
This section covers the following tasks:
  1. Install OpenSC, which provides pkcs11-tool.
  2. Generate a key pair on the Vectera Plus by using pkcs11-tool.
  3. Generate a self-signed certificate for HAProxy by using OpenSSL.
  4. Store a reference to the HSM-stored private key inside a special PEM object with the label PKCS#11 PROVIDER URI. This object is a container for the PKCS #11 URI and contains no keying material.

Install OpenSC

To generate a new key pair on the Vectera Plus, use pkcs11-tool, which is included in the OpenSC package available through the default package manager in most Linux distributions. In a terminal, run the following commands to update the package index and install OpenSC:

    sudo apt update
    sudo apt install opensc

Generate a key pair

Perform the following steps to generate a key pair on the Vectera Plus using pkcs11-tool:
1. In a terminal, run the following command:

    pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "HAProxy" --id "123456" --usage-sign --usage-decrypt --usage-wrap

If you haven’t set the FXPKCS11_MODULE environment variable to the location of the FXPKCS11 library file, update the --module parameter to specify the full path to the module (such as /usr/local/bin/fxpkcs11/libfxpkcs11.so).
2. Enter the identity password configured in the fxpkcs11.cfg file when prompted for the User PIN.

If the command succeeds, the keys display in the output, as shown in the following example:

Key pair generated:
Private Key Object; RSA
  label:      HAProxy
  ID:         123456
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, local
Public Key Object; RSA 2048 bits
  label:      HAProxy
  ID:         123456
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
The command creates the following keys:
  • A private RSA 2048 key with asymmetric decrypt, sign, signRecover, and unwrap usage.
  • A public RSA 2048 key with encrypt, verify, verifyRecover, and wrap usage.

Generate a self-signed certificate

Perform the following steps to use OpenSSL to generate a self-signed certificate for HAProxy from the key pair stored on the HSM.

1. In a terminal, run the following command:

    openssl req -new -x509 -provider pkcs11 -key "pkcs11:object=HAProxy;type=private" -out haproxy-cert.pem -subj "/CN=HAProxy" -days 365

If the command is successful, your current directory contains a new file named haproxy-cert.pem.

Create a reference to the private key

Perform the following steps to create a reference to the HSM-stored private key by using the uri2pem.py script:

2. Install the asn1crypto dependency, which you need to run the uri2pem.py script:

    sudo apt install python3-asn1crypto

3. Run the script with the following command:

    python3 uri2pem.py 'pkcs11:object=HAProxy;type=private'

If the script completes without any errors, it prints the special PEM stanza to the terminal in the following format:

-----BEGIN PKCS#11 PROVIDER URI-----
MEcaGVBLQ1MjMTEgUHJvdmlkZXIgVVJJIHYxLjAMKnBrY3MxMTpvYmplY3Q9Im15
X3JzYTIwNDhfa2V5O3R5cGU9cHJpdmF0ZQ==
-----END PKCS#11 PROVIDER URI-----
The preceding stanza decodes to the PKCS #11 URI of the private key stored on the HSM. This object is a container for the PKCS #11 URI and contains no keying material.
4. Copy and paste the PKCS#11 PROVIDER URI output into a new file and name it haproxy-cert.pem.key. Be sure to include the BEGIN and END lines.