Java Keytool
Configure the Vectera Plus
Configure TLS authentication
For this step, you must log in with an identity that has a role with the following permissions: Keys\All Slots, Management Commands\Certificates, Management Commands\Keys, Security\TLS Sign, and TLS Settings\Upload Key. You can use the default Administrator role and Admin identities.

To configure TLS authentication, choose one of the following methods:

1. Enable server-side authentication
2. Create connection certificates for mutual authentication

We recommend option 2, mutual authentication.

Option 1 | Enable server-side authentication

We recommend mutually authenticating to the HSM using client certificates, but the Vectera Plus also supports server-side authentication. The following steps outline the process for enabling server-side authentication. Choose one of the following methods to enable server-side authentication:

- Go to the SSL/TLS Setup menu. Then, select the Excrypt Port in the Connection Pair drop-down list, check the Allow Anonymous box, and select [Save].
- Run the tls-ports set FXCLI command to enable server-side authentication with the Allow Anonymous SSL/TLS setting:

```
fxcli tls-ports set -p "Excrypt Port" --anon
```

Option 2 | Create connection certificates for mutual authentication

As mentioned previously, we recommend mutually authenticating to the HSM by using client certificates, and the system enforces mutual authentication by default. The following example shows how to use FXCLI to generate a CA to sign the HSM server certificate and a client certificate. Then, it shows how to generate the client keys and CSR by using OpenSSL.

For this example, you must connect the computer that is running FXCLI to the front USB port of the HSM. If you do not specify a file path for commands that create an output file, FXCLI saves the file to the current working directory. Using user-generated certificates requires you to load a PMK on the HSM.

If you run help by itself, a full list of available commands displays. You can see all options for a command by running the command name followed by help.

1. Open the FXCLI prompt by running fxcli-hsm in a terminal.

2. Connect your laptop to the HSM by using the USB port on the front, and run the following command:

```
fxcli connect usb
```

3. Run the following command to log in with both default Admin identities. When prompted for the username and password, enter them. You must run this command twice.

```
fxcli login user
```

4. Generate a TLS CA and store it in an available key slot on the HSM.

```
fxcli generate --algo RSA --bits 2048 --usage mak --name TLSCAKeyPair --slot next
```

5. Next, create a root certificate.

```
fxcli x509 sign \
    --private-slot TLSCAKeyPair \
    --key-usage DigitalSignature --key-usage KeyCertSign \
    --ca true --pathlen 0 \
    --dn 'O=Futurex\CN=Root' \
    --out TLSCA.pem
```

6. Generate the server keys for the HSM.

```
fxcli tls-ports request --pair "Excrypt Port" --file production.csr --pki-algo RSA
```

7. Sign the server CSR with the newly created TLS CA.

```
fxcli x509 sign \
    --private-slot TLSCAKeyPair \
    --issuer TLSCA.pem \
    --csr production.csr \
    --eku Server --key-usage DigitalSignature --key-usage KeyAgreement \
    --ca false \
    --dn 'O=Futurex\CN=Production' \
    --out TLSProduction.pem
```

8. Push the signed server PKI to the production port on the HSM.

```
fxcli tls-ports set --pair "Excrypt Port" \
    --enable \
    --pki-source Generated \
    --clear-pki \
    --ca TLSCA.pem \
    --cert TLSProduction.pem \
    --no-anon
```

9. To generate the client keys and CSR, run the following OpenSSL commands from Windows PowerShell rather than from the FXCLI program.

```
# Generate the client keys
$ openssl genrsa -out privatekey.pem 2048
# Generate a client CSR
$ openssl req -new -key privatekey.pem -out clientpki.csr -days 365
```

10. Using FXCLI, sign the client CSR that was just generated using OpenSSL.

```
fxcli x509 sign \
    --private-slot TLSCAKeyPair \
    --issuer TLSCA.pem \
    --csr clientpki.csr \
    --eku Client --key-usage DigitalSignature --key-usage KeyAgreement \
    --dn 'O=Futurex\CN=Client' \
    --out signedpki.pem
```

11. Run the following command from Windows PowerShell. Use OpenSSL to create a PKCS #12 file that you can use to authenticate as a client by using our PKCS #11 library.

```
openssl pkcs12 -export -inkey privatekey.pem -in signedpki.pem -certfile TLSCA.pem -out PKI.p12
```
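As an added example that is not part of the Futurex guide, the following POSIX shell script sanity-checks the client PKI produced in steps 9 to 11 before PKI.p12 is handed to the PKCS #11 library: it confirms that signedpki.pem chains to TLSCA.pem with a client-authentication purpose, that the certificate matches privatekey.pem, and that the PKCS #12 bundle carries the CA certificate as well as the leaf. It assumes a throwaway OpenSSL CA standing in for the CA held in HSM slot TLSCAKeyPair (so it runs offline), the export password changeit, and the file names used above.

```shell
#!/bin/sh
# Added example, not Futurex code. A local OpenSSL CA stands in for the HSM-held
# TLS CA so the checks can run offline; OpenSSL DNs use '/' where fxcli uses '\'.
set -eu

# Stand-in for the root certificate created in step 5 (assumption: local CA key).
make_stand_in_ca() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,digitalSignature,keyCertSign\n' > ca.ext
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -key ca.key -config req.cnf -subj '/O=Futurex/CN=Root' -out ca.csr
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 \
        -extfile ca.ext -out TLSCA.pem 2>/dev/null
}

# Client half of the guide: key and CSR (step 9), a Client EKU certificate with the
# key usages step 10 requests, and the PKCS #12 bundle from step 11.
make_client_pki() {
    openssl genrsa -out privatekey.pem 2048 2>/dev/null
    openssl req -new -key privatekey.pem -config req.cnf -subj '/O=Futurex/CN=Client' -out clientpki.csr
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature,keyAgreement\n' > client.ext
    openssl x509 -req -in clientpki.csr -CA TLSCA.pem -CAkey ca.key -CAcreateserial \
        -days 365 -extfile client.ext -out signedpki.pem 2>/dev/null
    openssl pkcs12 -export -inkey privatekey.pem -in signedpki.pem \
        -certfile TLSCA.pem -passout pass:changeit -out PKI.p12
}

# Checks worth running before the bundle goes anywhere near production:
#  1. signedpki.pem chains to TLSCA.pem and is acceptable for TLS client auth;
#  2. the certificate's public key really belongs to privatekey.pem;
#  3. PKI.p12 carries both the leaf and the CA certificate (two PEM blocks).
verify_client_pki() {
    openssl verify -CAfile TLSCA.pem -purpose sslclient signedpki.pem >/dev/null || return 1
    [ "$(openssl x509 -in signedpki.pem -noout -pubkey)" = \
      "$(openssl pkey -in privatekey.pem -pubout)" ] || return 2
    n=$(openssl pkcs12 -in PKI.p12 -nokeys -passin pass:changeit 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -eq 2 ] || return 3
}

WORK=$(mktemp -d) && cd "$WORK"
make_stand_in_ca && make_client_pki && verify_client_pki && echo "client PKI checks passed in $WORK"
```

Against a real HSM, drop make_stand_in_ca, point the script at the TLSCA.pem exported in step 5, and run only verify_client_pki on the files from steps 9 to 11.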