Configure Axway VA

10min
This section covers installing and configuring the AXway VA server.
Install Axway VA Server
Select your operating system and perform the steps to install the VA server:
Windows
Linux
VA Server is no longer installed as an interactive service on Windows. This applies to both the Admin UI service and the Validation Authority Service that is installed as part of VA Server.
1
Using an account in the Administrators group, log on to the computer on which you will install the VA Server.
2
Copy the Validation_Authority_Server_<Release Version>win-x86-64_BNXXX.exe file that you received from Axway Global Support to the Windows system.
3
Double-click Validation_Authority_Server_<Release Version>win-x86-64_BNXXX.exe. The Welcome page displays. Follow the on-screen instructions as you proceed through the installation.
Click [ Next ] to move forward to the next installation window.
Click [ Back ] to return to the previous installation window.
Click [ Cancel ] to close the installation program without installing any component of the VA Server. To install VA Server, re-run the installation program.
Click [ Next ]. The License Agreement page displays.
4
Click [ Accept ] to accept the license agreement and go to the next page in the installer. Click [ No ] to cancel the installation. The Customer Information page displays.
5
Type your User Name, Company Name, and Email Address in the text fields provided. These are required fields except for the Email Address. However, you should provide an email address because it is used by the VA administration server to perform email notifications.
6
Click [ Next ]. The Choose Destination Location page displays, showing the default destination folder where VA Server components are installed.
7
To select a different destination folder, click [ Browse ] and enter the folder location.
8
Click [ Next ]. The VA Server Information page displays.
9
Enter the requested information on the host name, port number, and user for the VA administration server.
Type the VA Server host name. The host name identifies the computer. The default host name is the name of the computer on which you are installing the VA Server.
Type the VA administration server port number. This port number identifies the port at which the VA administration server listens for HTTPS requests from the browser. If you use a port other than the default (13333), make a note of it for future reference.
Type the VA administration server user and password. This user is the initial user who can log in to the VA administration server. The default user name is "admin". If you type a different name, make a note of it. After completing the installation, you will log in to the VA administration server using this user name. The password must be at least eight characters long, contain at least one alphabetic character, one digit, one special character, one upper case character, one lower case character, and meet the requirements in the Manage VA administration server users section on page 77 of the Axway Validation Authority Administrator Guide. Re-type the password to confirm it. Click [ Next ] to continue.
Because you are using VA Server with an HSM device conforming to PKCS #11, you must configure VA Server to use the same password as the  identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
10
Select either the option to generate a self-signed certificate or import a PFX / P12 file. If you select Generate a Self-Signed Certificate, click [ Next ] and continue to step 11. If you select Import PFX / P12 from file:
Select the file to import from the file selection dialog box and then click [ Open ].
Enter a password to decrypt the file. This password was originally used to protect the PFX file.
By default, the Encrypt Admin UI Private Key option is selected. If you do not want this option, uncheck the box to disable the password field. Enter a password to encrypt the admin server key for the VA Server. The password must be at least eight characters long, contain at least one alphabetic character, one digit, one special character, one upper case character, one lower case character, and meet the requirements in the Manage VA administration server users section on page 77 of the Axway Validation Authority Administrator Guide. This encryption option, along with the provided password, will automatically call apachepassphrase for unattended startup.
Click [ Next ] to continue. The Start Copying Files page displays.
11
Check the current settings to ensure they are as desired. If you need to make any changes to the settings, use the [ Back ] button. Otherwise, click [ Next ] to continue.
12
Files are installed to the specified destination location. After the installation finishes, the InstallShield Wizard Complete page displays. The VA Server is successfully installed. This can be later verified using the Admin Server User Interface > Help > About page, which displays the current version.
13
Clear the Launch Administrative Server User Interface check box to start the VA administration server at a later time.
