Generate a key pair and certificate on the Vectera Plus
This section shows how to use FXCLI to perform the following tasks:

- Log in to the HSM.
- Create a new key pair on the Vectera Plus.
- Generate a CSR from that key pair.
- Create a CA.
- Sign the CSR by using a CA that you also create on the HSM.

1 | Connect and log in to the HSM through FXCLI

Run the FXCLI application.

Configure TLS certificates for communication between FXCLI and the HSM by using the tls set of commands. Run tls help to access syntax documentation.

Connect to the HSM by using the following command:

```fxcli
connect tcp connect hsm ip 9009
```

Log in to the HSM with the default Admin1 and Admin2 identities by running the following command twice (entering the username and password when prompted):

```fxcli
login user
```

2 | Create a new key pair on the Vectera Plus

Create a new key pair in the next available key slot on the HSM, modifying the key usage values to match your specific requirements:

```fxcli
generate --algo rsa --bits 2048 --name igdemokeypair --usage sign,verify --slot next
```

Confirm which key slot the private key was added to:

```fxcli
keytable list
```

Assign a PKCS11 label to the key (certutil needs you to set this external data field so that it can find the key in a later section). The PKCS11 label value should match the name that was set for the key pair in the generate command:

```fxcli
keytable extdata --slot 0 --p11-attr label --p11-value igdemokeypair
```

3 | Generate a CSR

Generate a CSR from the new key pair that was created:

```fxcli
x509 req --private-slot igdemokeypair --out igdemo.csr
```

4 | Create a certificate authority

Create a new key pair in the next available key slot on the HSM:

```fxcli
generate --algo rsa --bits 2048 --usage mak --name cakeypair --slot next
```

Create a certificate from the new key pair that you created:

```fxcli
x509 sign --private-slot cakeypair --key-usage digitalsignature --key-usage keycertsign --ca true --pathlen 0 --dn 'o=futurex\cn=root' --out ca.pem
```

Note that the CA certificate was output to a file called ca.pem.

Confirm which key slot the private key was added to:

```fxcli
keytable list
```

Assign a PKCS11 label to the key (certutil needs you to set this external data field so that it can find the key in a later section). The PKCS11 label value should match the name that was set for the key pair in the generate command:

```fxcli
keytable extdata --slot 1 --p11-attr label --p11-value cakeypair
```

5 | Sign the CSR using the certificate authority

Sign the CSR with the CA you just created, modifying the key usage values to match your specific certificate requirements:

```fxcli
x509 sign --csr igdemo.csr --issuer ca.pem --private-slot cakeypair --ca false --key-usage digitalsignature --key-usage keyencipherment --key-usage dataencipherment --key-usage keyagreement --eku client --dn 'o=futurex\cn=ig demo' --out igdemo.pem
```

Note that the signed leaf certificate was output to a file called igdemo.pem.
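Before importing the results anywhere, it is worth confirming that the three files from steps 3 to 5 agree with each other. The script below is an added example, not part of the Futurex documentation: it uses the openssl CLI rather than FXCLI, the function names (`has`, `check_issued_cert`, `make_demo_files`) are hypothetical, and it assumes the `eku client` setting corresponds to the TLS client-authentication EKU.

```shell
#!/bin/sh
# Added example: checks ca.pem, igdemo.csr and igdemo.pem with the openssl CLI.
# Usage: check_issued_cert ca.pem igdemo.csr igdemo.pem
has() { printf '%s\n' "$1" | grep -q -- "$2"; }

check_issued_cert() {
    ca=$1; csr=$2; leaf=$3; rc=0
    fail() { echo "FAIL: $1" >&2; rc=1; }
    ca_txt=$(openssl x509 -in "$ca" -noout -text 2>/dev/null) || fail "cannot parse $ca"
    leaf_txt=$(openssl x509 -in "$leaf" -noout -text 2>/dev/null) || fail "cannot parse $leaf"
    # The leaf must chain to the CA created in step 4.
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 || fail "leaf does not verify against CA"
    # The certificate must bind the same public key the CSR carried (step 3).
    [ "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" = \
      "$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null)" ] || fail "leaf key differs from CSR key"
    # CA settings from step 4: ca true, pathlen 0, keycertsign.
    has "$ca_txt" "CA:TRUE, pathlen:0" || fail "CA lacks CA:TRUE, pathlen:0"
    has "$ca_txt" "Certificate Sign" || fail "CA lacks keyCertSign"
    # Leaf settings from step 5: not a CA, no cert-signing right, client EKU
    # (assumption: "eku client" maps to TLS client authentication).
    if has "$leaf_txt" "CA:TRUE"; then fail "leaf is marked as a CA"; fi
    if has "$leaf_txt" "Certificate Sign"; then fail "leaf may sign certificates"; fi
    has "$leaf_txt" "TLS Web Client Authentication" || fail "leaf lacks client EKU"
    return $rc
}

# Constructed stand-ins for the three files, made with software keys so the
# check can be exercised without an HSM. This is not fxcli output.
make_demo_files() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[demo_ca]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,digitalSignature,keyCertSign
[demo_leaf]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,dataEncipherment,keyAgreement
extendedKeyUsage=clientAuth
EOF
    openssl req -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -subj "/O=Futurex/CN=Root" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$d/ext.cnf" -extensions demo_ca -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -subj "/O=Futurex/CN=IG Demo" -out "$d/igdemo.csr" 2>/dev/null
    openssl x509 -req -in "$d/igdemo.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -extensions demo_leaf \
        -out "$d/igdemo.pem" 2>/dev/null
}
```

A non-zero return with a `FAIL:` line on stderr means the files should not be imported until the mismatch is understood.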