The Generic Futurex CNG service template enables you to deploy 

 with Microsoft applications that support integration with an HSM or Key Management device through CNG but have not yet been officially tested and added to the 

 support team if you need us to add a specific Microsoft application to 

. Our dedicated Integration Engineering team tests and documents the integration by using the following process.

 certification process is a rigorous and standardized approach to testing and certifying integrations between third-party applications and 

 HSMs and key management servers (such as 

). The certification process ensures that we fully test and validate third-party application integrations in a lab environment before deploying them in a production environment. Our Integration Engineering team implements this process so you can be confident that third-party applications integrate seamlessly with our HSMs and 

 devices, and that all operations result in the expected behavior. The certification process involves research, testing, troubleshooting, and certification and is fully documented in individual integration guides by using the following process:

Following these steps helps ensure that the integration between the third-party application and the 

Before you start

Deploy the service

Install and configure Futurex FXCL CNG

Generic Futurex CNG

Install and configure Futurex PKCS11

Configure third-party application to use the Futurex PKCS11 (FXPKCS11) module

Generic Futurex PKCS #11

Install and configure Futurex PKCS #11

Configuring the JAVA_HOME environment variable

Configure SunPKCS11 to use the Futurex PKCS11 Module

Generic Futurex PKCS #11 with Java

Deploy new client endpoint on the CryptoHub

Configure KMIP client to integrate with CryptoHub

Generic KMIP

Generic

FX_Restrict_Print

FX_Restrict_Print_license

CHDirect

CHAppliance

Enables legacy POS device key injection for use in a Key Injection Facility.

Clear_Keyload

clear_keyload_license

Variable_Length_PVV

variable_length_pvv_license

host_card_emulation_license

emv_issuing_license

post_quantum_cryptography_license

clear_shared_secret_license

p2pe_and_tokenization_license

hsm_key_distribution_license

financial_processing_license

excrypt_ui_license

australian_command_set_license

general_purpose_license

clear_pin_license

format-preserving_encryption_license

emv_acquiring_license

ecc_license

key_strength_bypass_license

rsa_license

Enables Format-preserving Encryption (FPE) functionality.

Format-preserving_encryption

colon

permission_utility

comma

ampersand

exclamation_mark

binary_val

diebold

tr-34_rkl

mac_hash

Enabled by default on all Vectera Series HSMs and available as an add-on license for Excrypt Series

general_purpose

data_encrypt

mobile_payment

Supports domestic and int'l message formats for PIN translation, verification, and key management

Excrypt_ui

p2pe

Equal_sign

Enabled on all Futurex HSMs, regardless of their license or mode.

Core_license

Number_sign

utility

card_verification

authentication

key_management

RKMS3

SKI3

Ambiguous_PIN

Enables protecting a stronger key with a weaker key.

Key_Strength_Bypass

Enables payments-related commands per the AS2805 messaging standard, as defined by AusPayNet.

Australian_Command_Set

Enables the Europay Mastercard Visa (EMV) issuance command set.

EMV_Issuing

Enables Format Preserving Encryption (FPE) FF1 functionality.

FPEFF1

Enables Point-to-Point Encryption (P2PE) functionality. 

P2PE

Enabled by default on all Excrypt Series HSMs and as an add-on license for Vectera Series HSMs.

Financial_Processing

Allows the HSM to use host card emulation commands.

Host_Card_Emulation

Allows the HSM to support commands that will directly output the clear shared secret value.

Clear_Shared_Secret

Enables a host HSM to distribute allowed keys to another HSM.

HSM_key_distribution

Only required if using a Clear PIN rather than a PIN Block.

CPIN

Enables Format Preserving Encryption (FPE) functionality.

Enables Post-Quantum Cryptography (PQC) commands and functionality.

Enables commands requiring Elliptic Curve Cryptography (ECC) functionality.

Enables the Europay Mastercard Visa (EMV) acquiring command set. 

EMV_Acquiring

Enables commands requiring RSA functionality.

key_slot_index

Tilde

Asterisk

t_keyslot

ascii_int

Special_character

uuid_val

ascii_sta

base64

variable

alphanumeric

boolean

binary

integer

numeric

ascii

hexadecimal

alphabetic

base64_value

CH-HSMEX

CH-HSME

CH-HSMP

CryptoHub Integration Guides

CryptoHub integration guides overview

Configure Dogtag Certificate System

Dogtag Certificate System

Connect to the EJBCA environment

Configure EJBCA

EJBCA

Install and configure ISC CertAgent for Windows

Install and configure ISC CertAgent for Linux

ISC CertAgent

Install and configure FXCL CNG

Install Active Directory certificate Services (ADCS)

Configure Active Directory Certificate Systems

Verify the integration

Microsoft ADCS

Install and configure Futurex PKCS #11 (FXPKCS11)

Install Red Hat Certificate System and deploy the subsystem

Red Hat Certificate System (RHCS)

Configuring the Adaptable CA Driver

Configuring Venafi TPP to use the Futurex Adaptable CA Driver

Test a certificate request, approval, and issuance

Venafi Adaptable CA

Certificate Authority

Configure Venafi Control Plane Cryptohub integratation

Venafi Control Plane

Install and configure Futurex CNG

Generate a key pair and certificate on the CryptoHub

Import TLS certificates into Windows Certificate Store

Windows Certificate Store

Certificate management

Configure Axway VA

Test CRL Signing

Axway VA

Certificate validation

Set up the environment

Manage Security and Secrets

Configure pod parameters

Deploy CryptoHub

Manage deployments

Deploying CryptoHub in Google Kubernetes Engine (GKE)

Prerequisites

Identity and access management (IAM)

External key service setup for Google Workspace CSE

Validation and Testing

Appendix: Troubleshooting Google CSE

Google Workspace CSE

Identity and Access Management (IAM)

Gmail only: Upload encryption keys for client-side encryption

Google Workspace CSE for Gmail

Cloud key management

Create Java KeyStore

Sign APKs with Android APKSigner by using Futurex PKCS #11

Android APKSigner

Configure the JAVA_HOME environment variable

Configure SunPKCS11 to use the Futurex PKCS11 module

Assign the key pair to a certificate and apply an issuance policy

Jarsigner command examples

Java Jarsigner

Deploy the servi

Download and configure Jenkins  and test the FXCL Jenkins plugin

Jenkins Code Signing

Install and configure FXCL CNG module

Generate Microsoft SignTool Code Signing certificate on the CryptoHub

Import the Code Signing certificate into Windows Certificate Store

Associate a private key with a certificate

Test Microsoft SignTool commands

Microsoft SignTool

Code signing

Configure vSEC:CMS to integrate with CryptoHub

Create an OSKS with HSM in vSEC:CMS

Versasec CMS

Credential management

Install and configure OpenSSL Engine

Configure Apache HTTP Server

Apache HTTP Server

Data protection

Generic Futurex CNG

﻿ certification process

certification process