14
Click [ Finish ]. The installation program adds the VA Server to your Start menu. If you access Control Panel > Administrative Tools > Services you will see Axway Validation Authority and Axway VA Admin included in the list of services. You can access the VA Server admin UI and this document from the Start menu. The installation also automatically creates an VA administrative server private key (adminserver.key) and SSL certificate (adminserver.crt) in the <VADataDir>\entserv directory. (Example: C:\ProgramData\Axway\VA\entserv in Windows.) You are now ready to use the VA administration server to configure, start, and manage the VA Server.
You do not have to be root in order to install the VA Server, but non-root users will not be able to configure the installation to use a port lower than 1024. When installing as root on a port lower than 1024, you will be asked whether to run the server in "setuid root" mode. This mode is required to start the server using the admin UI. In this case, the server will run as root, but only during initialization. Once the listening sockets have been established, the process will "step down" to that of the invoking user (for example, nobody).
The distributed installation file is digitally signed by the Axway generated GPG key and can be verified using the shipped GPG public key prior to installation.
1
Copy the Validation_Authority_Server_<Release Version>_linux-x86-64_BN<build number>.rpm file that you received from Axway Global Support to the Linux system. (Note: This RPM package is dependent on other RPM packages that are generally available from RHEL RPM repository(s). If these packages are not already installed on the system, the installation will report necessary missing package(s) and fail. If this happens, install the missing packages and install this RPM package again.
2
Extract the files with the following command. (Note: If a previous version of the RPM is installed on the system, this command will remove the previous version and install the new version to /opt/va_install/<Version><SPnumber>/VCeva. SPnumber is only applicable for Service Pack releases (example: SP1).)
Text
rpm -U Validation_Authority_Server_<Release Version>_linux-x86-64_BN<build number>.rpm
rpm -U Validation_Authority_Server_<Release Version>_linux-x86-64_BN<build number>.rpm
﻿
3
Change directories to the Validation Authority Server directory. (Important: Do not install under the va_install directory when running the install script. The rpm uninstall will erase the va_install directory.)
Text
cd /opt/va_install/<Version><SPnumber>/VCeva
cd /opt/va_install/<Version><SPnumber>/VCeva
﻿
4
Enter the following at the command line prompt to run the installation script:
Text
./install_eva
./install_eva
﻿
The installation script then prompts whether to install using ports 1024 and above, assuming you are not installing as root. You must install as root to select a port under 1024. You must also answer "yes" when prompted to run setuid root to start the server through the admin UI.
5
Enter y (yes) or n (no). The installation script displays the Axway software licensing agreement and prompts you with the following:
Text
Do you agree to the above terms? [y/n]
Default: [y]
Do you agree to the above terms? [y/n]
Default: [y]
﻿
6
Press [ Enter ] to accept the software licensing agreement. The installation script next prompts you for a location to install the VA Server.
Text
Enter the Validation Authority install directory
Default: [/opt/axway]
Enter the Validation Authority install directory
Default: [/opt/axway]
﻿
7
Press [ Enter ] to accept the default, or enter a location to install the VA Server, then press [ Enter ]. The installation script next prompts you to enter a port number for the VA administration server:
Text
Enter the port number for the Validation Authority Administration Server [1-65535].
Default: [13333]
Enter the port number for the Validation Authority Administration Server [1-65535].
Default: [13333]
﻿
8
The VA administration server is the administration component of the Validation Authority. This server, which is installed during the installation process, provides and administration user interface (admin UI) through which you configure and operate the VA validation server. If you choose to use a port other than the default, make a note of it for future reference. This port number identifies the port at which the VA administration server listens and exchanges information to perform configuration operations with the browser using HTTPS requests.
9
Press [ Enter ] to accept the default port number for the VA administration server, or enter a different number and press [ Enter ]. The script prompts you for the email address of the server administrator. It displays:
Text
Enter the email address of the server administrator:
Default: [sysadmin]
Enter the email address of the server administrator:
Default: [sysadmin]
﻿
The VA administration server uses this email address to send informational messages to the server administrator during configuration and administration performed at the VA dialog boxes.
