Import the client certificate and private key into the CryptoHub
In this section, we'll import the client certificate and private key into an X.509 certificate container on the CryptoHub. Before we can do that, we must combine the client certificate and private key into an encrypted and password-protected PKCS #12 file using OpenSSL.

Create PKCS #12 file containing the client certificate and private key

In this sub-section, we'll use OpenSSL to package the client certificate and private key into an encrypted and password-protected PKCS #12 file.

1. Run the following openssl command:

```
openssl pkcs12 -export -out futurex.p12 -inkey futurex_private.key -in futurex_rsa.crt -certfile rsa_ca.crt
```

This command will prompt you to set an export password. This password will be required to import the PKCS #12 file into the CryptoHub in the next sub-section.

Import the client PKCS #12 into the CryptoHub

In this sub-section, we'll import the PKCS #12 file containing the CA certificate, client certificate, and client private key into the CryptoHub.

Create an approval group

1. Log in to the CryptoHub with your administrator identities.
2. Go to PKI and CA > PKI Signing Approvals.
3. Select [ Add Approval Group ].
4. Enter a name for the approval group and select [ OK ].
5. Right-click the new approval group and select Permission.
6. In the dropdown menu towards the top of the dialog box, select Service OpenVPN, then click [ Add ].
7. Grant the Use permission to the OpenVPN service, then click [ Save ].

Create an X.509 certificate container

1. Go to PKI and CA > Certificate Management.
2. Select [ Add CA ] at the bottom.
3. In the Certificate Container creation dialog, set the following:
   - Name: enter a name for the certificate container, such as "OpenVPN"
   - Host: None
   - Type: X.509
   - Owner group: select the OpenVPN fxpkcs11 role
4. Select [ OK ].

Enable option to allow importing certificates using passwords

Before importing the PKCS #12 file created above with OpenSSL, it is necessary to enable an option on the CryptoHub to allow importing certificates using passwords.

1. Go to Classic Tools > Administration > Configuration Tasks > Options.
2. In the Main tab of the Options menu, select the Allow import of certificates using passwords checkbox.
3. Select [ Save ].

Import the client PKCS #12 file into the X.509 certificate container

1. Go to PKI and CA > Certificate Management.
2. Right-click the X.509 certificate container you created above, and select Import > PKCS#12.
3. Click [ Browse ] and select your PKCS #12 file for import.
4. Select [ Next ].
5. Enter the password for the PKCS #12 file and select [ Next ].
6. Select [ Finish ].

Add an issuance policy to the client certificate

We must add an issuance policy to the client certificate so that the Futurex PKCS #11 library can find the certificate on the CryptoHub.

1. Go to PKI and CA > Certificate Management.
2. Right-click the client certificate in the tree (the one under the CA certificate) and select Issuance Policy > Add.
3. In the Basic Info tab, set Approvals to 0. A message will appear stating, "Zero approval policy requires anonymous signing security usage." We'll set this after creating the issuance policy.
4. In the X.509 tab, assign a default approval group by clicking [ Select ], selecting the approval group you created above, and clicking [ OK ].
5. In the Object Signing tab, select the Allow object signing checkbox.
6. Select [ OK ].

Change security usage on the client certificate to allow anonymous signing

1. Go to PKI and CA > Certificate Management.
2. Right-click the client certificate and select Change Security Usage.
3. In the dropdown menu, select Anonymous Signing.
4. Select [ OK ].
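
Before importing the PKCS #12 file built with openssl earlier on this page, it is worth confirming that the private key belongs to the client certificate, that the certificate chains to the CA, and that the bundle opens with the export password and holds both certificates. The script below is an added example, not Futurex code: it assumes the file names from the openssl command on this page, a hypothetical `P12_PASS` environment variable for the password, and a constructed throwaway CA and client so it runs offline.

```shell
#!/bin/sh
# Added example: pre-import checks for the PKCS #12 bundle built on this page.
# File names follow the openssl command above; the password is read from the
# P12_PASS environment variable (an assumption) so it never appears in argv.

# key_matches_cert KEY CERT: true if both hold the same public key.
key_matches_cert() {
  kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) &&
  kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) &&
  [ "$kmc_key" = "$kmc_crt" ]
}

# p12_cert_count FILE: print the number of certificates in the bundle;
# fails when P12_PASS is wrong or FILE is not a PKCS #12 file.
p12_cert_count() {
  pcc_out=$(openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null) || return 1
  printf '%s\n' "$pcc_out" | grep -c 'BEGIN CERTIFICATE'
}

# check_bundle DIR: key/cert pairing, chain to the CA, and bundle contents.
check_bundle() {
  key_matches_cert "$1/futurex_private.key" "$1/futurex_rsa.crt" ||
    { echo "key does not match certificate"; return 1; }
  openssl verify -CAfile "$1/rsa_ca.crt" "$1/futurex_rsa.crt" >/dev/null 2>&1 ||
    { echo "certificate does not chain to the CA"; return 1; }
  [ "$(p12_cert_count "$1/futurex.p12")" = 2 ] ||
    { echo "bundle unreadable or unexpected certificate count"; return 1; }
  echo "ok"
}

# make_demo_bundle DIR: constructed throwaway CA and client, for the demo only.
make_demo_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/rsa_ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo client" \
    -keyout "$1/futurex_private.key" -out "$1/client.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/client.csr" -days 1 -CA "$1/rsa_ca.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/futurex_rsa.crt" 2>/dev/null &&
  openssl pkcs12 -export -out "$1/futurex.p12" -inkey "$1/futurex_private.key" \
    -in "$1/futurex_rsa.crt" -certfile "$1/rsa_ca.crt" -passout env:P12_PASS
}

export P12_PASS='constructed-demo-password'   # throwaway value
demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir" && check_bundle "$demo_dir"
rm -rf "$demo_dir"
```

To check a real bundle, export `P12_PASS` in the current shell session and call `check_bundle` on the directory that holds your four files, skipping `make_demo_bundle`.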