Generate a key pair and certificate on the CryptoHub

5min
This section describes the steps to generate a key pair,  CSR, and certificate and then sign the certificate.
Connect to the  
Perform the following steps to connect and log in to the  through FXCLI:
1
Run the FXCLI application.
2
Configure TLS certificates for communication between FXCLI and the  by using the tls set of commands.
Run tls help to access syntax documentation.
3
Connect to the  by using the following command:
FXCLI
$ connect --connect cryptohub_ip:2001
$ connect --connect cryptohub_ip:2001
﻿
4
Log in to the  with the default Admin1 and Admin2 identities by running the following command twice, entering the username and password when prompted:
FXCLI
$ login user
$ login user
﻿
Generate a new key pair on the  
Perform the following steps to generate a new key pair on the : 
1
Generate a new key pair in the next available key slot on the .
Modify the key usage values to match your specific requirements.
FXCLI
$ generate --algo RSA --bits 2048 --name IgDemoKeyPair --usage sign,verify --slot next
$ generate --algo RSA --bits 2048 --name IgDemoKeyPair --usage sign,verify --slot next
﻿
2
Confirm which key slot the private key was added to:
FXCLI
$ keytable list
$ keytable list
﻿
3
Assign a PKCS11 label to the key. You must set this field so certutil can find the key on the . 
The PKCS11 label value should match the name that you set for the key pair in the generate command.
FXCLI
$ keytable extdata --slot 0 --p11-attr label --p11-value IgDemoKeyPair
$ keytable extdata --slot 0 --p11-attr label --p11-value IgDemoKeyPair
﻿
Generate a CSR
Perform the following step to generate a Certificate Signing Request (CSR):
1
Generate a CSR from the new key pair that was created on the :
Shell
$ x509 req --private-slot IgDemoKeyPair --out IgDemo.csr
$ x509 req --private-slot IgDemoKeyPair --out IgDemo.csr
﻿
Create a CA
Perform the following steps to create a Certificate Authority (CA):
1
Create a new key pair in the next available key slot on the :
FXCLI
$ generate --algo RSA --bits 2048 --usage mak --name CaKeyPair --slot next
$ generate --algo RSA --bits 2048 --usage mak --name CaKeyPair --slot next
﻿
2
Create a CA certificate from the key pair that was created on the :
FXCLI
$ x509 sign --private-slot CaKeyPair --key-usage DigitalSignature --key-usage KeyCertSign --ca true --pathlen 0 --dn 'O=Futurex\CN=Root' --out Ca.pem
$ x509 sign --private-slot CaKeyPair --key-usage DigitalSignature --key-usage KeyCertSign --ca true --pathlen 0 --dn 'O=Futurex\CN=Root' --out Ca.pem
﻿
3
Confirm which key slot the private key was added to:
FXCLI
$ keytable list
$ keytable list
﻿
4
Assign a PKCS11 label to the key. You must set this field so certutil can find the key on the . 
The PKCS11 label value should match the name that you set for the key pair in the generate command.
Text
$ keytable extdata --slot 1 --p11-attr label --p11-value CaKeyPair
$ keytable extdata --slot 1 --p11-attr label --p11-value CaKeyPair
﻿
Sign the CSR by using the CA
Perform the following steps to sign the CSR by using the CA:
1
Sign the IgDemo CSR that you created by using the self-signed CA certificate:
FXCLI
$ x509 sign --csr IgDemo.csr --issuer Ca.pem --private-slot CaKeyPair --ca false --key-usage DigitalSignature --key-usage KeyEncipherment --key-usage DataEncipherment --key-usage KeyAgreement --eku Client --dn 'O=Futurex\CN=IG-Demo' --out IgDemo.pem
$ x509 sign --csr IgDemo.csr --issuer Ca.pem --private-slot CaKeyPair --ca false --key-usage DigitalSignature --key-usage KeyEncipherment --key-usage DataEncipherment --key-usage KeyAgreement --eku Client --dn 'O=Futurex\CN=IG-Demo' --out IgDemo.pem
﻿
Modify the key usage values to match your specific certificate requirements.
The signed leaf certificate is output to a file called IgDemo.pem.
﻿
Install and configure Futurex CNG
Import TLS certificates into Windows Certificate Store