Step>

  <Step title="Generate the CSR or self-signed certificate">
    Click **OK** and follow the steps for the option you chose.

    **If you chose CSR:** You will see the PKCS#10 certificate request on the screen. Click **Save As** to download the CSR file, then submit it to your CA to issue the certificate. Once your CA returns the signed certificate, go back to the Certificate Manager, select the **Pending** certificate entry, and click **Import Certificate**. Browse to your signed certificate file and click **OK** to import it.

    <Note>
      If you have not already imported your CA certificate in **Trust Manager**, you will see the message, "The certificate is not trusted - do you still want to import this certificate?" Please refer to Ascertia's ADSS [Trust Manager documentation](https://manuals.ascertia.com/ADSS-Server/v8.4/Admin-Guide/trust_manager.html) for guidance on how to register Trust Authorities (TAs).
    </Note>

    **If you chose self-signed certificate:** You should see a message confirming the key pair was generated successfully. To apply the changes, restart the Unity Console manually via its GUI.

    <Check>
      The certificate appears in the Certificate Manager with a Status of **Active**, associated with the HSM-backed signing key.
    </Check>
  </Step>
</Steps>
