This section shows how to generate a Certificate Signing Request (CSR) from a certreq policy file on the computer where you plan to install Microsoft AD RMS. Then, it describes creating a public/private key pair in your Windows account profile after you generate the CSR file. In a later section, the 

 issues a signed certificate from the CSR, for you to associate with the public/private key pair stored in the Windows Certificate Store.

Generate a CSR from the Certreq policy file

Before you start

Generate a CSR from a certreq policy file

ampersand

exclamation_mark

binary_val

diebold

tr-34_rkl

mac_hash

Enabled by default on all Vectera Series HSMs and available as an add-on license for Excrypt Series

general_purpose

data_encrypt

mobile_payment

Supports domestic and int'l. message formats for PIN translation, verification, and key management

Excrypt_ui

p2pe

Equal_sign

Enabled on all Futurex HSMs, regardless of their license or mode.

Core_license

Number_sign

utility

card_verification

authentication

key_management

RKMS3

SKI3

Ambiguous_PIN

Enables protecting a stronger key with a weaker key.

Key_Strength_Bypass

Enables payments-related commands per the AS2805 messaging standard, as defined by AusPayNet.

Australian_Command_Set

Enables the Europay Mastercard Visa (EMV) issuance command set.

EMV_Issuing

Enables Format Preserving Encryption (FPE) FF1 functionality.

FPEFF1

Enables Point-to-Point Encryption (P2PE) functionality. 

P2PE

Enabled by default on all Excrypt Series HSMs and as an add-on license for Vectera Series HSMs.

Financial_Processing

Allows the HSM to use host card emulation commands.

Host_Card_Emulation

Allows the HSM to support commands that will directly output the clear shared secret value.

Clear_Shared_Secret

Enables a host HSM to distribute allowed keys to another HSM.

HSM_key_distribution

Only required if using a Clear PIN rather than a PIN Block.

CPIN

Enables Format Preserving Encryption (FPE) functionality.

Enables Post-Quantum Cryptography (PQC) commands and functionality.

Enables commands requiring Elliptic Curve Cryptography (ECC) functionality.

Enables the Europay Mastercard Visa (EMV) acquiring command set. 

EMV_Acquiring

Enables commands requiring RSA functionality.

key_slot_index

Tilde

Asterisk

t_keyslot

ascii_int

Special_character

uuid_val

ascii_sta

base64

variable

alphanumeric

boolean

binary

integer

numeric

ascii

hexadecimal

alphabetic

base64_value

CH-HSMEX

CH-HSME

CH-HSMP

percent

semicolon

alphabetic_value

numeric_value

bdks

alphanum_value

ascii_exc

hex_value

Guard

test

Vectera

ESSP

Futurex

Configure KMES Series 3

KMES Integration Guides

KMES Integration Guides overview

Configure DigiCert

Configure the KMES Series 3

DigiCert

Configure offline Root CA functionality

Futurex Offline Root CA

Fundamental components of an Issuing CA

Certificate formats, profiles, and extensions

Certificate Authority (CA) workflow

Registration Authority (RA) functionality on the KMES

Integration with third-party tools

Revocation checking mechanisms

Java Keystore (JKS)

Protocols for certificate management

Futurex Online Issuing CA

Create an association between the signed AD CS certificate and the keypair in the Windows Certificate Store

Install and configure the FXCL CNG

Install and configure AD CS

Example of AD CS operations with the KMES Series 3

Appendix: Migrate an existing CA key from software storage to the KMES

Microsoft ADCS

Install  Futurex PKCS #11

Edit the Futurex PKCS #11 configuration file

Install RHCS and deploy the subsystem

Red Hat Certificate System (RHCS)

Configure general KMES Series 3 settings

Configure KMES TLS communication

Configure the Adaptable CA driver

Configure Venafi TPP to use the Futurex Adaptable CA driver

Test a certificate request, approval, and issuance

Appendix: Common errors

Venafi Adaptable CA

Certificate Authority

Install Futurex PKCS #11 (FXPKCS11)

Configure Venafi TPP to integrate with the KMES Series 3

Venafi Control Plane for Machine Identities

Certificate management

Set up communication between AWS Cloud Key Management and the KMES Series 3

Create a customer-managed key in AWS KMS

AWS Cloud Key Management integration and key operations

Job status and log management with the AWS Cloud Key Management integration

Appendix: Futurex certification process

AWS BYOK

Configure Azure credentials for communication with the KMES Series 3

Configure the KMES Series 3 for Integrating with Azure

Azure Key Vault integration and key operations

Job status and log management with the Azure Key Vault BYOK integration

Azure BYOK

Set up Google Cloud External Key Manager (EKM) initially

Set up TLS and authentication on the KMES Series 3

Configure manually managed keys

Configure Google Crypto Space managed keys

Create an externally managed key in Google Cloud

Test encryption and decryption with externally managed key

Appendix: Configure Google VPC and KMS infrastructure

Google Cloud EKM (External Key Manager)

Configure Identity and Access Management (IAM)

Set up the external key service for Google Workspace CSE

Validate and test the integration

Google Workspace Client-Side Encryption

Cloud key management

Install Futurex PKCS #11

Configuring the JAVA_HOME environment variable

Configure SunPKCS11 to use the Futurex PKCS #11 module

Create Java keystore

Use the jarsigner command

Java Jarsigner

Download and configure Jenkins and test the FXCL Jenkins plugin

Jenkins Code Signing

Install Futurex CNG (FXCNG)

Edit the Futurex CNG (FXCNG) configuration file

Import certificates into the Windows certificate store

Associate a private key with a certificate

Test Microsoft SignTool commands

Microsoft SignTool

Code signing

Configure the Futurex PKCS #11 library in vSEC:CMS

Create an Operator Service Key Store with HSM

Verasec vSEC:CMS

Credential management

Install and configure the OpenSSL Engine

Configure Apache HTTP Server

Apache HTTP Server

Install and configure the OpenSSL engine

Configure the Nginx Server

Nginx

Data protection

Data-at-rest encryption and Rapid Data Locking (RDL)

Initial setup

Configure certificates in the FlashArray CLI

Enable Rapid Data Locking (RDL)

Ongoing RDL operation

Pure Storage FlashArray

Configure TLS certificates

Import TLS certificates into TrueNAS and configure KMIP

Create an encrypted dataset

TrueNAS

Configure certificates for TLS authentication between Zettaset and the KMES

Configure authentication and permissions for Zettaset on the KMES Series 3

Zettaset XCrypt Full Disk deployment prerequisites

Configure a Java Keystore with Client PKI for TLS connection to an external KMIP server