For BYOK, you must issue the Excrypt Touch a client certificate signed by a VirtuCrypt Certificate Authority for mutually authenticated communication between the two endpoints. This section walks through the process for generating a new PKI key pair and certificate signing request (CSR) on the Excrypt Touch and submitting it to the VirtuCrypt support team to be validated, approved, and issued.

Log in to the Excrypt Touch internal HSM

The configuration steps in this section require you to be logged in to the internal HSM on the Excrypt Touch. To do so, perform the following steps:
1. From the Excrypt Touch Dashboard, open the Excrypt Touch menu by touching the vertical black bar on the right side of the screen and swiping left.
2. In the Excrypt Touch menu, select or touch the User Management icon in the upper-right corner, and select [ Login ] in the User Management drop-down menu.
3. Log in with your administrator identities (such as Admin1 and Admin2).
A message appears at the top of the screen indicating whether the authentication succeeded.

Generate a PKI key pair

Perform the following steps to generate a new PKI key pair on the Excrypt Touch:
1. Open the Excrypt Touch Menu and select the Key Management icon to display options for key and certificate management, and select the Manage PKI Keys menu item.
2. In the Manage PKI Keys menu, select [ ADD ].
3. In the Generate PKI Keys wizard, specify a name for the new key pair, such as BYOK, and select [ GENERATE ].
A message should appear at the top of the screen indicating that the PKI was generated successfully.

Export a CSR

Perform the following steps to export a Certificate Signing Request (CSR) on the Excrypt Touch:
1. From the Manage PKI Keys menu, select the PKI generated in the previous step, and select [ CREATE CSR ].
2. Fill in the CSR information fields, select an export location, specify a file name, then select [ GENERATE ].
The Common Name for the Excrypt Touch CSR cannot contain any spaces and must be in the following format: ExcryptTouchLogicalSN-VirtuCryptAccount_Code
You can find the Logical SN (Serial Number) of the Excrypt Touch on the external label of the device and your CryptoHub account code by logging in to your VirtuCrypt Intelligence Portal (VIP) account and going to the Settings > General menu, where it is displayed in the User Management section.
Futurex uses the information contained in the Common Name of the CSR to authenticate the Excrypt Touch.
A message appears at the top of the screen indicating that the CSR was generated successfully.

Send the CSR file, SHA-512 Hash, and request form to Futurex support

To enforce data integrity verification, you must generate a SHA-512 hash of the CSR file. Include this in your request to the Futurex support team, along with the CSR file and a completed request form.

Generate a SHA-512 hash of the CSR file

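To generate the SHA-512 hash, run the following OpenSSL command in a terminal. The command extracts the public key from the CSR, converts it to DER encoding, and computes the SHA-512 digest of the result: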
  openssl req -in your_csr_file.csr -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha512
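The following added example (not Futurex code) uses only the Python standard library to show which bytes that pipeline hashes: the DER SubjectPublicKeyInfo inside the request, so the digest does not depend on the Common Name or on PEM line wrapping. The function names, the toy key bytes, and the sample Common Names are constructed for illustration; for a conventionally encoded RSA or ECC key the digest is expected to equal the hex value OpenSSL prints.

```python
import base64, hashlib, re

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def csr_spki(pem):
    """Return the DER SubjectPublicKeyInfo of a PEM PKCS#10 request."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate request found")
    der = base64.b64decode("".join(m.group(1).split()))
    pos = _tlv(der, 0)[1]                 # enter CertificationRequest
    pos = _tlv(der, pos)[1]               # enter CertificationRequestInfo
    pos = _tlv(der, pos)[2]               # skip version
    pos = _tlv(der, pos)[2]               # skip subject (holds the Common Name)
    tag, _, end = _tlv(der, pos)          # subjectPKInfo
    if tag != 0x30:
        raise ValueError("subjectPKInfo is not a SEQUENCE")
    return der[pos:end]

def csr_pubkey_sha512(pem):
    """Hex SHA-512 over the DER public key, the bytes the pipeline feeds to dgst."""
    return hashlib.sha512(csr_spki(pem)).hexdigest()

# Constructed sample: toy bytes in PKCS#10 layout, not a real key or signature.
def _el(tag, value):                      # short-form DER encoder (value < 128 bytes)
    return bytes([tag, len(value)]) + value
def make_sample_csr(common_name, wrap=64):
    name = _el(0x30, _el(0x31, _el(0x30, _el(0x06, b"\x55\x04\x03") + _el(0x0C, common_name.encode()))))
    spki = _el(0x30, _el(0x30, _el(0x06, b"\x2a\x03")) + _el(0x03, b"\x00" + b"\x11" * 16))
    info = _el(0x30, _el(0x02, b"\x00") + name + spki + _el(0xA0, b""))
    der = _el(0x30, info + _el(0x30, _el(0x06, b"\x2a\x03")) + _el(0x03, b"\x00\x22"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + wrap] for i in range(0, len(b64), wrap))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

print(csr_pubkey_sha512(make_sample_csr("SN0000-ACCT0000")))
```

Two requests that carry the same key but differ in Common Name or line wrapping produce the same digest, so the hash confirms the key that was submitted and the Common Name is checked from the CSR and request form.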

Complete the request form

Fill in the Futurex mTLS Client Certificate request form with details similar to the following example:
Field                     Details
Customer Name             Test Customer
VirtuCrypt Account Code   D929B49F3B46
Environment               Test or Production
Product                   Excrypt
Serial Number             Serial number of 1 device
Interface                 Web UI, Admin, Production / Excrypt, International, REST API, BYOK, Other (provide details)
Algorithm                 ECC or RSA
Requester Name            John Doe
Request Email             customer@test.com
Requester Phone           +1 555 369 7410
Approver Details          pkiapproval@customer.test; Internal Request Number: 123456

Send email to the support team

Send the CSR, SHA-512 hash, and request form to support@futurex.com.

Validation, approval, and issuance of the client certificate

When we receive a request, our team carefully reviews it and creates a case. We then assign the case to one of our VirtuCrypt support engineers, who undertakes the following steps:
  • Sending a confirmation email with the assigned case number
  • Verifying the request authorization with the customer’s assigned Approval Team
  • Validating the SHA-512 hash and reviewing the request form with the Customer Requester
Our team then proceeds with the certificate issuance process, and after completing the process, we upload the signed certificate to https://share.futurex.com/. VirtuCrypt support provides the Customer Requester with instructions for downloading the signed certificate from https://share.futurex.com/, and then helps test the client certificate to ensure that you can successfully connect to VirtuCrypt.