10
Press [ Enter ] to accept this email address, or enter a different address and then press [ Enter ]. The script prompts you for the server host name:
Text
Enter the server's hostname (either a DNS name or IP address):
Default: [computer_name.yourdomain.com]
Enter the server's hostname (either a DNS name or IP address):
Default: [computer_name.yourdomain.com]
﻿
Where computer_name is the name of your host computer, and yourdomain is the domain name for your host computer. The host name identifies the computer on which you have installed the Validation Authority.
11
Press [ Enter ] to accept the default server host name, or enter a different name and press [ Enter ]. The script prompts you for a user name to run the VA administration server. It displays:
Text
Enter the username to run the VA and Administration Servers as:
Default: []
Enter the username to run the VA and Administration Servers as:
Default: []
﻿
If you are not installing as root, the default username displayed will be the user ID.
12
Press [ Enter ] to use the default username, or enter a different name and press [ Enter ].
13
The following message displays:
Text
In order to start the VA via the web interface on a port less than 1024 ves must executre as setuid root. Do you wish to set this bit?
Default: [y]
In order to start the VA via the web interface on a port less than 1024 ves must executre as setuid root. Do you wish to set this bit?
Default: [y]
﻿
The name of the VA Server process is ves.
14
If you plan to use a validation port number of 1024 or greater, type n, otherwise accept the default and press [ Enter ]. The script prompts you to identify the VA administration server user. This user is the initial user who can log in to the VA administration server. The default user name is "admin".
Text
Please enter the Administration server user id
[admin]:
Please enter the Administration server user id
[admin]:
﻿
15
Press [ Enter ] to use the default VA administration server user name, or enter a different name and press [ Enter ]. If you type a different name, make a note of it. After completing the installation, you will log on to the VA administration server using this user name. The system configures the VA administration server user and then prompts for the VA administration server user password. Next confirm the password entry.
16
Enter and confirm the VA administration server user password.
Because you are using VA Server with an HSM device conforming to PKCS #11, you must configure VA Server to use the same password as the  identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
Text
Please enter the Administration Server user password:
Please confirm the Administration Server user password:
Please enter the Administration Server user password:
Please confirm the Administration Server user password:
﻿
The password must be at least 8 characters long and contain one uppercase, one lowercase, one digit, one special character.
17
The following message displays:
Text
Would you like to use an imported certificate, rather than generating a self-signed one, for the admin server's SSL certificate? [y|n]:
Default: [n]
Would you like to use an imported certificate, rather than generating a self-signed one, for the admin server's SSL certificate? [y|n]:
Default: [n]
﻿
Either enter [n] to generate a self-signed certificate, or [y] to import a PFX / P12 certificate. If [n], continue to Step 18. If [y]:
Optionally enter [y] to protect the private key. If you select [y], a password prompt is displayed when the admin server starts.
Enter the path to the certificate you are importing.
Enter the password to decrypt the file. This password was originally used to protect the PFX file.
At the PEM pass phrase prompt, enter a password to encrypt the admin server key for the admin UI. You will be prompted for this password when the admin server starts. The installation automatically creates a VA administration server private key (adminserver.key) and SSL certificate (adminserver.crt) in the /var/lib/va/entserv directory.
18
The installation process completes and you are prompted to start the admin server.
Text
Would you like to start the EVA Administration Server [y/n]?
Default: [y]
Would you like to start the EVA Administration Server [y/n]?
Default: [y]
﻿
VA Server is successfully installed. This can be verified using the Admin Server User Interface > Help > About page which displays the current version.
19
Press [ Enter ] to start the VA administration server.
Configure Axway VA Server
Perform the tasks in this section to configure the VA Server.
1 | Access the VA administration server UI
The admin UI requires an HTTPS server. This server is automatically installed and configured during VA Server installation. You can launch the admin UI automatically as the final step of installation, from the desktop icon created during the installation, or by accessing it directly from a browser using the VA administration server URL. For a standard connection, the URL is:
Text
https://<hostname>:<port>.
https://<hostname>:<port>.
