Generate a PKI key pair and CSR for the Excrypt Touch
For BYOK, you must issue the Excrypt Touch a client certificate signed by a {{vc}} certificate authority for mutually authenticated communication between the two endpoints. This section walks through the process for generating a new PKI key pair and certificate signing request (CSR) on the Excrypt Touch and submitting it to the {{vc}} support team to be validated, approved, and issued.

Log in to the Excrypt Touch internal HSM

The configuration steps in this section require you to be logged in to the internal HSM on the Excrypt Touch. To do so, perform the following steps:

1. From the Excrypt Touch dashboard, open the Excrypt Touch menu by touching the vertical black bar on the right side of the screen and swiping left.
2. In the Excrypt Touch menu, select or touch the User Management icon in the upper right corner, and select [ Login ] in the User Management drop-down menu.
3. Log in with your administrator identities (such as Admin1 and Admin2).

A message appears at the top of the screen indicating whether the authentication succeeded.

Generate a PKI key pair

Perform the following steps to generate a new PKI key pair on the Excrypt Touch:

1. Open the Excrypt Touch menu and select the Key Management icon to display options for key and certificate management, and select the Manage PKI Keys menu item.
2. In the Manage PKI Keys menu, select [ Add ].
3. In the Generate PKI Keys wizard, specify a name for the new key pair, such as BYOK, and select [ Generate ].

A message should appear at the top of the screen indicating that the PKI was generated successfully.

Export a CSR

Perform the following steps to export a certificate signing request (CSR) on the Excrypt Touch:

1. From the Manage PKI Keys menu, select the PKI generated in the previous step, and select [ Create CSR ].
2. Fill in the CSR information fields, select an export location, specify a file name, then select [ Generate ].

The common name for the Excrypt Touch CSR cannot contain any spaces and must be in the following format:

excrypt touch logical sn virtucrypt account code

You can find the logical SN (serial number) of the Excrypt Touch on the external label of the device and your {{ch}} account code by logging in to your VirtuCrypt Intelligence Portal (VIP) account and going to the Settings > General menu, where it is displayed in the User Management section. {{futurex}} uses the information contained in the common name of the CSR to authenticate the Excrypt Touch.

A message appears at the top of the screen indicating that the CSR was generated successfully.

Send the CSR file, SHA-512 hash, and request form to {{futurex}} support

To enforce data integrity verification, you must generate a SHA-512 hash of the CSR file. Include this in your request to the {{futurex}} support team, along with the CSR file and a completed request form.

Generate a SHA-512 hash of the CSR file

To generate a SHA-512 hash of the CSR file, use the following OpenSSL command in a terminal:

```
openssl req -in your-csr-file.csr -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha512
```

Complete the request form

Fill in the {{futurex}} mTLS client certificate request form with details similar to the following example:

| Field | Details |
| --- | --- |
| Customer name | Test Customer |
| VirtuCrypt account code | d929b49f3b46 |
| Environment | Test or Production |
| Product | Excrypt |
| Serial number | Serial number of 1 device |
| Interface | Web UI admin production / Excrypt international REST API BYOK Other (provide details) |
| Algorithm | ECC or RSA |
| Requester name | John Doe |
| Request email | customer@test.com |
| Requester phone | +1 555 369 7410 |
| Approver details | pkiapproval@customer.test |
| Internal request number | 123456 |

Send email to the support team

Send the CSR, SHA-512 hash, and request form to support@futurex.com.

Validation, approval, and issuance of the client certificate

When we receive a request, our team carefully reviews it and creates a case. We then assign the case to one of our {{vc}} support engineers, who undertakes the following steps:

1. Sending a confirmation email with the assigned case number.
2. Verifying the request authorization with the customer's assigned approval team.
3. Validating the SHA-512 hash and reviewing the request form with the customer requester.

Our team then proceeds with the certificate issuance process, and after completing the process, we upload the signed certificate to https://share.futurex.com/.

{{vc}} support provides the customer requester with instructions for downloading the signed certificate from https://share.futurex.com/, and then helps test the client certificate to ensure that you can successfully connect to {{vc}}.
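
A pre-submission check for the exported CSR, added here as an example (it is not part of the original page or the vendor's tooling): it rejects a common name that is empty or contains spaces, then prints the value from the OpenSSL command in the hash step, which is the SHA-512 digest of the DER-encoded public key carried in the CSR. The function names, the self-signature check, and the throwaway sample CSR helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-submission check for a CSR exported from the Excrypt Touch.
# All function names here are hypothetical, not part of any vendor tooling.

# Print the CSR's common name (prints nothing if the subject has none).
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= //p'
}

# Print the digest from the page's pipeline as bare hex: SHA-512 over the
# DER-encoded public key carried in the CSR.
csr_pubkey_sha512() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha512 | awk '{print $NF}'
}

# Return 0 and print the digest only if the CSR parses, its self-signature
# verifies, and the common name is non-empty and contains no spaces.
csr_preflight() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || {
        echo "error: $1 is not a valid CSR" >&2; return 1; }
    cn=$(csr_common_name "$1")
    case "$cn" in
        "")    echo "error: CSR has no common name" >&2; return 1 ;;
        *" "*) echo "error: common name contains spaces: $cn" >&2; return 1 ;;
    esac
    csr_pubkey_sha512 "$1"
}

# Constructed sample input for trying the check without a device: a throwaway
# CSR and key. $1 = common name, $2 = output path for the CSR.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" \
        -out "$2" -subj "/CN=$1" >/dev/null 2>&1
}

# Usage: sh csr_preflight.sh your-csr-file.csr
if [ -n "$1" ]; then csr_preflight "$1"; fi
```

Run it against the exported file before emailing the request; the printed hex string is the value to include alongside the CSR and the request form.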