
Tutorial: OpenVPN Connect Integration with Futurex CryptoHub

Abstract

Integrate OpenVPN Connect with Futurex CryptoHub using PKCS #11. Store VPN client private keys on CryptoHub hardware, protect certificates from theft, and authenticate securely with OpenVPN Access Server.

Overview

This tutorial shows how to store OpenVPN client certificates and private keys on a Futurex CryptoHub and use them with OpenVPN Connect through PKCS #11 integration.

Once the key has been imported, OpenVPN Connect uses it through the CryptoHub: the private key is not present in the OpenVPN profile or on the client's file system, which reduces the risk of credential theft and unauthorized VPN access.

Even if an attacker obtains a user's OpenVPN profile, they still need access to the Futurex CryptoHub configuration and the required PIN to authenticate successfully.

The goal of this integration is to provide hardware-backed protection for VPN client credentials and add an additional layer of security to VPN authentication.

Architecture overview

In this integration:

  1. OpenVPN Connect uses a PKCS #11 module.

  2. The PKCS #11 module communicates with the Futurex CryptoHub.

  3. The client certificate and private key are stored on the CryptoHub.

  4. OpenVPN Connect uses the CryptoHub-hosted key to authenticate to Access Server.

This tutorial consists of the following phases:

  1. Deploy the OpenVPN Connect service in CryptoHub.

  2. Deploy a client endpoint.

  3. Install and validate the Futurex PKCS #11 module.

  4. Create an RSA certificate authority in Access Server.

  5. Generate a client profile and PKCS #12 package.

  6. Import the certificate and key into CryptoHub.

  7. Configure OpenVPN Connect to use the CryptoHub certificate.

  8. Test the VPN connection.

Prerequisites

OpenVPN Connect requirements

  • Windows or macOS

  • OpenVPN Connect 3.3 or newer

Access Server requirements

  • Console access with root privileges

  • Admin Web UI access

CryptoHub requirements

  • Futurex CryptoHub 7.0.3.x or newer

  • Platform Master Key loaded

  • Network configuration completed

  • Administrator access

Network requirements

  • Connectivity from the OpenVPN Connect host to the CryptoHub

  • Outbound TCP 2001 allowed

  • CryptoHub reachable from the OpenVPN Connect host by FQDN or IP address (allow-list its address or CIDR range in any network filtering)

  • CryptoHub exempt from TLS inspection or proxy filtering

Deploy the OpenVPN Connect service in CryptoHub

  1. Sign in to the CryptoHub under dual control using your administrator identities.

  2. In the left navigation panel, select Services, and find the service called OpenVPN Connect.

    Tip

    You can also find OpenVPN Connect using the search bar.

  3. Select Deploy.

  4. Configure the following Service Setup settings:

    • Service Name: Leave as default (application name).

    • Service Category: Leave as default.

  5. Select Next.

  6. Configure the following Access Control settings:

    • Authorized Resources: Your role has access to this service by default.

    • Add Additional Resources: Optional.

  7. Select Next.

  8. Configure the following Service Info setting:

    • Authentication Mechanisms: Leave as default.

  9. Select Deploy.

Deploy a client endpoint

This endpoint is a device authorized to access the OpenVPN Connect service you deployed in the previous phase.

  1. In the left navigation panel, select Home.

  2. Under Deployed Services, locate and select OpenVPN Connect.

  3. Select ENDPOINTS.

  4. Under Manage Endpoints, select Add New.

  5. In the Add Endpoint dialog:

    • Endpoint Identifier: Enter an identifier or leave it empty for auto-generation.

    • CryptoHub Hostname: Leave as default.

    • Platform: Select the Platform for the endpoint.

  6. Select Add Endpoint.

    • The browser prompts you to download a ZIP file containing the Futurex PKCS #11 module, TLS certificates, and a preconfigured configuration file to connect to your CryptoHub instance.

  7. Save this ZIP file. You'll use it in the next step to install and configure the Futurex PKCS #11 module.

Tip

If you want to change an endpoint's PIN/password, go to Identity and Access → Applications & Partitions. Find the application you deployed, and under Manage, select Authentication. This opens a dialog where you can change the endpoint's PIN or password.

Install and validate the Futurex PKCS #11 module

Use the endpoint package ZIP file downloaded in the previous phase.

Choose the platform where OpenVPN Connect is installed:

  • Windows

  • macOS

Windows

Step 1: Extract the CryptoHub package

  1. Locate the endpoint package ZIP file downloaded when you added the client endpoint.

  2. Extract the ZIP file to a temporary directory.

  3. Verify that the package contains the following files:

    • PKCS11Manager.exe: Tests connectivity to CryptoHub and performs basic PKCS #11 operations, such as signing in and generating random data.

    • ca-chain.pem: CA certificate bundle.

    • client-cert.pem: Client TLS certificate.

    • client.p12: Encrypted PKCS #12 bundle containing the client certificate, private key, and CA chain.

    • configTest.exe: Validates the PKCS #11 configuration and CryptoHub connectivity.

    • fxpkcs11.cfg: Futurex PKCS #11 configuration file.

    • fxpkcs11.dll: Futurex PKCS #11 library.

    • CryptoHub <number>.cer: Auto-generated CryptoHub CA certificate.

    • Futurex Test Root CA (ECC).cer or Futurex Test Root SSL CA.cer: Futurex test root certificate (which one is present depends on your CryptoHub connection type).

Step 2: Install the PKCS #11 files

  1. Create a Futurex directory as an administrator: C:\Program Files\Futurex\fxpkcs11.

  2. Copy all extracted files into: C:\Program Files\Futurex\fxpkcs11.

  3. Verify that fxpkcs11.cfg exists in the directory.

    Tip

    By default, the Futurex PKCS #11 library expects to find fxpkcs11.cfg in this location.

Optional: Use a custom configuration location

If you want to store the configuration file in a different location:

  1. Open PowerShell as Administrator.

  2. Set the environment variable for the current PowerShell session:

    $env:FXPKCS11_CFG = "C:\custom\path\to\fxpkcs11.cfg"

    Or, create a permanent machine-wide setting:

    [System.Environment]::SetEnvironmentVariable("FXPKCS11_CFG", "C:\custom\path\to\fxpkcs11.cfg", "Machine")

    Tip

    If you choose the permanent option, you will need to restart your PowerShell session for the changes to take effect.

  3. If you use a custom configuration location, ensure all TLS files referenced in the config are in the same directory.

Configure certificate locations

By default, the FXPKCS11 module expects the certificate files referenced in the configuration file to be in the same directory as the configuration file itself, wherever that file is located.

If you store your certificate files elsewhere, you can update the certificate paths in the configuration file:

  1. Open fxpkcs11.cfg in a text editor.

  2. Review the following settings:

    • PROD-TLS-KEY: Path to the client.p12 PKCS#12 file.

    • PROD-TLS-CA: Path to the CryptoHub <number>.cer file.

    • PROD-TLS-CA: Path to the Futurex Test Root CA (ECC).cer or Futurex Test Root SSL CA.cer file (depending on your CryptoHub connection type).

  3. Verify the paths point to the correct certificate files.

  4. If you moved the certificate files to another location, update the paths accordingly.

  5. Save the configuration file.

Step 3: Secure the PKCS #12 password

By default, fxpkcs11.cfg holds the PKCS #12 password in plaintext. Move it into a machine-level environment variable instead, so the configuration file no longer contains the secret. Be clear about what this does and does not buy you: a machine-level variable is stored unencrypted in the registry and is readable by any process on the machine, so it keeps the password out of a file that is easy to copy, but it does not protect it from a local administrator. Keep the ACLs on the Futurex directory restricted accordingly.

  1. Open PowerShell as an Administrator.

  2. Extract the password from fxpkcs11.cfg:

    $pass = (Get-Content "C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg" | Select-String "PROD-TLS-KEY-PASS").Line -replace '.*<PROD-TLS-KEY-PASS>\s*(.*?)\s*<\/PROD-TLS-KEY-PASS>.*', '$1'
  3. Store the password as a machine-level environment variable:

    [System.Environment]::SetEnvironmentVariable("PKCS11_P12", $pass, "Machine")
  4. Close PowerShell and open a new PowerShell session as Administrator.

  5. Verify the variable was created successfully:

    [System.Environment]::GetEnvironmentVariable("PKCS11_P12", "Machine")
  6. Update fxpkcs11.cfg to reference the environment variable:

    $config = Get-Content "C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg" -Raw
    $config = $config -replace '<PROD-TLS-KEY-PASS>.*?</PROD-TLS-KEY-PASS>', '<PROD-TLS-KEY-PASS> env:PKCS11_P12 </PROD-TLS-KEY-PASS>'
    Set-Content "C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg" $config
  7. Verify the update was applied successfully:

    Select-String -Path "C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg" -Pattern "<PROD-TLS-KEY-PASS> env:PKCS11_P12 </PROD-TLS-KEY-PASS>"

Step 4: Remove plaintext credentials

The <CRYPTO-OPR-PASS> entry contains the plaintext password (PIN) used to authenticate the crypto user. Comment out or remove this entry so that OpenVPN Connect prompts for the PIN each time it opens the token instead of reading it from disk:

  • Comment out (prepend a #) or delete this entry in fxpkcs11.cfg:

    $configPath = "C:\Program Files\Futurex\fxpkcs11\fxpkcs11.cfg"
    (Get-Content $configPath) -replace '^\s*(<CRYPTO-OPR-PASS>)', '# $1' | Set-Content $configPath

    Tip

    If you remove the password instead of commenting it out, store it securely because you'll need it later when connecting to the VPN.

Step 5: Register the PKCS #11 module

  1. Open PowerShell as Administrator.

  2. Add the Futurex directory to the system PATH:

    [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "Machine") + ";C:\Program Files\Futurex\fxpkcs11","Machine")
  3. Create the OpenVPN Connect PKCS #11 module directory:

    New-Item -Path "C:\Program Files\OpenVPN Connect\pkcs11_modules" -ItemType Directory
  4. Copy the Futurex PKCS #11 library:

    Copy-Item "C:\Program Files\Futurex\fxpkcs11\fxpkcs11.dll" -Destination "C:\Program Files\OpenVPN Connect\pkcs11_modules\fxpkcs11.dll"
  5. Continue to validation.

Step 6: Validate the installation with configTest

  1. Open PowerShell as Administrator.

  2. Run the validation tool:

    & "C:\Program Files\Futurex\fxpkcs11\configTest.exe"
  3. Confirm that the connection test succeeds.

    Tip

    If you see the message, "Windows protected your PC," select More info, then select Run anyway to allow the test to run.

Step 7: Validate the installation with PKCS11Manager

  1. Open PowerShell as Administrator.

  2. Run PKCS11Manager:

    & "C:\Program Files\Futurex\fxpkcs11\PKCS11Manager.exe"
  3. Confirm that the connection test succeeds.

  4. Perform a simple operation, such as generating random data (option 8).

    Tip

    If you see the message, "Windows protected your PC," select More info, then select Run anyway to allow the test to run.

macOS

Step 1: Extract the CryptoHub package

  1. On the macOS host running OpenVPN Connect, open a terminal window.

  2. Create the fxpkcs11 directory:

    sudo mkdir -p /usr/local/lib/fxpkcs11
  3. Extract the ZIP file:

    sudo unzip /path/to/Identifier-OpenVPN.zip -d /usr/local/lib/fxpkcs11

    Update the path to the actual filepath and filename of your CryptoHub package.

  4. Verify that the package contains the following files:

    • PKCS11Manager: Tests connectivity to CryptoHub and performs basic PKCS #11 operations, such as signing in and generating random data.

    • ca-chain.pem: CA certificate bundle.

    • client-cert.pem: Client TLS certificate.

    • client.p12: Encrypted PKCS #12 bundle containing the client certificate, private key, and CA chain.

    • configTest: Validates the PKCS #11 configuration and CryptoHub connectivity.

    • fxpkcs11.cfg: Futurex PKCS #11 configuration file.

    • libfxpkcs11.dylib: Futurex PKCS #11 library.

    • CryptoHub <number>.cer: Auto-generated CryptoHub CA certificate.

    • Futurex Test Root CA (ECC).cer or Futurex Test Root SSL CA.cer: Futurex test root certificate (which one is present depends on your CryptoHub connection type).

  5. Remove the macOS quarantine attribute from the extracted files:

    sudo xattr -dr com.apple.quarantine /usr/local/lib/fxpkcs11

    Tip

    macOS may block the Futurex PKCS #11 files because they were downloaded from a web browser. This command removes the quarantine attribute so OpenVPN Connect and the validation tools can run without additional approval prompts. Removing the attribute bypasses Gatekeeper's check on these binaries, so apply it only to the package you downloaded directly from your own CryptoHub.

    If you skip this step, you may need to manually approve the files in System Settings → Privacy & Security and restart OpenVPN Connect for the integration to work.

Step 2: Install the PKCS #11 files

  1. Navigate to the FXPKCS11 directory:

    cd /usr/local/lib/fxpkcs11
  2. Move the following files to /etc (default, expected location):

    • CryptoHub <number>.cer

    • Futurex Test Root CA (ECC).cer or Futurex Test Root SSL CA.cer

    • client.p12

    • fxpkcs11.cfg

    sudo mv 'CryptoHub '*.cer 'Futurex Test Root '*.cer client.p12 fxpkcs11.cfg /etc/

    client.p12 holds the TLS client key for the CryptoHub connection, and fxpkcs11.cfg holds its password and, until Step 4, the crypto user PIN. Make sure these files are readable only by the account that runs OpenVPN Connect.

Optional: Use a custom configuration location

If you want to store the configuration files in a different location:

  1. Open a terminal window.

  2. Define the environment variable for the current terminal session:

    export FXPKCS11_CFG=/path/to/your/fxpkcs11.cfg

    A variable exported in a shell is only seen by processes started from that shell. OpenVPN Connect launched from the Dock or Finder doesn't read it; either launch the app from the same terminal, or set the variable for your login session with launchctl setenv.

Configure certificate locations

By default, the FXPKCS11 module expects the certificate files referenced in the configuration file to be located in the same directory. This applies regardless of the configuration file location.

If you store your certificate files elsewhere, you can update the certificate paths in the configuration file:

  1. Open fxpkcs11.cfg in a text editor.

  2. Review the following settings:

    • PROD-TLS-KEY: Path to the client.p12 PKCS#12 file.

    • PROD-TLS-CA: Path to the CryptoHub <number>.cer file.

    • PROD-TLS-CA: Path to the Futurex Test Root CA (ECC).cer or Futurex Test Root SSL CA.cer file (depending on your CryptoHub connection type).

  3. Verify the paths point to the correct certificate files.

  4. If you moved the certificate files to another location, update the paths accordingly.

  5. Save the configuration file.

Step 3: Secure the PKCS #12 password

By default, fxpkcs11.cfg stores the PKCS #12 password in plaintext. Move the password out of the configuration file and into the PKCS11_P12 environment variable instead. On macOS, you can use either:

  • Session environment variable: Temporary and only available for the current shell session and the processes started from it.

  • macOS Keychain: Persistent across sessions; the shell loads it into the environment at startup.

Either way, the variable is only visible to processes started from a shell that exported it. OpenVPN Connect launched from the Dock or Finder doesn't read ~/.zshrc, so if the connection fails once the env: reference is in place, launch the app from a terminal where the variable is set, or set it for your login session with launchctl setenv.

Important

If you changed the default location for the configuration file, ensure you use the correct path in the commands below.

Option 1: Use a session environment variable

Use this option for temporary testing.

  1. Extract the password from fxpkcs11.cfg and store it as a session environment variable. The expression uses [[:space:]] rather than \s, which macOS (BSD) sed doesn't recognize, and trims the whitespace around the value:

    export PKCS11_P12=$(sed -n 's/.*<PROD-TLS-KEY-PASS>[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*<\/PROD-TLS-KEY-PASS>.*/\1/p' /etc/fxpkcs11.cfg)
  2. Confirm the environment variable was set correctly:

    echo $PKCS11_P12
  3. Update the <PROD-TLS-KEY-PASS> entry in fxpkcs11.cfg to reference the environment variable:

    sudo sed -i '' 's|<PROD-TLS-KEY-PASS>.*</PROD-TLS-KEY-PASS>|<PROD-TLS-KEY-PASS> env:PKCS11_P12 </PROD-TLS-KEY-PASS>|' /etc/fxpkcs11.cfg
  4. Confirm the change was applied:

    grep "PROD-TLS-KEY-PASS" /etc/fxpkcs11.cfg
    • The configuration file should now reference env:PKCS11_P12 instead of storing the PKCS #12 password directly.

Option 2: Use macOS Keychain

Use this option for a persistent setup.

  1. Extract the password from fxpkcs11.cfg and store it in the macOS Keychain:

    security add-generic-password -a "pkcs12" -s "fxpkcs11" -w "$(sed -n 's/.*<PROD-TLS-KEY-PASS>[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*<\/PROD-TLS-KEY-PASS>.*/\1/p' /etc/fxpkcs11.cfg)"

    The password briefly appears in the process list as an argument to security. If you'd rather paste it at a hidden prompt, put -w at the end of the command with no value.
  2. Add a command to ~/.zshrc to load the password from Keychain automatically:

    echo 'export PKCS11_P12=$(security find-generic-password -a "pkcs12" -s "fxpkcs11" -w)' >> ~/.zshrc
    source ~/.zshrc

    Tip

    If you're using a bash shell, replace ~/.zshrc with ~/.bash_profile.

  3. Confirm the environment variable was set correctly:

    echo $PKCS11_P12
  4. Update the <PROD-TLS-KEY-PASS> entry in fxpkcs11.cfg to reference the environment variable:

    sudo sed -i '' 's|<PROD-TLS-KEY-PASS>.*</PROD-TLS-KEY-PASS>|<PROD-TLS-KEY-PASS> env:PKCS11_P12 </PROD-TLS-KEY-PASS>|' /etc/fxpkcs11.cfg
  5. Confirm the change was applied:

    grep "PROD-TLS-KEY-PASS" /etc/fxpkcs11.cfg

Step 4: Remove plaintext credentials

The <CRYPTO-OPR-PASS> entry contains the plaintext password used to authenticate the crypto user. Comment out or remove this entry from the configuration file:

  1. Comment out the <CRYPTO-OPR-PASS> entry:

    sudo sed -i '' '/<CRYPTO-OPR-PASS>.*<\/CRYPTO-OPR-PASS>/s/^/#/' /etc/fxpkcs11.cfg
  2. Verify the line was commented out successfully:

    grep "CRYPTO-OPR-PASS" /etc/fxpkcs11.cfg
  3. Confirm the output begins with #:

    #<CRYPTO-OPR-PASS>password</CRYPTO-OPR-PASS>

Tip

If you remove the password instead of commenting it out, store it securely because you'll need it later when connecting to the VPN.

Step 5: Register the PKCS #11 module

OpenVPN Connect needs to find the Futurex PKCS #11 library before it can use the CryptoHub certificate.

  1. Locate the library:

    /usr/local/lib/fxpkcs11/libfxpkcs11.dylib
  2. Open the terminal.

  3. Create the OpenVPN Connect PKCS #11 module directory if it doesn't already exist:

    mkdir -p ~/.pkcs11_modules
  4. Create a symlink to the library:

    ln -s /usr/local/lib/fxpkcs11/libfxpkcs11.dylib ~/.pkcs11_modules/libfxpkcs11.dylib
  5. Confirm the symlink was created:

    ls -al ~/.pkcs11_modules
    • Example output:

      lrwxr-xr-x  1 username  staff  45 Jan 1 12:00 libfxpkcs11.dylib -> /usr/local/lib/fxpkcs11/libfxpkcs11.dylib

Step 6: Validate the installation with configTest

  1. Run the configuration test tool:

    /usr/local/lib/fxpkcs11/configTest
  2. Confirm the connection test succeeds.

  3. If you see this permission error:

    -bash: /usr/local/lib/fxpkcs11/configTest: Permission denied

    make the file executable:

    sudo chmod +x /usr/local/lib/fxpkcs11/configTest
  4. Run the test again:

    /usr/local/lib/fxpkcs11/configTest

Step 7: Validate the installation with PKCS11Manager

  1. Run PKCS11Manager:

    /usr/local/lib/fxpkcs11/PKCS11Manager
  2. Confirm the connection test succeeds.

  3. If you see this permission error:

    -bash: /usr/local/lib/fxpkcs11/PKCS11Manager: Permission denied

    make the file executable:

    sudo chmod +x /usr/local/lib/fxpkcs11/PKCS11Manager
  4. Run PKCS11Manager again:

    /usr/local/lib/fxpkcs11/PKCS11Manager
  5. Perform a simple operation, such as generating random data (option 8).

Step 8: Troubleshoot validation issues

Use this section if configTest or PKCS11Manager fails.

  1. Check the FXPKCS11 log file:

    • Default location: same directory as fxpkcs11.cfg.

    • To customize, modify the LOG-FILE setting in fxpkcs11.cfg.

  2. Verify the following:

    • The PKCS #11 PIN is correct.

    • fxpkcs11.cfg is in the correct location.

    • PKCS11_P12 has the correct value.

    • The referenced TLS files are in the expected location:

      • client.p12

      • CryptoHub <number>.cer

      • Futurex Test Root CA (ECC).cer for ECC connections, or Futurex Test Root SSL CA.cer for RSA connections

  3. If you customized the certificate paths in fxpkcs11.cfg, verify each file exists in its configured location.

  4. If macOS blocks libfxpkcs11.dylib, configTest, or PKCS11Manager, remove the quarantine attribute again:

    sudo xattr -dr com.apple.quarantine /usr/local/lib/fxpkcs11
  5. Restart OpenVPN Connect and test again.
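The edits in Steps 3 and 4 (moving the PKCS #12 password into PKCS11_P12 and commenting out CRYPTO-OPR-PASS) and the checklist in Step 8 can be scripted so they are repeatable and re-checkable. The following is an added example written for this page, not Futurex or OpenVPN code: POSIX-shell helpers that run unchanged under macOS (BSD sed and find) and Linux (GNU). It assumes the single-line <TAG> value </TAG> format this tutorial shows for PROD-TLS-KEY-PASS, CRYPTO-OPR-PASS, PROD-TLS-KEY and PROD-TLS-CA, that a leading # comments a line out, and that relative TLS paths resolve against the directory holding the cfg; the sample config in the comments is constructed, and the function names are this example's own.

```shell
# Added example, not Futurex or OpenVPN code. Assumed cfg format (from the
# tutorial): one entry per line, "<TAG> value </TAG>" with or without the
# inner spaces, a leading '#' comments a line out, and relative TLS paths
# resolve against the directory that holds the cfg. A constructed sample:
#   <PROD-TLS-KEY> client.p12 </PROD-TLS-KEY>
#   <PROD-TLS-KEY-PASS> s3cr3t </PROD-TLS-KEY-PASS>
#   <PROD-TLS-CA> CryptoHub 123.cer </PROD-TLS-CA>
#   <CRYPTO-OPR-PASS>1234</CRYPTO-OPR-PASS>

# Print the trimmed value of an active <TAG> line. [[:space:]] instead of \s
# so BSD sed (macOS) and GNU sed (Linux) behave the same; comments are skipped.
cfg_value() {  # cfg_value TAG FILE
    sed -n '/^[[:space:]]*#/d; s/.*<'"$1"'>[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*<\/'"$1"'>.*/\1/p' "$2"
}

# Overwrite FILE with the output of a sed script, via a 0600 temp file, so the
# cfg keeps its owner and mode and no -i flag (GNU vs BSD) is needed.
cfg_edit() {  # cfg_edit SED_SCRIPT FILE
    tmp="$2.tmp.$$"
    ( umask 077; sed "$1" "$2" > "$tmp" ) && cat "$tmp" > "$2"
    st=$?; rm -f "$tmp"; return $st
}

# Step 3: replace the literal PKCS #12 password with an env:VAR reference.
cfg_use_env() {  # cfg_use_env TAG VAR FILE
    cfg_edit 's|<'"$1"'>.*</'"$1"'>|<'"$1"'> env:'"$2"' </'"$1"'>|' "$3"
}

# Step 4: prepend '#' to an active <TAG> line; already-commented lines stay as they are.
cfg_comment_out() {  # cfg_comment_out TAG FILE
    cfg_edit '/^[[:space:]]*#/!s|^\([[:space:]]*<'"$1"'>\)|#\1|' "$2"
}

# Step 8 checklist: returns 0 when PROD-TLS-KEY-PASS is an env: reference, no
# active CRYPTO-OPR-PASS remains and every PROD-TLS-KEY / PROD-TLS-CA file
# exists; prints each finding otherwise. World-readable TLS files are reported
# as warnings only, because the right owner depends on which account runs
# OpenVPN Connect.
cfg_audit() {  # cfg_audit FILE
    a_cfg="$1"; a_dir=$(dirname "$a_cfg"); a_rc=0
    case "$(cfg_value PROD-TLS-KEY-PASS "$a_cfg")" in
        env:*) ;;
        "")    echo "PROD-TLS-KEY-PASS: no active entry"; a_rc=1 ;;
        *)     echo "PROD-TLS-KEY-PASS: literal password still in cfg"; a_rc=1 ;;
    esac
    if [ -n "$(cfg_value CRYPTO-OPR-PASS "$a_cfg")" ]; then
        echo "CRYPTO-OPR-PASS: plaintext PIN still active"; a_rc=1
    fi
    a_paths=$(cfg_value PROD-TLS-KEY "$a_cfg"; cfg_value PROD-TLS-CA "$a_cfg")
    a_ifs=$IFS; IFS='
'; set -f          # one path per line; no globbing of names like "CryptoHub 123.cer"
    for p in $a_paths; do
        case "$p" in /*) f="$p" ;; *) f="$a_dir/$p" ;; esac
        if [ ! -f "$f" ]; then
            echo "missing TLS file: $f"; a_rc=1
        elif [ -n "$(find "$f" -perm -o+r)" ]; then
            echo "warn: world-readable: $f"
        fi
    done
    IFS=$a_ifs; set +f
    return $a_rc
}
```

Usage on the macOS default layout: cfg_use_env PROD-TLS-KEY-PASS PKCS11_P12 /etc/fxpkcs11.cfg, then cfg_comment_out CRYPTO-OPR-PASS /etc/fxpkcs11.cfg, then cfg_audit /etc/fxpkcs11.cfg (under sudo where /etc requires it). Run the audit again whenever configTest fails; it covers the same items Step 8 lists. The Windows steps make the same two edits with PowerShell.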

Create an RSA certificate authority in Access Server

Futurex PKCS #11 integration requires an RSA certificate authority (CA). In this step, you'll create a new 2048-bit or 4096-bit RSA CA in Access Server.

Choose one of the following methods:

  • Admin Web UI

  • Command-line interface (CLI)

Create an RSA CA from the Admin Web UI

  1. Sign in to the Access Server Admin Web UI.

  2. Select Certificate Management → VPN Server Certificate Authority.

  3. Select New CA Certificate.

  4. Configure the certificate authority:

    • Common name: Enter a name for the CA.

    • Signing algorithm: Under RSA (best compatibility), select either:

      • rsa2048

      • rsa4096

  5. Select Add New CA and Restart.

    • Access Server creates the new RSA certificate authority and restarts its services.

Create an RSA CA from the command line

  1. Connect to the console and get root privileges.

  2. Create the certificate authority:

    /usr/local/openvpn_as/scripts/sa --key_algorithm=rsa --keysize=2048 --newca_cn=Futurex_CA AddCAGeneration

    • key_algorithm: rsa

    • keysize: 2048 or 4096

    • newca_cn: Name for the CA certificate (replace Futurex_CA with your desired name)

  3. Restart Access Server:

    systemctl restart openvpnas
  4. Verify the new certificate authority:

    sacli showCAs
    • The newly created RSA certificate authority appears in the command output.

Generate a client profile and PKCS #12 package

In this step, you'll create an OpenVPN connection profile, extract the certificate components, and package the client certificate and private key into a PKCS #12 file for import into the CryptoHub.

Create the client profile

  1. Connect to your Access Server console and get root privileges.

  2. Generate a user-locked profile:

    sacli --prefer-tls-crypt-v2 --user brandonqa GetUserlogin > brandonqa_futurex.ovpn

    Replace brandonqa with your VPN username and brandonqa_futurex.ovpn with your preferred connection profile name.

Result: A new OpenVPN connection profile is created.

Extract the certificate components

  1. Extract the CA certificate:

    sed -n '/<ca>/,/<\/ca>/p' brandonqa_futurex.ovpn | sed '1d;$d' > ca.crt
  2. Extract the client certificate:

    sed -n '/<cert>/,/<\/cert>/p' brandonqa_futurex.ovpn | sed '1d;$d' > client.crt
  3. Extract the client private key. client.key is the unencrypted private key: keep it readable by root only, and delete it once the import into CryptoHub has succeeded:

    sed -n '/<key>/,/<\/key>/p' brandonqa_futurex.ovpn | sed '1d;$d' > client.key
  4. Remove the client's certificate and private key from the connection profile:

    sed -i '/<cert>/,/<\/cert>/d' brandonqa_futurex.ovpn
    sed -i '/<key>/,/<\/key>/d' brandonqa_futurex.ovpn

Result: The certificate authority certificate, client certificate, and client private key are extracted into separate files.

Create the PKCS #12 package

  1. Create a PKCS #12 package containing the client certificate, private key, and CA certificate.

    openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt -out futurex.p12 -name "brandonqa"
  2. When prompted, create an export password.

  3. Record the password securely.

Result: A PKCS #12 package (futurex.p12) is created and ready for import into the CryptoHub.

Important

You'll need this password when importing the PKCS #12 package in the next step. After the import succeeds, delete client.key, client.crt, and futurex.p12 from the Access Server: the private key now lives in the CryptoHub, and the copies on disk only add places for it to be stolen from.
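The extraction and packaging steps above, as an added example (not OpenVPN or Futurex code) in POSIX shell for the Access Server console. It uses awk instead of the paired sed commands so the tag lines are matched exactly, writes the extracted files with umask 077, strips <cert> and <key> into a copy of the profile rather than editing it in place, and adds the checks a practitioner wants before the bundle leaves the server: that the stripped profile carries no client credentials (but still has its <ca>), and that client.key really is the key for client.crt. It assumes the standard inline-block layout of an Access Server .ovpn (<ca>, <cert> and <key> on their own lines), which the tutorial's sed commands rely on too; the P12_PASS variable and the function names are this example's own.

```shell
# Added example, not OpenVPN or Futurex code. Assumes the profile's inline
# blocks use <ca>, <cert>, <key> tags on their own lines (standard .ovpn).

# Print the lines between <TAG> and </TAG>, without the tag lines.
ovpn_block() {  # ovpn_block TAG PROFILE
    awk -v tag="$1" '
        BEGIN { beg = "<" tag ">"; fin = "</" tag ">" }
        $0 == beg { inside = 1; next }
        $0 == fin { inside = 0; next }
        inside { print }' "$2"
}

# Print PROFILE with every listed <TAG>...</TAG> block removed entirely.
ovpn_strip() {  # ovpn_strip PROFILE TAG...
    f="$1"; shift
    awk -v tags="$*" '
        BEGIN { n = split(tags, t, " ")
                for (i = 1; i <= n; i++) { o["<" t[i] ">"] = 1; c["</" t[i] ">"] = 1 } }
        ($0 in o) { skip = 1; next }
        ($0 in c) { skip = 0; next }
        !skip { print }' "$f"
}

# Split PROFILE into DIR/ca.crt, DIR/client.crt, DIR/client.key and a copy of
# the profile (same file name) without <cert> and <key>. umask 077 keeps the
# plaintext private key readable by its owner only while it waits for import.
ovpn_split() {  # ovpn_split PROFILE DIR
    mkdir -p "$2" || return 1
    ( umask 077
      ovpn_block ca   "$1" > "$2/ca.crt"
      ovpn_block cert "$1" > "$2/client.crt"
      ovpn_block key  "$1" > "$2/client.key"
      ovpn_strip "$1" cert key > "$2/$(basename "$1")" )
}

# Checks worth running before the bundle leaves the box: the stripped profile
# carries no client cert or private key (but still has its <ca>), and, when
# openssl is available, client.key really is the key for client.crt (compared
# through their public keys, which is what the CA-signed cert binds).
ovpn_check() {  # ovpn_check DIR PROFILE_NAME
    p="$1/$2"
    if grep -q -e '<cert>' -e '<key>' -e 'PRIVATE KEY' "$p"; then
        echo "stripped profile still contains client credentials"; return 1
    fi
    grep -q '^<ca>$' "$p" || { echo "stripped profile lost its <ca> block"; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        k=$(openssl pkey -in "$1/client.key" -pubout 2>/dev/null)
        c=$(openssl x509 -in "$1/client.crt" -pubkey -noout 2>/dev/null)
        if [ -z "$k" ] || [ "$k" != "$c" ]; then
            echo "client.key does not match client.crt"; return 1
        fi
    fi
    return 0
}

# Same openssl invocation as the tutorial, with the export password taken from
# the P12_PASS environment variable (assumed name) instead of a prompt, and the
# bundle created 0600.
ovpn_p12() {  # ovpn_p12 DIR FRIENDLY_NAME   (needs openssl and P12_PASS)
    ( umask 077
      openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
          -certfile "$1/ca.crt" -name "$2" -passout env:P12_PASS \
          -out "$1/futurex.p12" )
}
```

On the Access Server: ovpn_split brandonqa_futurex.ovpn ./export, then ovpn_check ./export brandonqa_futurex.ovpn, then P12_PASS=... ovpn_p12 ./export brandonqa. Import ./export/futurex.p12 into CryptoHub and hand ./export/brandonqa_futurex.ovpn (now without <cert> and <key>) to the user; once the import succeeds, remove the export directory.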

Import the certificate and key into CryptoHub

In this step, you'll import the client certificate, private key, and CA certificate into a CryptoHub X.509 Certificate Container.

Create an approval group

  1. Sign in to the CryptoHub using your administrator identities.

  2. Navigate to PKI and CA → PKI Signing Approvals.

  3. Select Add Approval Group.

  4. Enter a name for the approval group, then select OK.

  5. Right-click the new approval group and select Permission.

  6. From the drop-down list, select Service - OpenVPN.

  7. Select Add.

  8. Grant the Use permission.

  9. Select Save.

Result: An approval group is created and assigned to the OpenVPN service.

Create an X.509 Certificate Container

  1. Navigate to PKI and CA → Certificate Management.

  2. Select Add CA.

  3. Configure the container:

    • Name: OpenVPN (or another name of your choice)

    • Host: None

    • Type: X.509

    • Owner Group: Select the OpenVPN service created above.

  4. Select OK.

Result: An X.509 Certificate Container is created.

Allow importing certificates using passwords

  1. Navigate to Classic Tools → Administration → Configuration Tasks → Options.

  2. On the Main tab of the Options menu:

    • Select the Allow import of certificates using passwords checkbox.

  3. Select Save.

Result: CryptoHub now allows importing certificates using passwords.

Import the PKCS #12 package

  1. Navigate to PKI and CA → Certificate Management.

  2. Right-click the X.509 Certificate Container.

  3. Select: Import → PKCS#12.

  4. Browse to and select the futurex.p12 file.

  5. Select Next.

  6. Enter the password for the PKCS #12 and select Next.

  7. Select Finish.

Result: The client certificate, private key, and certificate chain are imported into the Certificate Container.

Create an issuance policy

The Futurex PKCS #11 library uses the issuance policy to locate the client certificate stored on the CryptoHub.

  1. Navigate to PKI and CA → Certificate Management.

  2. Right-click the client certificate beneath the CA certificate.

  3. Select: Issuance Policy → Add.

  4. On the Basic Info tab:

    • Set Approvals to 0.

  5. On the X.509 tab:

    • Select Default approval group.

    • Select the approval group created earlier.

  6. On the Object Signing tab:

    • Enable Allow object signing.

  7. Select OK.

Result: The client certificate is assigned an issuance policy.

Allow anonymous signing

  1. Navigate to PKI and CA → Certificate Management.

  2. Right-click the client certificate.

  3. Select Change Security Usage.

  4. Select: Anonymous Signing.

  5. Select OK.

Result: The client certificate can now be accessed by the Futurex PKCS #11 library. With anonymous signing and zero approvals, no per-operation approval is required, so use of the VPN key is gated only by the endpoint's TLS client certificate (client.p12) and the crypto user PIN. Protect both.

Configure OpenVPN Connect to use the CryptoHub certificate

Assign the CryptoHub certificate to the profile

  1. Close OpenVPN Connect if it's running.

  2. Launch OpenVPN Connect v3.

  3. Import the profile you generated earlier (the .ovpn file with the <cert> and <key> blocks removed).

  4. Navigate to Menu → My Profiles.

  5. Select the edit icon next to the imported profile.

  6. Under Certificates, select Select.

  7. Under Hardware Tokens, select the CryptoHub device. The name appears similar to HSM 1830884596.

  8. Select Authorize.

  9. Enter the PIN configured in the Futurex PKCS #11 configuration.

    Tip

    This is the value that was between <CRYPTO-OPR-PASS> and </CRYPTO-OPR-PASS> in fxpkcs11.cfg before you commented it out or removed it in Step 4.

  10. Select Enter.

  11. Select the imported client certificate and private key.

    Important

    Select the client certificate and private key only. Don't select the CA certificate.

  12. Select Select.

  13. Select Save Changes.

Result: The OpenVPN profile is configured to use the certificate and private key stored in CryptoHub.

Test the VPN connection

  1. Select Connect for the connection profile.

  2. Enter the VPN user password.

  3. Enter the CryptoHub PIN.

  4. Select Enter.

Result: The VPN connection succeeds and OpenVPN Connect displays connection statistics.