
This section starts with general KMES configurations that enable Apache to integrate with the KMES to store the private key used for HTTPS connections. The second half of this section covers the steps to configure TLS communication between the KMES Series 3 and the Futurex PKCS #11 library that Apache uses to communicate with the KMES.

Create a role and identity

Perform the following steps to create a new role and identity for Apache on the device and assign the role to the identity that the Futurex PKCS #11 library uses to connect to the KMES:
1. Log in to the KMES application interface with the default Admin identities.
2. Go to the Identity Management > Roles menu and select [ Add ].
3. In the Role Editor window, specify a name for the role, select the Hardened checkbox, and set the number of logins required to 1.
4. On the Permissions tab, select the following permissions (category: permissions):
  • Certificate Authority: Add, Export
  • Cryptographic Operations: Sign
  • Keys: Add
5. On the Advanced tab, set the allowed ports field to Host API.
6. Select [ OK ] to finish creating the role.
7. Go to the Identity Management > Identities menu, then right-click the pane background and select Add > Client Application.
8. Change the storage type to HSM and specify a name for the identity.
9. On the Assigned Roles tab, select the hardened role that you just created.
10. On the Authentication tab, select [ Add ] to configure a new credential.
11. In the Configure Credential window, set the credential type to Password, enter a password for the credential, and select [ OK ].
The new Password credential now displays with the API Key credential that exists by default.
12. Select the API Key credential and select [ Remove ].
13. In the main Identity Editor dialog, select [ OK ] to save.
The new identity now displays in the list with the other identities that exist on the device.

Enable the Host API commands

Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must determine which Host API commands the FXPKCS11 library is permitted to execute. To enable the commands required for Apache HTTP Server operation, perform the following steps:
1. Go to Administration > Configuration > Host API Options and enable the following commands (command: description and additional modifiers):
  • ATKG: Manipulate HSM trusted asymmetric key group. Enable the following modifiers:
      • Add: Add HSM trusted asymmetric key group.
      • Modify: Modify HSM trusted asymmetric key group.
      • Delete: Delete HSM trusted asymmetric key group.
      • Get: Retrieve HSM trusted asymmetric key group.
  • ECHO: Communication Test/Retrieve Version
  • RAFA: Filter Issuance Policy
  • RAND: Generate Random Number
  • RKCK: Create HSM Trusted Key
  • RKCP: Get Command Permissions
  • RKCS: Create Symmetric HSM Trusted Key Group
  • RKGP: Export Asymmetric HSM Trusted Key
  • RKGS: Generate Signature
  • RKLN: Lookup Objects
  • RKLO: Login User
  • RKPK: Pop Generated Key
  • TIME: Set Time
2. After enabling the preceding commands, select [ Save ].

Configure TLS communication

To configure TLS communication between the KMES and PKCS #11 library, you need to perform the following tasks:
  • Create a Certificate Authority
  • Create a CSR pair for the System/Host API connection pair
  • Sign the System/Host API CSR
  • Export the TLS Root CA certificate
  • Export the signed System/Host API TLS certificate
  • Load the exported TLS certificates into the System/Host API connection pair
  • Generate a TLS private key and certificate signing request for the Futurex PKCS #11 library by using OpenSSL
  • Sign the Certificate Signing Request (CSR) for the FXPKCS11 Library
  • Export the signed FXPKCS11 TLS certificate
The following sections detail these task procedures.

Create a Certificate Authority

1. Go to the PKI > Certificate Authorities menu and select [ Add CA ] at the bottom of the window.
2. In the Certificate Authority dialog, enter a name for the certificate container, leave all other fields set to the default values, and select [ OK ].
3. Right-click the certificate container that you created and select Add Certificate > New Certificate.
4. On the Subject DN tab, select the Classic preset and set a Common Name for the certificate, such as System TLS CA Root.
5. On the Basic Info tab, leave all fields set to the default values.
6. On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
The root CA certificate now displays under the previously created certificate container.

Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:
1. Go to Administration > Configuration > Network Options.
2. In the Network Options dialog, go to the TLS/SSL Settings tab.
3. Under the System/Host API connection pair, uncheck the Use Futurex Certificates checkbox and select [ Edit ] next to the PKI keys in the User Certificates section.
4. In the Application Public Keys window, select [ Generate ].
5. When the SSL will not be functional until new certificates are imported warning displays, select [ Yes ] to continue.
6. In the PKI Parameters window, leave the default settings and select [ OK ].
7. When you see that a PKI Key Pair is loaded in the Application Public Keys dialog, select [ Request ].
8. On the Subject DN tab, set a Common Name for the certificate, such as KMES.
9. On the V3 Extensions tab, select the TLS Server Certificate profile.
10. On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
11. When the save successful message displays, select [ OK ].
12. Select [ OK ] again to save the Application Public Keys settings.
The main Network Options dialog now shows Loaded next to PKI Keys for the System/Host API connection pair.

Sign the CSR

Perform the following steps to sign the System/Host API CSR:
1. Go to the PKI > Certificate Authorities menu.
2. Right-click the System TLS CA Root certificate created previously and select Add Certificate > From Request.
3. In the file browser, select the CSR generated for the System/Host API connection pair.
4. After it loads, you don't need to modify any certificate settings. Select [ OK ].
The signed System/Host API TLS certificate should now show under the TLS root CA certificate on the Certificate Authorities page.

Export the certificate

Perform the following steps to export the TLS Root CA certificate:
1. Go to the PKI > Certificate Authorities menu.
2. Right-click the System TLS CA Root certificate and select Export > Certificate(s).
3. In the Export Certificate window, select the PEM encoding and select [ Browse ].
4. In the file browser, navigate to the location where you want to save the TLS root CA certificate. Specify a name for the file and select [ Open ].
5. Select [ OK ].
A message box says that the PEM file was successfully written to the location that you specified.

Export the TLS certificate

Perform the following steps to export the signed System/Host API TLS certificate:
1. Go to the PKI > Certificate Authorities menu.
2. Right-click the KMES certificate and select Export > Certificate(s).
3. In the Export Certificate dialog, select the PEM encoding and select [ Browse ].
4. In the file browser, go to the location where you want to save the signed System/Host API TLS certificate. Specify a name for the file and select [ Open ].
5. Select [ OK ].
A message box says that the PEM file was successfully written to the location that you specified.

Load the exported certificates

Perform the following steps to load the exported TLS certificates into the System/Host API connection pair:
1. Go to Administration > Configuration > Network Options.
2. In the Network Options dialog, go to the TLS/SSL Settings tab.
3. Select [ Edit ] next to Certificates in the User Certificates section.
4. Right-click the System/Host API SSL CA X.509 certificate container and then select [ Import ].
5. Select [ Add ] at the bottom of the Import Certificates window.
6. In the file browser, select the TLS Root CA certificate and the signed System/Host API TLS certificate, and select [ Open ].
The certificate chain appears in the Verified section.
7. Select [ OK ] to save the changes.
In the Network Options window, the System/Host API connection pair now shows Signed loaded next to Certificates in the User Certificates section.
8. Select [ OK ] to save and exit the Network Options window.

Generate a private key and CSR

Execute the following commands from a terminal application with OpenSSL to generate a TLS private key and certificate signing request (CSR) for the Futurex PKCS #11 library:
1. Open a terminal and run the following command to generate a TLS private key for the FXPKCS11 library:
   $ openssl genrsa -out fxpkcs11_tls_privatekey.pem 2048
2. Run the following command to generate a CSR for the FXPKCS11 library (a CSR has no validity period of its own; openssl req only honours -days together with -x509, so it is not passed here):
   $ openssl req -new -key fxpkcs11_tls_privatekey.pem -out fxpkcs11_tls_cert_req.pem
It prompts you to enter certificate information. The CSR is written to a file named fxpkcs11_tls_cert_req.pem in the same directory where you ran the command.
3. Move or copy the CSR file to the storage medium configured on the KMES.

Sign the CSR

Perform the following steps to sign the CSR for the FXPKCS11 Library:
1. Go to the PKI > Certificate Authorities menu.
2. Right-click the System TLS CA Root certificate and select Add Certificate > From Request.
3. In the file browser, locate and select the FXPKCS11 CSR. Certificate information populates in the Create X.509 From CSR window.
4. On the Subject DN tab, change the preset drop-down option to Classic, and set a Common Name for the certificate, such as FXPKCS11.
5. On the Basic Info tab, leave all settings set to the default values.
6. On the V3 Extensions tab, select the TLS Client Certificate profile, and then select [ OK ].
The signed FXPKCS11 certificate now displays in the list under the TLS Root Certificate.

Export the signed certificate

Perform the following steps to export the signed FXPKCS11 TLS certificate:
1. Go to the PKI > Certificate Authorities menu.
2. Right-click the FXPKCS11 certificate and select Export > Certificate(s).
3. In the Export Certificate dialog, select the PEM encoding and select [ Browse ].
4. In the file browser, go to the location where you want to save the FXPKCS11 TLS certificate. Specify a name for the file and select [ Open ].
5. Select [ OK ].
A message box says that the PEM file was successfully written to the location that you specified.
6. Move both the signed FXPKCS11 TLS certificate and the TLS Root CA certificate to the computer that hosts the Apache HTTP Server instance. The next section shows how to configure and use them for TLS communication with the KMES Series 3.
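The script below is an added example, not part of the Futurex documentation: it performs the OpenSSL key and CSR generation from "Generate a private key and CSR" non-interactively, and then runs the checks worth doing on the exported FXPKCS11 certificate and TLS Root CA certificate before handing them to the PKCS #11 library (chain validity, key match, TLS client EKU). Because the real signing happens in the KMES GUI, a throwaway local CA stands in for the "System TLS CA Root" so the script runs offline; all file names and the CA stand-in are assumptions.

```shell
#!/bin/sh
# Added example, not from the Futurex docs: generates the FXPKCS11 TLS key and CSR
# non-interactively and checks the certificate that comes back from the CA. A
# throwaway local CA stands in for the KMES "System TLS CA Root" so this runs
# offline; all file names are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Steps 1 and 2 of "Generate a private key and CSR", with the subject supplied on
# the command line instead of at the prompts (-days is omitted: openssl req only
# honours it together with -x509).
gen_key_and_csr() {
  openssl genrsa -out "$WORK/fxpkcs11_tls_privatekey.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/fxpkcs11_tls_privatekey.pem" \
    -subj "/CN=FXPKCS11" -out "$WORK/fxpkcs11_tls_cert_req.pem"
}

# Returns 0 when the CSR carries the expected Common Name.
csr_has_cn() {
  openssl req -in "$WORK/fxpkcs11_tls_cert_req.pem" -noout -subject | grep -q "CN *= *$1"
}

# Constructed stand-in for the KMES CA and its TLS Client Certificate profile
# (clientAuth EKU); on the real device this step is done in the KMES GUI.
stand_in_ca_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=System TLS CA Root" \
    -keyout "$WORK/ca_key.pem" -out "$WORK/tls_root_ca.pem" -days 1 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/fxpkcs11_tls_cert_req.pem" -CA "$WORK/tls_root_ca.pem" \
    -CAkey "$WORK/ca_key.pem" -CAcreateserial -extfile "$WORK/ext.cnf" -days 1 \
    -out "$WORK/fxpkcs11_tls_cert.pem" 2>/dev/null
}

# Checks to run on the exported certificate before giving it to the PKCS #11
# library: it chains to the exported root CA, its public key matches the private
# key generated above, and it is usable for TLS client authentication.
verify_client_cert() {
  cert="$WORK/fxpkcs11_tls_cert.pem"
  openssl verify -CAfile "$WORK/tls_root_ca.pem" "$cert" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/fxpkcs11_tls_privatekey.pem" -pubout)" ] || return 2
  openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication' || return 3
}

gen_key_and_csr
stand_in_ca_sign
verify_client_cert && echo "FXPKCS11 client certificate verified in $WORK"
```

Set WORK to a directory of your choice to keep the generated files; with the real KMES, replace stand_in_ca_sign with the GUI signing steps and point tls_root_ca.pem and fxpkcs11_tls_cert.pem at the two exported PEM files.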