Steps to load the Futurex PKCS #11 Library into CertAgent
Perform the following steps to install and set up CertAgent. The web-based interface used by CertAgent is supported by Internet Explorer and Firefox.
Double-click the Certagent.7.0.5.x64.exe and follow the on-screen instructions.
When prompted, choose the listening port to be created for the HyperSQL database. If 9001 is already in use, you can use 9002 or 9003.
CertAgent will prompt you to create TLS ports and credentials for the 'Admin' and 'Public' web interfaces.
After installing, the following information will be required:
- PKCS11 Library Path: Select "Browse" and choose the path where the FXPKCS11.dll file is located on the hard drive. (The default PKCS11 install location is C:/Program Files/Futurex.)
- HSM Partition: Prompts you to select one of the partitions found on the HSM.
- HSM PIN: The password for the identity created previously.
- Common Name (CN): Common Name for the CA Root certificate that CertAgent will create.
- Organization Name: Organization Name for the CA Root certificate that CertAgent will create.
- PKCS #12 Password: Password used for the PKCS #12 files generated by CertAgent and the Vectera Plus.
Be sure to make note of the PKCS #12 password, admin TLS port (<admin port>) and public TLS port (<public port>) you enter during installation. This information will be required to import the certificates that let web browsers access the CertAgent sites (Administrator Site, Public Site, CA Site).
Next, the SA password will be set, along with a user account and password for the CertAgent database. Be sure to take note of these for future use.
The installer will create the credentials and will finalize the installation process.
During installation, the following logs can be checked:
- C:\Temp\fxpkcs11.log - for status related to all actions through the PKCS11 library.
- C:\Program Files\CertAgent7\install.log - for CertAgent installation status.
- C:\Program Files\CertAgent7\install-hsql.log - for HyperSQL installation status.
At the end of the installation, CertAgent will create a Readme.txt file. Read it and follow its post-installation instructions.
The following sections describe steps that can be taken to verify that CertAgent is communicating correctly with the Vectera Plus.
These steps require the certificates installed by CertAgent to be added to your web browser's trusted certificate list.
Once the installation completes, you can log in to the HSM via Excrypt Manager to verify that the keys have been generated and stored on the HSM.
The Futurex CLI can also be used to validate the installation. Once connected using the "connect usb" command, run the following commands to verify that the keys exist on the Vectera Plus:
If all 6 keys are present, the installation was successful.
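As an added post-installation check (not part of the Futurex or CertAgent documentation), the following PowerShell script confirms that the pieces this guide configures are in place: the PKCS #11 library at its path, the HyperSQL and TLS ports listening, and the three installation logs free of error lines. The default paths come from this guide; the admin and public TLS ports are the values you chose during installation and must be passed in.

```powershell
# Added post-install check; not from the CertAgent or Futurex documentation.
# Assumptions: default paths from this guide; $AdminPort/$PublicPort are the
# TLS ports chosen during installation and must be supplied by the operator.
param(
    [string]$Pkcs11Dll    = 'C:\Program Files\Futurex\FXPKCS11.dll',
    [string]$CertAgentDir = 'C:\Program Files\CertAgent7',
    [int]$HsqlPort   = 9001,   # 9002 or 9003 if chosen at install time
    [int]$AdminPort  = 0,      # set to the <admin port> chosen during install
    [int]$PublicPort = 0       # set to the <public port> chosen during install
)

function Test-ListeningPort([int]$Port) {
    # $true if a local process is listening on TCP $Port
    return [bool](Get-NetTCPConnection -State Listen -LocalPort $Port `
                  -ErrorAction SilentlyContinue)
}

# 1. The PKCS #11 library CertAgent was pointed at during installation
if (Test-Path $Pkcs11Dll) { "OK   PKCS#11 library found: $Pkcs11Dll" }
else                      { "FAIL PKCS#11 library missing: $Pkcs11Dll" }

# 2. HyperSQL database listener
if (Test-ListeningPort $HsqlPort) { "OK   HyperSQL listening on $HsqlPort" }
else                              { "FAIL nothing listening on HyperSQL port $HsqlPort" }

# 3. Admin and Public TLS listeners
foreach ($p in @{ Admin = $AdminPort; Public = $PublicPort }.GetEnumerator()) {
    if ($p.Value -le 0) { "SKIP $($p.Key) TLS port not supplied"; continue }
    if (Test-ListeningPort $p.Value) { "OK   $($p.Key) site listening on $($p.Value)" }
    else                             { "FAIL $($p.Key) site not listening on $($p.Value)" }
}

# 4. Installation logs: show the tail and flag lines mentioning errors
$logs = @('C:\Temp\fxpkcs11.log',
          (Join-Path $CertAgentDir 'install.log'),
          (Join-Path $CertAgentDir 'install-hsql.log'))
foreach ($log in $logs) {
    if (-not (Test-Path $log)) { "WARN log not found: $log"; continue }
    "---- $log (last 5 lines) ----"
    Get-Content $log -Tail 5
    $errs = Select-String -Path $log -Pattern 'error|fail'
    if ($errs) { "WARN $($errs.Count) line(s) matching error/fail in $log" }
    else       { "OK   no error/fail lines in $log" }
}
```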
Open a command terminal and navigate to the CertAgent installation location. Then run the command "certagent setpin" and set a PIN in the terminal.
Navigate to the System PIN Entry page shown in the Readme.txt and follow the instructions provided in the file.
Once System PIN Entry is complete, the Readme.txt file also provides the three links for the System Administrative Site, the CA Account Site, and the Public Site:
- System Administrative Site: Admin controls over the system and server; configuration settings can also be changed here. Must connect with the Admin certificate.
- CA Account Site:
  - When connected with the Admin certificate, allows certificate enrollment, management, CRL, and other settings to be configured.
  - When connected with the Operations certificate, allows CSRs to be approved, signed, revoked, and other certificate enrollment tasks to be completed.
- Public Site: Allows users to enroll, upload, and retrieve certificates to and from the HSM when connected with the Client certificate.
Using the Public Site, send a certificate signing request with the "Enroll" function. With Internet Explorer, you can generate a key for a certificate to be signed by the HSM; Firefox cannot generate a key for you.
After sending the CSR, log in to the CA Account Site using the Operations certificate, find the certificate in the pending section, and issue it. If the application is correctly configured with the HSM, the certificate can be issued and retrieved entirely from the web interface.