
Load the Futurex PKCS #11 Library into Cert Agent

Perform the following steps to install and set up CertAgent. Internet Explorer and Firefox support its web-based interface.

1. Double-click the Certagent.7.0.5.x64.exe and follow the on-screen instructions.

2. When prompted, choose the listening port to be created for the HyperSQL database. If port 9001 is already in use, you can use 9002 or 9003.

3. CertAgent prompts you to create TLS ports and credentials for Admin and Public web interfaces.

4. After installing, configure the following details:

| Information | Description |
| --- | --- |
| PKCS11 Library Path | Select [ Browse ] and select the location of FXPKCS11.dll on the hard drive. (The default PKCS11 install location is C:/Program Files/Futurex.) |
| HSM Partition | Prompt to select one of the partitions found in the HSM. |
| HSM PIN | This is the password for the identity created previously. |
| Common Name (CN) | Common Name for the CA Root certificate that CertAgent creates. |
| Organization Name | Organization Name for the CA Root certificate that CertAgent creates. |
| PKCS #12 Password | Password to be used for the PKCS #12 files that CertAgent and the HSM generate. |



Be sure to note the PKCS #12 password, admin TLS port (<admin port>), and public TLS port (<public port>) you enter during installation. You need this information to import the certificates for the web browsers to access the CertAgent sites (Administrator site, Public site, CA site).

5. Next, set the SA password along with a user account and password for the CertAgent database. Be sure to note these for future use.

The installer creates the credentials and finalizes the installation process.

6. During the installation process, you can check the following logs:

  • C:\Temp\fxpkcs11.log - for status related to all actions through the PKCS11 library.
  • C:\Program Files\CertAgent7\install.log - for CertAgent installation status.
  • C:\Program Files\CertAgent7\install-hsql.log - for HyperSQL installation status.

At the end of the installation, CertAgent creates a Readme.txt file. We recommend you read and follow the instructions for POST-installation steps.
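
The port choice in step 2 and the log review in step 6 can be scripted. The following PowerShell is an added example, not part of the CertAgent or Futurex tooling; it uses the ports and default paths named above and assumes that problems in the logs are marked with the words "error" or "fail".

```powershell
# Added example: pre- and post-install checks for the steps on this page.
# Ports and paths are the defaults the page names; adjust if yours differ.
$CandidatePorts = 9001, 9002, 9003
$Pkcs11Dir      = 'C:\Program Files\Futurex'   # default PKCS11 install location
$LogFiles       = @(
    'C:\Temp\fxpkcs11.log',
    'C:\Program Files\CertAgent7\install.log',
    'C:\Program Files\CertAgent7\install-hsql.log'
)

function Get-FreeHsqlPort {
    # Return the first candidate port with no TCP listener, or $null if all are taken.
    foreach ($port in $CandidatePorts) {
        $listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
        if (-not $listener) { return $port }
    }
    return $null
}

function Find-Pkcs11Library {
    # Locate FXPKCS11.dll under the default install directory.
    Get-ChildItem -Path $Pkcs11Dir -Filter 'FXPKCS11.dll' -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty FullName
}

function Get-InstallLogFindings {
    # Report missing logs and lines that look like failures.
    # The keyword match is an assumption about the log format, not a documented one.
    foreach ($log in $LogFiles) {
        if (-not (Test-Path -LiteralPath $log)) {
            [pscustomobject]@{ Log = $log; Line = $null; Text = 'log not found' }
            continue
        }
        Select-String -LiteralPath $log -Pattern 'error|fail' |
            ForEach-Object { [pscustomobject]@{ Log = $log; Line = $_.LineNumber; Text = $_.Line.Trim() } }
    }
}

$port = Get-FreeHsqlPort
if ($port) { "Free HyperSQL port: $port" } else { Write-Warning 'Ports 9001-9003 are all in use.' }

$dll = Find-Pkcs11Library
if ($dll) { "PKCS #11 library: $dll" } else { Write-Warning "FXPKCS11.dll not found under $Pkcs11Dir" }

Get-InstallLogFindings | Format-Table -AutoSize -Wrap
```

Run the port check before starting the installer and the log check after it finishes; an empty findings table means every log exists and none matched the keywords.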

Installation verification

Perform the following steps to ensure CertAgent communicates correctly with the HSM:

The following procedure requires you to add the certificates installed by CertAgent to the trusted list of your web browser.

1. After the installation completes, you can log in to the HSM through Excrypt Manager to verify that the keys were generated and are stored on the HSM.

2. You can use FXCLI to validate this installation. After you connect by using the connect usb command, you must run the following commands to verify the keys exist in the HSM:

FXCLI

FXCLI

FXCLI


If all six keys are present, the installation was successful.

3. Open a command terminal and go to the installation location of CertAgent. Then run the certagent setpin command.

4. To set a PIN in the terminal, go to the System PIN Entry page shown in the Readme.txt and follow the instructions provided in the file.

5. After you set the System PIN Entry, review the Readme.txt file to find the links for the System Administrative site, the CA Account site, and the Public site.

| Site | Description |
| --- | --- |
| System Administrative Site | Admin controls over the system and server. Configuration settings can be done here as well. Must connect with the Admin certificate. |
| CA Account Site | When connected with the Admin certificate, it allows you to set the certificate enrollment, management, CRL, and other settings. When connected with the Operations certificate, it allows you to approve, sign, and revoke CSRs and complete other certificate enrollment tasks. |
| Public Site | When connected with the Client certificate, it allows you to enroll, upload, and retrieve certificates to and from the HSM. |

6. Using the Public site, send a certificate signing request by using the Enroll function. Using Internet Explorer, you can generate a key for a certificate to be signed by the HSM. Firefox cannot generate a key for you.

7. After sending in a CSR, log in to the CA Account site using the Operations certificate, find the certificate in the pending section, and issue it. Proper application configuration with the HSM enables you to use the web to issue and retrieve the certificate.