Import the client certificate and private key into the CryptoHub

in this section, we'll import the client certificate, client private key, and ca certificate into an x 509 certificate container on the cryptohub import the client pkcs #12 into the cryptohub in this sub section, we'll import the pkcs #12 file containing the ca certificate, client certificate, and client private key into the cryptohub if you started with the docid\ zivwj9qwitr9rhjg5xrrj guide and are now here, you should have a client p12 file that you generated using openssl at the end of the docid\ qij8wdokgtblzhsxnk9rr section create an approval group log in to the cryptohub with your administrator identities go to pki and ca > pki signing approvals select \[ add approval group ] enter a name for the approval group and select \[ ok ] right click the new approval group and select permission in the dropdown menu towards the top of the dialog box, select service openvpn , then click \[ add ] grant the use permission to the openvpn service, then click \[ save ] create an x 509 certificate container go to pki and ca > certificate management select \[ add ca ] at the bottom in the certificate container creation dialog name enter a name for the certificate container, such as "openvpn" host none type x 509 owner group select the openvpn fxpkcs11 role select \[ ok ] enable the option to allow importing certificates using passwords before importing the pkcs #12 file created above with openssl, it is necessary to enable an option on the cryptohub to allow importing certificates using passwords go to classic tools > administration > configuration tasks > options in the main tab of the options menu, select the allow import of certificates using passwords checkbox select \[ save ] import the pkcs #12 file into the x 509 certificate container go to pki and ca > certificate management right click the x 509 certificate container you created above, and select import > pkcs#12 click \[ browse ] and select your pkcs #12 file for import select \[ next ] enter the password for the pkcs #12 file and select \[ next ] select \[ finish ] add an issuance policy to the client certificate we must add an issuance policy to the client certificate so that the futurex pkcs #11 library can find the certificate on the cryptohub go to pki and ca > certificate management right click the client certificate in the tree (the one under the ca certificate) and select issuance policy > add in the basic info tab set approvals to 0 a message will appear stating, "zero approval policy requires anonymous signing security usage " we'll set this after creating the issuance policy in the x 509 tab assign a default approval group by clicking \[ select ] , selecting the approval group you created above, and clicking \[ ok ] in the object signing tab select the allow object signing checkbox select \[ ok ] change security usage on the client certificate to allow anonymous signing go to pki and ca > certificate management right click the client certificate and select change security usage in the dropdown menu select anonymous signing select \[ ok ]