Verify your environment meets these requirements.

TLS inspection or SSL proxies can break mutual TLS handshakes. Exempt the 

Before you start

Deploy the service

Install and configure FXCL CNG

Install Active Directory certificate Services (ADCS)

Configure Active Directory Certificate Systems

Verify the integration

Microsoft ADCS

Zone Signing Key - A DNSSEC key used to sign all other zone data (e.g., A, MX, TXT records). It changes more frequently than the KSK.

Key Signing Key - A DNSSEC key used to sign the DNSKEY record set, which includes both the KSK and ZSK. It establishes trust with the parent zone (used in the DNSSEC chain of trust).

Domain Name System Security Extensions - Is a set of protocols that adds cryptographic authentication to DNS, ensuring that DNS responses are not tampered with and come from a legitimate source.

DNSSEC

Bulk Encryption Key - Is a data encryption key used to directly encrypt and decrypt user data. It is typically encrypted (wrapped) by a higher-level key, such as a KEK or PMK, for secure storage and access control.

Futurex Token Key - Wraps all keys stored on the HSM used with PKCS #11.

Is a plugin for OpenSSL 3 that allows OpenSSL to use cryptographic keys stored in PKCS#11-compatible hardware or software security modules (HSMs). Developed by Latchset, it acts as a bridge between OpenSSL and external key providers.

pkcs11-provider

Identity and Access Management — A framework of policies, tools, and processes that ensures the right individuals have the appropriate access to systems, data, and resources. 

Key Encryption Key — A cryptographic key used to encrypt and protect other encryption keys (such as Data Encryption Keys) during storage or transmission. The KEK ensures that the underlying keys remain secure even if stored in a less secure envir

Identity Provider – A service that authenticates users before they can encrypt or access client-side encrypted content.

Key Access Control List Service - A component of an external key service (such as CryptoHub) that communicates with Google Workspace through API to enforce policy control over the users or services accessing encryption keys stored externally.

KACLS

Encrypt, Decrypt, Sign, Verify, Wrap, and Unwrap

EDSVWU

An open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-featured cryptographic library. It is widely used for securing communications and handling cryptographic operations 

OpenSSL

name daemon - The main DNS server daemon for BIND (Berkeley Internet Name Domain). It handles DNS queries, zone transfers, and other DNS server operations.

named

Domain Name System - A hierarchical system that resolves human-readable domain names (e.g., example.com) into IP addresses (e.g., 93.184.216.34) so that devices can locate and communicate with each other on a network.

Authorization framework for secure API access

OAuth2

Data Encryption Key - unique AES-256 key for each document

Hardware security module platform providing key management services

CryptoHub

Client-Side Encryption - encryption performed in user's browser before data transmission

URL where users are sent after authentication

Redirect_URI

Non-human identity used for system-to-system authentication

Service_account

CHTools

Permission to call a specific international command.

International_cmd

International_cmd_license

fpe_license

PIN Processing restricts PIN processing commands when clear PIN commands are enabled.

FX_RESTRICT_PIN_PROC_license

master_key_distribution_license

Platform Master Key -  Is a top-level encryption key used to encrypt data encryption keys. In client-side encryption systems, the PMK is typically managed by an external key management service and provides the highest level of cryptographic control.

BYOK

Host_card_emulation

cvv_management

Allows the HSM to use Multibanco commands.

Multibanco

Multibanco_license

Enables PIN and key printing functionality.

PIN_Key_printing

PIN_Key_printing_license

Period

Perm_check_license

Checks specific perm inside each function in combination with other restrictions based on tags

Perm_check

pin_printing

FX_Restrict_Print

FX_Restrict_Print_license

CHDirect

CHAppliance

Enables legacy POS device key injection for use in a Key Injection Facility.

