Configure TLS authentication

for this step, you must log in with an identity that has a role with the following permissions keys\ all slots , management commands\ certificates , management commands\ keys , security\ tls sign , and tls settings\ upload key you can use the default administrator role and admin identities to configure tls authentication, choose one of the following methods enable server side authentication create connection certificates for mutual authentication we recommend option 2, mutual authentication enable server side authentication we recommend mutually authenticating to the hsm using client certificates, but the {{vectera}} also supports server side authentication the following steps outline the process for enabling server side authentication choose one of the following methods to enable server side authentication excrypt manager go to the ssl/tls setup menu then, select the excrypt port in the connection pair drop down list, check the allow anonymous box, and select \[ save ] fxcli run the tls ports set fxcli command to enable server side authentication with the allow anonymous ssl/tls setting fxcli tls ports set p "excrypt port" anon create connection certificates as mentioned previously, we recommend mutually authenticating to the hsm by using client certificates, and the system enforces mutual authentication by default the following example shows how to use fxcli to generate a ca to sign the hsm server certificate and a {{futurex}} cng ( fxcng ) client certificate then, it shows how to generate the client key pair and csr by using the windows certreq utility for this example, you must connect the computer running fxcli to the front usb port of the hsm if you do not specify a file path for commands that create an output file, fxcli saves the file to the current working directory using user generated certificates requires you to load a pmk on the hsm if you run help by itself, a full list of available commands displays you can see the options for a command by running the command name followed by help perform the following steps to create connection certificates for mutual authentication and generate a client key pair and csr for {{futurex}} cng from a certreq policy file create and sign the csrs create an association between the signed certificate and its corresponding key pair create and sign the csrs this section explains the necessary steps to generate a csr from a certreq policy file on the computer where you installed the {{futurex}} cng when you generate the csr file, the system creates a public/private key pair in the windows certificate store then, the section describes how to use fxcli to issue a signed certificate from the csr, which you later associate with the public/private key pair stored in the windows certificate store create a certreq policy file perform the following steps to create a certreq policy file on the computer where you installed {{futurex}} cng, open a text editor create a new file and copy and paste the following content into it \[version] signature = "$windows nt$" \[newrequest] subject = "cn=microsoft sql alwayenc" exportable = true keylength = 2048 machinekeyset = true save the file with the inf extension (such as certreq policy inf ) generate a csr perform the following steps to generate a csr from the certreq policy file open either command prompt or powershell go to the directory with the certreq policy inf file run the following command to generate a csr from the certreq policy inf file certreq new q config “your domain com\microsoft sql alwayenc" certreq policy inf client csr generate a key pair and csr perform the following steps to generate a key pair and csr for the excrypt port on the hsm enter the fxcli prompt by running fxcli hsm in a terminal connect your laptop to the hsm by using the usb port on the front, and run the following command fxcli connect usb use the following command to log in with the default admin1 and admin2 identities when prompted, enter the username and password run the command twice, once for each identity fxcli login user generate a key pair and csr for the excrypt port by using the following command fxcli tls ports request pair "excrypt port" file excrypt port csr pki algo rsa generate a key pair and certificate perform the following steps to generate a tls ca key pair and certificate with fxcli enter the fxcli prompt by running fxcli hsm in a terminal connect your laptop to the hsm by using the usb port on the front, and run the following command fxcli connect usb log in with the default admin1 and admin2 identities when prompted for the username and password, enter them run the following command twice, once for each identity fxcli login user generate a tls ca key pair and store it in an available slot on the hsm fxcli generate algo rsa bits 2048 usage mak name tlscakeypair slot next create a tls ca certificate from the key pair you created in step 4 fxcli x509 sign \\ \ private slot tlscakeypair \\ \ key usage digitalsignature key usage keycertsign \\ \ ca true pathlen 0 \\ \ dn 'o=futurex\cn=root' \\ \ out tlsca pem sign the csrs perform the following steps to sign the csrs for the excrypt port and {{futurex}} cng open the fxcli prompt by running fxcli hsm in a terminal connect your laptop to the hsm by using the usb port on the front, and run the following command fxcli connect usb log in with the default admin1 and admin2 identities when prompted for the username and password, enter them run the following command twice, once for each identity fxcli login user sign the csr for the excrypt port by using the ca you created in the previous section fxcli x509 sign \\ \ private slot tlscakeypair \\ \ issuer tlsca pem \\ \ csr excrypt port csr \\ \ eku server key usage digitalsignature key usage keyagreement \\ \ ca false \\ \ dn 'o=futurex\cn=excrypt port' \\ \ out signed excrypt cert pem push the signed server pki to the excrypt port on the hsm fxcli tls ports set pair "excrypt port" \\ \ enable \\ \ pki source generated \\ \ clear pki \\ \ ca tlsca pem \\ \ cert signed excrypt cert pem \\ \ no anon restart the ssl2tcp processor to apply the changes made to the excrypt port connection pair fxcli tls ports restart sign the client csr for microsoft adcs by using the ca you created in the previous section fxcli x509 sign \\ \ private slot tlscakeypair \\ \ issuer tlsca pem \\ \ csr client csr \\ \ eku client key usage digitalsignature key usage keyagreement \\ \ out signed client cert pem create an association this section explains the necessary steps to associate the signed microsoft adcs client tls certificate with its corresponding private key in the windows certificate store before making this association, you must import the ca certificate that issued the microsoft adcs client tls certificate into the trusted root certification authorities windows certificate store perform the following tasks to create an association between the signed certificate and its corresponding key pair import the ca certificate perform the following steps to import the ca certificate that issued the microsoft adcs client tls certificate into the trusted root certification authorities store on the computer with the {{futurex}} cng, open the manage computer certificates program right click the trusted root certification authorities store and select all tasks > import follow the steps in the certificate import wizard to import the tls ca root certificate file if the import succeeds, you see a confirmation message associate the certificate with the key perform the following steps to associate the signed microsoft adcs certificate with its corresponding private key in the windows certificate store open either command prompt or powershell go to the directory where you saved the signed microsoft adcs client tls certificate file run the following command to create an association between the signed microsoft adcs certificate and its corresponding key pair stored in the your windows account profile certreq accept machine signed client cert pem if the command succeeds, information about the installed certificate displays on the screen