Certificate management
...
Microsoft Windows Certificate ...
Configure the Vectera Plus

Configure TLS authentication

12min

For this step, you must log in with an identity that has a role with the following permissions: Keys:All Slots, Management Commands:Certificates, Management Commands:Keys, Security:TLS Sign, and TLS Settings:Upload Key. You can use the default Administrator role and Admin identities.

To configure TLS authentication, choose one of the following methods:

  1. Enable server-side authentication.
  2. Create connection certificates for mutual authentication.

We recommend option 2, mutual authentication.

Option 1 | Enable server-side authentication

We recommend mutually authenticating to the HSM using client certificates, but the also supports server-side authentication. The following steps outline the process for enabling server-side authentication.

Choose one of the following methods to enable server-side authentication:

Excrypt Manager
FXCLI
1

Go to the SSL/TLS Setup menu. Then, select the Excrypt Port in the Connection Pair drop-down list, check the Allow Anonymous box, and select [ Save ].

Option 2 | Create connection certificates for mutual authentication

As mentioned previously, we recommend mutually authenticating to the HSM by using client certificates, and the system enforces mutual authentication by default. The following example shows how to use FXCLI to generate a CA to sign the HSM server certificate and a client certificate. Then, it shows how to generate the client keys and CSR by using OpenSSL.

  • For this example, you must connect the computer that is running FXCLI to the front USB port of the HSM.
  • If you do not specify a file path for commands that create an output file, FXCLI saves the file to the current working directory.
  • Using user-generated certificates requires you to load a PMK on the HSM.
  • If you run help by itself, a list of available commands displays. You can see all options for a command by running the command name followed by help.

2.1 | Create and sign the CSRs

This section explains the steps required to generate a CSR from a certreq policy file on the computer where you installed CNG. When the CSR file generates, the system creates a public/private key pair in the Windows Certificate Store. Then, you use FXCLI to issue a signed certificate from the CSR, which you later associate with the public/private key pair stored in the Windows Certificate Store.

a | Create a certreq policy file

1

On the computer with Futurex CNG, open a text editor.

2

Create a new file and copy and paste the following content into it:

Text

3

Save the file with the .inf extension (for example, certreq_policy.inf).

b | Generate a CSR from the certreq policy INF file

1

Open either Command Prompt or PowerShell.

2

Go to the directory that has the certreq policy .inf file.

3

Run the following command to generate a CSR from the certreq policy .inf file:

PowerShell


c | Generate a key pair and CSR for the Excrypt Port on the HSM

1

Enter the FXCLI prompt by running fxcli-hsm in a terminal.

2

Connect your laptop to the HSM by using the USB port on the front, and run the following command:

FXCLI

3

Log in with the default Admin1 and Admin2 identities. When prompted for the username and password, enter them. Run the following command twice, once for each identity.

FXCLI

4

Generate a key pair and CSR for the Excrypt Port by running the following command:

FXCLI


d | Generate a TLS CA key pair and certificate with FXCLI

1

Enter the FXCLI prompt by running fxcli-hsm in a terminal.

2

Connect your laptop to the HSM by using the USB port on the front, and run the following command:

FXCLI

3

Log in with the default Admin1 and Admin2 identities. When prompted for the username and password, enter them. Run the following command twice, once for each identity.

FXCLI

4

Generate a TLS CA key pair and store it in an available slot on the HSM.

FXCLI

5

Create a TLS CA certificate from the key pair you created in step 4.

FXCLI


e | Sign the CSRs for the Excrypt Port and Futurex CNG

1

Enter the FXCLI prompt by running fxcli-hsm in a terminal.

2

Connect your laptop to the HSM by using the USB port on the front, and run the following command:

FXCLI

3

Log in with the default Admin1 and Admin2 identities. When prompted for the username and password, enter them. Run the following command twice, once for each identity.

FXCLI

4

Sign the CSR for the Excrypt Port by using the CA you created in the previous section.

FXCLI

5

Push the signed server PKI to the Excrypt Port on the HSM.

FXCLI

6

Restart the SSL2TCP processor to apply the changes made to the Excrypt Port connection pair.

FXCLI

7

Sign the client CSR for CNG using the CA you created in the previous section.

FXCLI


2.2 | Create an association between the signed certificate and its corresponding key pair

This section explains the necessary steps to associate the signed CNG client TLS certificate with its corresponding private key in the Windows Certificate Store. Before making this association, you must import the CA certificate that issued the CNG client TLS certificate into the Trusted Root Certification Authorities Windows Certificate Store.

a | Import the CA certificate that issued the Futurex CNG client TLS certificate into the Trusted Root Certification Authorities store

1

On the computer with CNG, open the Manage computer certificates program.

2

Right-click the Trusted Root Certification Authorities store and select All Tasks > Import.

3

Follow the steps in the Certificate Import Wizard to import the TLS CA root certificate file.

If it succeeds, you see a confirmation message.

b | Associate the signed Futurex CNG certificate with its corresponding private key in the Windows Certificate Store

1

Open either Command Prompt or PowerShell.

2

Go to the directory with the signed CNG client TLS certificate file.

3

Run the following command to create an association between the signed CNG certificate and its corresponding key pair stored in your Windows account profile:

PowerShell


If the command succeeds, information about the installed certificate displays.