Clear_Keyload

clear_keyload_license

Variable_Length_PVV

variable_length_pvv_license

host_card_emulation_license

emv_issuing_license

post_quantum_cryptography_license

clear_shared_secret_license

p2pe_and_tokenization_license

hsm_key_distribution_license

financial_processing_license

excrypt_ui_license

australian_command_set_license

general_purpose_license

clear_pin_license

format-preserving_encryption_license

emv_acquiring_license

ecc_license

key_strength_bypass_license

rsa_license

Enables Format-preserving Encryption (FPE) functionality.

Format-preserving_encryption

colon

permission_utility

comma

ampersand

exclamation_mark

binary_val

diebold

tr-34_rkl

mac_hash

Enabled by default on all Vectera Series HSMs and available as an add-on license for Excrypt Series

general_purpose

data_encrypt

mobile_payment

Supports domestic and int'l message formats for PIN translation, verification, and key management

Excrypt_ui

p2pe

Equal_sign

Enabled on all Futurex HSMs, regardless of their license or mode.

Core_license

Number_sign

utility

card_verification

authentication

key_management

RKMS3

SKI3

CryptoHub Integration Guides

Managing services

Service logs

Service guides

Deploy client endpoint

Install and configure Futurex PKCS #11

Configure Dogtag Certificate System

Dogtag Certificate System

Connect to the EJBCA environment

Configure EJBCA

EJBCA

Install and configure ISC CertAgent for Windows

Install and configure ISC CertAgent for Linux

ISC CertAgent

Install Red Hat Certificate System and deploy the subsystem

Red Hat Certificate System (RHCS)

Configuring the Adaptable CA Driver

Configuring Venafi TPP to use the Futurex Adaptable CA Driver

Test a certificate request, approval, and issuance

Venafi Adaptable CA

Certificate Authority

Configure Venafi Control Plane Cryptohub integratation

Venafi Control Plane

Generating certificates in CryptoHub

Import TLS certificates into Windows Certificate Store

Windows Certificate Store

Certificate management

Configure Axway VA

Test CRL Signing

Axway VA

Certificate validation

Changelog

XKS architecture

Quick reference

Amazon XKS (External Key Store)

Initial setup in Google Cloud External Key Manager (EKM)

Deploy the Google Cloud EKM service in CryptoHub

Create an external key in Google Cloud EKM

Test encryption and decryption

Appendix A: Google VPC and KMS infrastructure setup

Appendix B: Monitoring Google EKM

Google Cloud EKM (External Key Manager)

Cloud key management

Configuring the JAVA_HOME environment variable

Configure SunPKCS11 to use the Futurex PKCS11 Module

Create Java KeyStore

Sign APKs with Android APKSigner by using Futurex PKCS #11

Android APKSigner

Configure the JAVA_HOME environment variable

Configure SunPKCS11 to use the Futurex PKCS11 module

Assign the key pair to a certificate and apply an issuance policy

Jarsigner command examples

Java Jarsigner

Download and configure Jenkins and test the FXCL Jenkins plugin

Jenkins Code Signing

Install and configure FXCL CNG module

Generate Microsoft SignTool Code Signing certificate on the CryptoHub

Import the Code Signing certificate into Windows Certificate Store

Associate a private key with a certificate

Test Microsoft SignTool commands

Microsoft SignTool

Code signing

Configure vSEC:CMS to integrate with CryptoHub

Create an OSKS with HSM in vSEC:CMS

Versasec vSEC:CMS

Credential management

Install and configure OpenSSL Engine

Configure Apache HTTP Server

Apache HTTP Server

Configure Active Directory (only for Kerberos authentication)

Create a new service endpoint

Install the TDP file encryption agent on a Windows machine

Confirm that TDP successfully encrypts files

Futurex Transparent Data Protection (TDP)

Quick Reference

Integration Workflow

Post-Implementation Tasks

Google Workspace CSE

Google Service-Level Requirements for CSE

Identity and Access Management

External key service setup for Google Workspace CSE

Gmail only: Upload encryption keys for client-side encryption

Google Workspace CSE for Gmail

Test OpenSSL Engine

Configure the NGINX server

NGINX

Data protection