Generate a key pair and certificate on the Vectera Plus

6min
This section shows how to use FXCLI to perform the following tasks:
Log in to the HSM.
Create a new key pair on the .
Generate a CSR from that key pair.
Create a CA
Sign the CSR by using a CA that you also create on the HSM.
1 | Connect and log in to the HSM through FXCLI
1
Run the FXCLI application.
2
Configure TLS certificates for communication between FXCLI and the HSM by using the tls set of commands.
Run tls help to access syntax documentation.
3
Connect to the HSM by using the following command:
FXCLI
connect tcp --connect hsm_ip:9009
connect tcp --connect hsm_ip:9009
﻿
4
Log in to the HSM with the default Admin1 and Admin2 identities by running the following command twice (entering the username and password when prompted):
FXCLI
login user
login user
﻿
2 | Create a new key pair on the Vectera Plus
1
Create a new key pair in the next available key slot on the HSM, modifying the key usage values to match your specific requirements:
FXCLI
generate --algo RSA --bits 2048 --name IgDemoKeyPair --usage sign,verify --slot next
generate --algo RSA --bits 2048 --name IgDemoKeyPair --usage sign,verify --slot next
﻿
2
Confirm which key slot the private key was added to:
FXCLI
keytable list
keytable list
﻿
3
Assign a PKCS11 label to the key (certutil needs you to set this external data field so that it can find the key in a later section):
The PKCS11 label value should match the name that was set for the key pair in the generate command.
FXCLI
 keytable extdata --slot 0 --p11-attr label --p11-value IgDemoKeyPair
 keytable extdata --slot 0 --p11-attr label --p11-value IgDemoKeyPair
﻿
3 | Generate a CSR
1
Generate a CSR from the new key pair that was created:
FXCLI
x509 req --private-slot IgDemoKeyPair --out IgDemo.csr
x509 req --private-slot IgDemoKeyPair --out IgDemo.csr
﻿
4 | Create a Certificate Authority
1
Create a new key pair in the next available key slot on the HSM:
FXCLI
generate --algo RSA --bits 2048 --usage mak --name CaKeyPair --slot next
generate --algo RSA --bits 2048 --usage mak --name CaKeyPair --slot next
﻿
2
Create a certificate from the new key pair that you created:
FXCLI
x509 sign --private-slot CaKeyPair --key-usage DigitalSignature --key-usage KeyCertSign --ca true --pathlen 0 --dn 'O=Futurex\CN=Root' --out Ca.pem
x509 sign --private-slot CaKeyPair --key-usage DigitalSignature --key-usage KeyCertSign --ca true --pathlen 0 --dn 'O=Futurex\CN=Root' --out Ca.pem
﻿
Note that the CA certificate was output to a file called Ca.pem.
3
Confirm which key slot the private key was added to:
FXCLI
keytable list
keytable list
﻿
4
Assign a PKCS11 label to the key (certutil needs you to set this external data field so that it can find the key in a later section):
The PKCS11 label value should match the name that was set for the key pair in the generate command.
FXCLI
keytable extdata --slot 1 --p11-attr label --p11-value CaKeyPair
keytable extdata --slot 1 --p11-attr label --p11-value CaKeyPair
﻿
5 | Sign the CSR using the Certificate Authority
1
Sign the CSR with the CA you just created, modifying the key usage values to match your specific certificate requirements:
FXCLI
x509 sign --csr IgDemo.csr --issuer Ca.pem --private-slot CaKeyPair --ca false --key-usage DigitalSignature --key-usage KeyEncipherment --key-usage DataEncipherment --key-usage KeyAgreement --eku Client --dn 'O=Futurex\CN=IG-Demo' --out IgDemo.pem
x509 sign --csr IgDemo.csr --issuer Ca.pem --private-slot CaKeyPair --ca false --key-usage DigitalSignature --key-usage KeyEncipherment --key-usage DataEncipherment --key-usage KeyAgreement --eku Client --dn 'O=Futurex\CN=IG-Demo' --out IgDemo.pem
﻿
Note that the signed leaf certificate was output to a file called IgDemo.pem.
﻿
Updated 26 Aug 2024
Did this page help you?
Edit the Futurex CNG configuration file
Import certificates into Windows Certificate Store and associate them with the private keys