﻿
Where <hostname> and <port> are the VA Server host name and VA administration server port number you provided during installation (13333 by default).
The VA administration server is, by default, only available using SSL (https). Operating the VA administration server using non-SSL (http) disables certificate-based authentication for users.
When the web interface opens for the first time, you will receive an SSL certificate warning. Bypass this warning and proceed to the login page.
At the Administrative Login prompt, log in with Basic Authentication using the credentials set during installation.
After successful login it will load the home page of the admin UI.
2 | Install the Responder product license
1
Select the Enter License menu on the left. You will see a blank text area where you can paste in a product license.
2
In the file manager for your system, find the "VA Responder Temp" license file that was provided by Axway Global Support.
3
Double-click the "VA Responder Temp" license file to open it. Then type Ctrl+A to Select All, then Ctrl+C to copy to the clipboard.
4
Paste the license information into the blank text area on the Enter License page in the admin UI, then click [ Submit License ].
5
Enter the SAC ID that was provided by Axway Global Support, then click [ Verify License ].
6
If the submission is successful, the license information will be detailed to review on the Axway Validation Authority License page. Click [ Next Step ] once you have finished reviewing the information.
3 | Bypass optional configurations
1
On the Import Configuration File page, click [ Skip ].
2
On the Install Custom Extensions page, select [ NO ], then click [ Submit ].
4 | Change the server password
To prevent unauthorized access to the VA Server, change the server password.
1
If you already created a server password matching the } identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file, leave the field blank and proceed to step 3. If you did not, you must do this now. Type the server password you set during installation into the Enter Current Server Password field.
2
Type the  identity password in Enter New Password. The password must be at least 8 characters long and contain one uppercase, one lowercase, one digit, and one special character.
3
Verify the new password by typing it into Confirm New Password and click [ Submit ].
4
Click [ Next Step ] to continue with the initial configuration. The Key Type Selection page displays.
5 | Create an OCSP and SCVP signing key pair
Because you must generate a public/private key pair to sign OCSP and SCVP responses when operating as a Responder, this key type is assigned as the default.
1
Select [ Submit Key Type ].
2
The Key Generation/Import Mechanism page displays.
3
Select the Generate/Import Hardware Key on custom PKCS11 provider option, set the Vendor as "Other", and type in the location of the Futurex PKCS #11 library. Then click [ Submit Key Generation Technique ].
4
Fill in all of the required information, then click [ Submit ].
In the User PIN field you must specify the  identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
All of the Certificate Options should be left as their default values.
5
If Axway VA was able to successfully create the OCSP/SCVP Response Signing key on the HSM you will see the following message:
6 | Configure SSL communication for the admin server
In this section, before performing any configurations in the Axway VA admin UI, we'll first be completing the following actions directly on the  using FXCLI.
1
Run the  CLI program.
2
Set the TLS configuration to Anonymous using the following command:
Text
$ tls config --anonymous=true
result:
    status: success
    statusCode: 0
tlsConfig:
    anonymous: false
    enabled: false
    verifyDepth: 1
$ tls config --anonymous=true
result:
    status: success
    statusCode: 0
tlsConfig:
    anonymous: false
    enabled: false
    verifyDepth: 1
﻿
Anonymous TLS is being used here to help simplify the demonstration. Using Anonymous is not recommended in a production setting. If you choose to connect to the HSM anonymously, you must enable the "Anonymous" setting for the HSM's production port.
﻿
3
Connect to the  via TCP.
Text
$ connect tcp -c 10.0.5.223:2001
[2023-12-07 16:57:12]   INFO   Connected to 10.0.5.223:2001.
[2023-12-07 16:57:12]   INFO   10.0.5.223:2001 handshake successful.
Connected to '10.0.5.223:2001'.
result:
    status: success
    statusCode: 0
$ connect tcp -c 10.0.5.223:2001
[2023-12-07 16:57:12]   INFO   Connected to 10.0.5.223:2001.
[2023-12-07 16:57:12]   INFO   10.0.5.223:2001 handshake successful.
