The following example uses FXCLI to generate a new key on the Vectera Plus and assign it a PKCS11 label that Vault can reference when creating a new managed key.

Connect and log in

Perform the following steps to connect and log in to the HSM by using FXCLI:
1. Run the FXCLI application.
2. Configure TLS certificates for communication between FXCLI and the HSM by using the tls commands. Run tls help to access syntax documentation.
3. Use the following command to connect to the HSM:

   ```fxcli
   connect tcp --connect hsm_ip:9009
   ```

4. Log in to the HSM with the default Admin1 and Admin2 identities by running the following command twice, entering the username and password when prompted:

   ```fxcli
   login user
   ```

Create a new key pair

Perform the following steps to create a new key pair on the Vectera Plus:
1. Create a new key pair in the next available key slot on the HSM:

   ```fxcli
   generate --algo RSA --bits 2048 --name VaultManualKey --slot next --tpk-slot next --usage encrypt,decrypt,sign,verify,wrap,unwrap
   ```

2. Confirm which key slot the private key was added to:

   ```fxcli
   keytable list
   ```

3. Assign a PKCS11 label to the key (Vault needs this external data field to be set so that it can find the key). The number that you specify in the slot flag needs to match the slot number of the private key determined in the previous step. The PKCS11 label value should match the name set for the key pair in the generate command.

   ```fxcli
   keytable extdata --slot 0 --p11-attr label --p11-value VaultManualKey
   ```

Create a managed key in Vault

This example creates a managed key in Vault by referencing the PKCS11 label of the key that you manually generated on the Vectera Plus by using FXCLI. The vault command used to create a managed key from a manually generated key on the HSM is almost identical to the command you used to dynamically generate a key on the HSM in the Testing PKI operations section.
1. Run the following command to register a 2048-bit RSA managed key in Vault with the key label VaultManualKey:

   ```shell
   vault write /sys/managed-keys/pkcs11/hsm-key library=hsm1 token_label=Futurex pin=$PIN key_label="VaultManualKey" allow_generate_key=false allow_store_key=false mechanism=0x0001 key_bits=2048 any_mount=false
   ```

   In the key_label field, specify the PKCS11 label you assigned to the key by using the keytable extdata FXCLI command in the previous section. The main difference in the command in this step is that it sets allow_generate_key to false, which tells Vault not to attempt to generate a key on the HSM if it cannot find the referenced key.

2. Verify that the key configuration has been written to Vault:

   ```shell
   vault list /sys/managed-keys/pkcs11
   ```

3. Verify that the key configuration is valid by test-signing some data:

   ```shell
   vault write -f /sys/managed-keys/pkcs11/hsm-key/test/sign
   ```
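The three Vault steps above can be wrapped in one script that first checks the parameters most often got wrong when pointing Vault at a pre-existing HSM key (an empty key_label, a key_bits value that does not match the --bits used in the FXCLI generate command, or allow_generate_key left at true, which would let Vault silently generate a different key if the label lookup fails) and then runs the write, list and test-sign sequence. This is an added example, not code from the Futurex or Vault documentation; the names of the functions, the VAULT_ADDR/VAULT_TOKEN/PIN environment variables it expects, and the dry-run behaviour when no vault binary is on PATH are this example's own assumptions. The values mirror the page's example (library hsm1, token label Futurex, key label VaultManualKey, mechanism 0x0001, which is CKM_RSA_PKCS).

```shell
#!/bin/sh
# Added example (not from the Futurex/Vault docs): registers a manually
# generated HSM key as a Vault managed key and runs Vault's test-sign check.
# Assumes the FXCLI steps on this page already ran, that VAULT_ADDR and
# VAULT_TOKEN are exported for the vault CLI, and that PIN holds the PKCS11
# user PIN. All other values are assumptions mirroring the page's example.
set -e

MANAGED_KEY_NAME="hsm-key"          # path under sys/managed-keys/pkcs11/
PKCS11_LIBRARY="hsm1"               # library name from Vault's pkcs11 config
TOKEN_LABEL="Futurex"
KEY_LABEL="VaultManualKey"          # must equal --p11-value from keytable extdata
KEY_BITS=2048                       # must equal --bits from the FXCLI generate command
MECHANISM="0x0001"                  # CKM_RSA_PKCS

# validate_managed_key_params LABEL BITS ALLOW_GENERATE
# Returns 0 when the parameters correctly describe a pre-existing HSM key;
# prints the reason to stderr and returns 1 otherwise.
validate_managed_key_params() {
  label=$1; bits=$2; allow_generate=$3
  if [ -z "$label" ]; then
    echo "key_label is empty: Vault cannot locate the HSM key without it" >&2
    return 1
  fi
  case "$bits" in
    2048|3072|4096) ;;
    *) echo "key_bits=$bits is not a supported RSA size" >&2; return 1 ;;
  esac
  if [ "$allow_generate" != "false" ]; then
    echo "allow_generate_key must be false for a key generated manually on the HSM" >&2
    return 1
  fi
  return 0
}

# build_write_args NAME LIBRARY TOKEN_LABEL KEY_LABEL BITS MECHANISM
# Prints the key=value arguments for 'vault write sys/managed-keys/pkcs11/NAME'
# (the PIN is appended separately by the caller so it never lands in the string).
build_write_args() {
  printf 'library=%s token_label=%s key_label=%s allow_generate_key=false allow_store_key=false mechanism=%s key_bits=%s any_mount=false' \
    "$2" "$3" "$4" "$6" "$5"
}

# run_vault: executes the vault CLI if present, otherwise prints the command
# so the script can be dry-run on a machine without Vault.
run_vault() {
  if command -v vault >/dev/null 2>&1; then
    vault "$@"
  else
    echo "[dry-run] vault $*"
  fi
}

main() {
  validate_managed_key_params "$KEY_LABEL" "$KEY_BITS" false
  args=$(build_write_args "$MANAGED_KEY_NAME" "$PKCS11_LIBRARY" "$TOKEN_LABEL" "$KEY_LABEL" "$KEY_BITS" "$MECHANISM")
  # Word splitting of $args into separate key=value arguments is intended.
  run_vault write "sys/managed-keys/pkcs11/$MANAGED_KEY_NAME" pin="$PIN" $args
  run_vault list sys/managed-keys/pkcs11
  run_vault write -f "sys/managed-keys/pkcs11/$MANAGED_KEY_NAME/test/sign"
}

# Only run the procedure when a PIN was supplied; sourcing the file without
# one just defines the functions.
if [ -n "${PIN:-}" ]; then
  main "$@"
fi
```

Run it as `PIN='<pkcs11 user pin>' sh register-hsm-key.sh` (filename is an assumption) after the FXCLI steps; the test-sign call at the end fails loudly if Vault cannot find an object with the configured label on the token, which is the quickest way to catch a label or slot mismatch from the keytable extdata step.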