Sign and upload the Authentication Suite Server SDK FM module (aal2sdk)


Follow the steps described in this section to sign and upload the Authentication Suite Server SDK FM module.

To sign and upload the FM module

  1. Generate a self-signed certificate and key pair in the user slot:

    ctcert c -s UserSlotID -k -z KeySize -l CertificateName

    ctcert c -s 0 -k -z 2048 -l fmcert

  2. If required, type the user PIN.

  3. Sign the aal2sdk FM module.

    mkfm -k "UserSlotLabel(UserPIN)/CertificateName" -f aal2sdk -o aal2sdk.fm

    mkfm -k "vasco(1234)/fmcert" -f aal2sdk -o aal2sdk.fm

    The mkfm binary has been part of the FM SDK included in the Thales ProtectServer PTK (Thales ProtectServer Toolkit) since version 5.0.0. Prior to PTK 5.0.0, the mkfm binary was part of the PPO SDK (Protect Processing Orange) delivered separately from the PTK. The PPO SDK package was available for Windows, Linux and Solaris only.

  4. Export the certificate from the user slot.

    ctcert x -l CertificateName -s UserSlotID -f CertExportFileName

    ctcert x -l fmcert -s 0 -f fmcert.crt

  5. Import the certificate to the admin slot.

    ctcert i -f CertExportFileName -s AdminSlotID -l CertificateName

    ctcert i -f fmcert.crt -s 1 -l fmcert

  6. If required, type the admin PIN.

  7. Mark the certificate as trusted in the admin slot.

    ctcert t -l CertificateName -s AdminSlotID

    ctcert t -l fmcert -s 1

  8. Upload the signed module to the HSM.

    ctconf -b CertificateName -j aal2sdk.fm

    ctconf -b fmcert -j aal2sdk.fm

  9. If required, type the admin PIN.
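
The six commands from the steps above as a dry-run generator. This is an added example, not part of the vendor documentation: it validates slot IDs and labels before printing the commands and leaves the user PIN as a placeholder. The helper names, the allowed label characters and the rule that the two slot IDs differ are assumptions; the export file name follows the page's fmcert.crt example.

```shell
#!/bin/sh
# Added example: prints the command sequence from the steps above; runs nothing.
# fm_plan, valid_label and valid_number are hypothetical helper names.

# Accept only letters, digits, '_', '.' and '-' (not leading): keeps the '(',
# ')' and '/' delimiters of the mkfm -k argument, and shell metacharacters, out.
valid_label() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Accept only non-empty strings of digits (slot IDs, key size).
valid_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# fm_plan USER_SLOT_ID USER_SLOT_LABEL ADMIN_SLOT_ID CERT_LABEL KEY_SIZE MODULE
fm_plan() {
    [ "$#" -eq 6 ] || { echo "fm_plan: expected 6 arguments" >&2; return 2; }
    u_slot=$1; u_label=$2; a_slot=$3; cert=$4; size=$5; module=$6
    for n in "$u_slot" "$a_slot" "$size"; do
        valid_number "$n" || { echo "fm_plan: not a number: $n" >&2; return 1; }
    done
    for l in "$u_label" "$cert" "$module"; do
        valid_label "$l" || { echo "fm_plan: unsafe label: $l" >&2; return 1; }
    done
    # The steps export from the user slot and import into the admin slot,
    # so identical slot IDs are treated as a typing error (assumption).
    [ "$u_slot" != "$a_slot" ] || { echo "fm_plan: slots must differ" >&2; return 1; }
    # <UserPIN> stays a placeholder: the real PIN is never written into the plan.
    printf '%s\n' \
        "ctcert c -s $u_slot -k -z $size -l $cert" \
        "mkfm -k \"$u_label(<UserPIN>)/$cert\" -f $module -o $module.fm" \
        "ctcert x -l $cert -s $u_slot -f $cert.crt" \
        "ctcert i -f $cert.crt -s $a_slot -l $cert" \
        "ctcert t -l $cert -s $a_slot" \
        "ctconf -b $cert -j $module.fm"
}

# Values from the examples on this page.
fm_plan 0 vasco 1 fmcert 2048 aal2sdk
```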