Connected to '10.0.5.223:2001'.
result:
    status: success
    statusCode: 0
﻿
4
Log in with the default Admin1 and Admin2 identities.
Text
$ login user
  Username> Admin1
  Password>[2023-12-03 10:53:58]   INFO   Successfully logged in user 'Admin1'.
Successfully logged in as 'Admin1'.
result:
    status: success
    statusCode: 0
dualFactor:
    wanted: false
loggedIn: true
fullyLoggedIn: false
numLogins: 1
loginsRemaining: 1
identities: "Admin1"
roles: "Single Admin"
[2023-12-03 10:53:58]   INFO   Successfully seeded local OpenSSL context with random data.


$ login user
  Username> Admin2
  Password>[2023-12-03 10:54:07]   INFO   Successfully logged in user 'Admin2'.
Successfully logged in as 'Admin2'.
result:
    status: success
    statusCode: 0
dualFactor:
    wanted: false
loggedIn: true
fullyLoggedIn: true
numLogins: 2
loginsRemaining: 0
identities:
    - "Admin1"
    - "Admin2"
roles:
    - "Administrator"
    - "Key Manager"
    - "Operations"
    - "Settings Manager"
    - "Single Admin"
$ login user
  Username> Admin1
  Password>[2023-12-03 10:53:58]   INFO   Successfully logged in user 'Admin1'.
Successfully logged in as 'Admin1'.
result:
    status: success
    statusCode: 0
dualFactor:
    wanted: false
loggedIn: true
fullyLoggedIn: false
numLogins: 1
loginsRemaining: 1
identities: "Admin1"
roles: "Single Admin"
[2023-12-03 10:53:58]   INFO   Successfully seeded local OpenSSL context with random data.


$ login user
  Username> Admin2
  Password>[2023-12-03 10:54:07]   INFO   Successfully logged in user 'Admin2'.
Successfully logged in as 'Admin2'.
result:
    status: success
    statusCode: 0
dualFactor:
    wanted: false
loggedIn: true
fullyLoggedIn: true
numLogins: 2
loginsRemaining: 0
identities:
    - "Admin1"
    - "Admin2"
roles:
    - "Administrator"
    - "Key Manager"
    - "Operations"
    - "Settings Manager"
    - "Single Admin"
﻿
5
Create a new key pair on the .
Text
$ generate --algo RSA --bits 2048 --name AxwaySslKeyPair --slot next --usage mak
Generated key in board slot.
result:
    status: success
    statusCode: 0
keySlot:
    slot: 2
    name: "AxwaySslKeyPair"
    kcv: "26484FC3"
    algorithm: RSA
    bits: 2048
    usage: Sign,Verify
    startValidity: "1971-01-01 00:00:00"
    endValidity: "2999-01-01 00:00:00"
    exportable: true
    clearExportable: false
    passwordExportable: false
    requiresAuth: false
    modifiable: true
$ generate --algo RSA --bits 2048 --name AxwaySslKeyPair --slot next --usage mak
Generated key in board slot.
result:
    status: success
    statusCode: 0
keySlot:
    slot: 2
    name: "AxwaySslKeyPair"
    kcv: "26484FC3"
    algorithm: RSA
    bits: 2048
    usage: Sign,Verify
    startValidity: "1971-01-01 00:00:00"
    endValidity: "2999-01-01 00:00:00"
    exportable: true
    clearExportable: false
    passwordExportable: false
    requiresAuth: false
    modifiable: true
﻿
6
Add a PKCS #11 label to the private key.
Text
$ keytable extdata --slot 2 --p11-attr label --p11-value "AxwaySslForAdminServer"
$ keytable extdata --slot 2 --p11-attr label --p11-value "AxwaySslForAdminServer"
﻿
The generate command in step 5 set "AxwaySslKeyPair" as the HSM label for the key pair. However, Axway VA cannot find the key using the HSM label. It must find it using a PKCS #11 label. That is why it is necessary to run the keytable extdata command above, which sets the PKCS #11 label in a separate field from where the HSM label is set.
7
Generate a certificate signing request (CSR).
Text
$ x509 req --private-slot AxwaySslKeyPair --out AxwaySslCSR.pem --dn 'O=Futurex\CN=AxwaySslForAdminServer'
Saved CSR file 'AxwaySslCSR.pem'.
result:
    status: success
    statusCode: 0
request: |-
    -----BEGIN CERTIFICATE REQUEST-----
    MIICeDCCAWACAQAwMzEQMA4GA1UEChMHRnV0dXJleDEfMB0GA1UEAxMWQXh3YXlT
    c2xGb3JBZG1pblNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AMbHeWpulBU5gcZywKJRTAXgu0+aPCSGzORe6K1CDNkFXZ0g2zfYcONCZ6dG5F60
    6M1piEaEHkMNzLBaSn2F1bBvj5ecFBxyAoWmqYsF7R7o+Q7hFr7Qudz0anT09Qqt
    pt885wWcfH6lFhDwtpoT2bMcEmcEUgrlJYgg7NHkJKournhkjBA2CJ06UAHE/qOC
    DXIptWeJOws9mUaU7sNXEDfuwuy9qAoRP4H0dRhT+NL/GUcwu2zcnAMr+UgVXvnw
    NIpIp22/zCDiUyGJmP3mMcBurk9sjnaE3OgCWvbU30crMBtJyUhXFJAlnqcjEHtt
    1v+CxzoZikYimFEors/k+vsCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQC0ugsT
    p3MgfmT8VBMCF51M4Dh5J8U3iKNqOESYcr7hCHASzn6jpeom5o5tdZVxnzTfRS5x
    VY0MSSm6WOZUjDJqpAtWczaKJ46Dlfy2kabwec/MZfurgJfcjTRGHnPTuipdwXTk
    0GUTuAraEU+Jg287QHbnMmPyPBWskEKdWT7rgYVvzvF5H6LvtWYPUfHAUTk7OQjW
    MvRE2B5eoe9iDKlD1TjfHXuaqA+bFLyadM/iTLtfRTRoangO6WinRrPDEG8AZwja
    IfyUfmxHalSdInsqefY2u8VGlE4q81V7j1Gsgzc4M3Uq4wkk4zUnT7kpDlCvBTvB
    WcmHLxk2N+bdz/ho
    -----END CERTIFICATE REQUEST-----
$ x509 req --private-slot AxwaySslKeyPair --out AxwaySslCSR.pem --dn 'O=Futurex\CN=AxwaySslForAdminServer'
Saved CSR file 'AxwaySslCSR.pem'.
result:
    status: success
    statusCode: 0
request: |-
    -----BEGIN CERTIFICATE REQUEST-----
    MIICeDCCAWACAQAwMzEQMA4GA1UEChMHRnV0dXJleDEfMB0GA1UEAxMWQXh3YXlT
    c2xGb3JBZG1pblNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AMbHeWpulBU5gcZywKJRTAXgu0+aPCSGzORe6K1CDNkFXZ0g2zfYcONCZ6dG5F60
    6M1piEaEHkMNzLBaSn2F1bBvj5ecFBxyAoWmqYsF7R7o+Q7hFr7Qudz0anT09Qqt
    pt885wWcfH6lFhDwtpoT2bMcEmcEUgrlJYgg7NHkJKournhkjBA2CJ06UAHE/qOC
    DXIptWeJOws9mUaU7sNXEDfuwuy9qAoRP4H0dRhT+NL/GUcwu2zcnAMr+UgVXvnw
    NIpIp22/zCDiUyGJmP3mMcBurk9sjnaE3OgCWvbU30crMBtJyUhXFJAlnqcjEHtt
    1v+CxzoZikYimFEors/k+vsCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQC0ugsT
    p3MgfmT8VBMCF51M4Dh5J8U3iKNqOESYcr7hCHASzn6jpeom5o5tdZVxnzTfRS5x
    VY0MSSm6WOZUjDJqpAtWczaKJ46Dlfy2kabwec/MZfurgJfcjTRGHnPTuipdwXTk
    0GUTuAraEU+Jg287QHbnMmPyPBWskEKdWT7rgYVvzvF5H6LvtWYPUfHAUTk7OQjW
    MvRE2B5eoe9iDKlD1TjfHXuaqA+bFLyadM/iTLtfRTRoangO6WinRrPDEG8AZwja
    IfyUfmxHalSdInsqefY2u8VGlE4q81V7j1Gsgzc4M3Uq4wkk4zUnT7kpDlCvBTvB
    WcmHLxk2N+bdz/ho
    -----END CERTIFICATE REQUEST-----
﻿
8
Sign the CSR with a certificate authority (CA) certificate.
Text
$ x509 sign --private-slot 2 --issuer C:\Futurex\sandbox\AxwayTlsCa.pem --csr C:\Futurex\sandbox\AxwaySslCSR.pem --eku Server --key-usage DigitalSignature --key-usage KeyAgreement --ca false --dn 'O=Futurex\CN=AxwaySignedSslForAdminServer' --out C:\Futurex\sandbox\AxwaySignedSsl.pem
Output certificate to 'AxwaySignedSsl.pem'.
result:
    status: success
    statusCode: 0
certificate: |-
    -----BEGIN CERTIFICATE-----
    MIIDBTCCAe2gAwIBAgIJAMWV+GNGM+vSMA0GCSqGSIb3DQEBCwUAMCExEDAOBgNV
    BAoTB0Z1dHVyZXgxDTALBgNVBAMTBFJvb3QwIhgPMjAyMDEyMDIxOTIxMDhaGA8y
    MDIxMTIwMzE5MjEwOFowKzEQMA4GA1UEChMHRnV0dXJleDEXMBUGA1UEAxMOQXh3
    YXlUbHNTZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/mUfV
    Pj+DWM9q1iz0k/TbJCWP9OxDIbJ5y4Lg7hVUb5wT3bZ+UrZ57t7bvyR5tQLtFwgj
    fbHrQxwAwPPc3G3AoU0crRPpmA86AXOvVHPm/R4Up5LpweO4AezCZlrGwetkop5z
    QMA824R581p0zxULu5HrpS0Ye0qBcCFJnAKuWUG5HDV0TFLLwyfhRFnOnIvM666Z
    incWYVRTxgrgjMtRKN84M1qqOldF8VuO4ba/CcdVLbIlkMRIfS4S69cTw1r5kYVx
    Do6xrEocgG4NR5nD//mC8oh0jgNRnFMbAEEHOUdOQICdJJ5onjNGq6LcnuOdmP3v
    nR2wzJr1OOOHi9ZZAgMBAAGjMjAwMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgOI
    MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQC1HlPjr5qV
    kgcGaqDKZmLMJnMstDJzvjZmTv3fV/p15k5Lg8/P14g755PbGmgzC74PntuFAu+A
    GReiIwXxY6hgA6l2+xLA6wigv+HGpuswKO1Q0Q4s3RYqeUwWWFQawE2d/LxK0XVp
    IrkzfzxbuPvHR/Ofy+B0CzHKXFwcckt4lY0TmWqkvWNjrGSY8am6UI8ZPbTnkX5R
    4mN0rqrQ9rJEsvjC06R40AhpC5JFcB5Vvgux7mOf1lEBmry4f+INufQTdT7yQf/3
    8Cur17QNX1E5ImUzG+DwJ9SncJ3hl44fBYLG1pAy7uUyhnATOWcPMC4k6RZkacXk
    ZgPGY1XbWRWM
    -----END CERTIFICATE-----
$ x509 sign --private-slot 2 --issuer C:\Futurex\sandbox\AxwayTlsCa.pem --csr C:\Futurex\sandbox\AxwaySslCSR.pem --eku Server --key-usage DigitalSignature --key-usage KeyAgreement --ca false --dn 'O=Futurex\CN=AxwaySignedSslForAdminServer' --out C:\Futurex\sandbox\AxwaySignedSsl.pem
Output certificate to 'AxwaySignedSsl.pem'.
result:
    status: success
    statusCode: 0
certificate: |-
    -----BEGIN CERTIFICATE-----
    MIIDBTCCAe2gAwIBAgIJAMWV+GNGM+vSMA0GCSqGSIb3DQEBCwUAMCExEDAOBgNV
    BAoTB0Z1dHVyZXgxDTALBgNVBAMTBFJvb3QwIhgPMjAyMDEyMDIxOTIxMDhaGA8y
    MDIxMTIwMzE5MjEwOFowKzEQMA4GA1UEChMHRnV0dXJleDEXMBUGA1UEAxMOQXh3
    YXlUbHNTZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/mUfV
    Pj+DWM9q1iz0k/TbJCWP9OxDIbJ5y4Lg7hVUb5wT3bZ+UrZ57t7bvyR5tQLtFwgj
    fbHrQxwAwPPc3G3AoU0crRPpmA86AXOvVHPm/R4Up5LpweO4AezCZlrGwetkop5z
    QMA824R581p0zxULu5HrpS0Ye0qBcCFJnAKuWUG5HDV0TFLLwyfhRFnOnIvM666Z
    incWYVRTxgrgjMtRKN84M1qqOldF8VuO4ba/CcdVLbIlkMRIfS4S69cTw1r5kYVx
    Do6xrEocgG4NR5nD//mC8oh0jgNRnFMbAEEHOUdOQICdJJ5onjNGq6LcnuOdmP3v
    nR2wzJr1OOOHi9ZZAgMBAAGjMjAwMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgOI
    MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQC1HlPjr5qV
    kgcGaqDKZmLMJnMstDJzvjZmTv3fV/p15k5Lg8/P14g755PbGmgzC74PntuFAu+A
    GReiIwXxY6hgA6l2+xLA6wigv+HGpuswKO1Q0Q4s3RYqeUwWWFQawE2d/LxK0XVp
    IrkzfzxbuPvHR/Ofy+B0CzHKXFwcckt4lY0TmWqkvWNjrGSY8am6UI8ZPbTnkX5R
    4mN0rqrQ9rJEsvjC06R40AhpC5JFcB5Vvgux7mOf1lEBmry4f+INufQTdT7yQf/3
    8Cur17QNX1E5ImUzG+DwJ9SncJ3hl44fBYLG1pAy7uUyhnATOWcPMC4k6RZkacXk
    ZgPGY1XbWRWM
    -----END CERTIFICATE-----
﻿
The CA certificate that is being used to sign the Axway VA certificate was also created using FXCLI. Next, we will import the signed certificate in the Axway VA admin UI.
7 | Configure Axway VA
1
First, install the CA that signed the certificate you're importing on the machine where you installed the Axway VA Server. Install the CA in the Trusted Root Certificate Authorities store for Windows or the equivalent store on your browser.
2
Log in to the VA admin UI
3
Go to the Create/Import Private Key menu, select SSL Communication For Admin Server, then click [ Submit Key Type ].
4
For the key generation/import mechanism, select Hardware Key Generation/Import using Other, then click [ Submit Key Generation Technique ].
5
Select Import previously generated private key, then click [ Submit Key Generation Or Import ].
6
Fill in all of the PKCS11 Token Information fields, paste in the PEM/BASE64 Certificate that we signed in the previous section, and select [ Submit Hardware Key to Import ].
7
Start a command prompt as administrator and call apachepassphrase.
Text
$ apachepassphrase -set "<VA Server password>"
$ apachepassphrase -set "<VA Server password>"
﻿
This sets the password in the registry. The Apache HTTP Server will read it from there using apachepassphrase during startup automatically.
8
Restart the Axway VA Admin service in the Service Control Panel for changes to take effect.
﻿
Updated 06 Dec 2024
Did this page help you?
Install and configure Futurex PKCS11
Test CRL Signing