# Configure the KMIP server certificate

> Configure the CryptoHub KMIP connection pair to use an RSA certificate for the TLS connection with Veeam.

Per [Veeam's official documentation](https://helpcenter.veeam.com/docs/vbr/userguide/kms_certificates.html), the KMS server certificate must meet the following requirements:

* The **Subject** extension must be equal to the fully qualified domain name (FQDN) or IP of the KMS server.
* The server certificate must have valid CRL distribution points specified in the **CRL Distribution Points** extension.
* If the Veeam Backup & Replication server does not trust the Certificate Authority (CA) of the server certificate, it should be added to the Trusted Root Certification Authority store.

This section explains how to configure the KMIP server certificate on the CryptoHub, as required for this integration.

## Generate a Certificate Signing Request (CSR) for the KMIP server connection pair

<Steps>
  <Step>
    Log in to CryptoHub with your administrator identities.
  </Step>

  <Step>
    Go to **Classic Tools** > **Administration** > **Configuration Tasks**.
  </Step>

  <Step>
    In the **Configuration Tasks** view, double-click **Network Options**.
  </Step>

  <Step>
    Go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    In the **Connection** drop-down menu, select **KMIP**.
  </Step>

  <Step>
    Uncheck **Use System/Host API SSL Parameters**.
  </Step>

  <Step>
    Uncheck **Use Futurex certificates**.
  </Step>

  <Step>
    In the **User Certificates** section, select **\[ Edit ]** next to **PKI Keys**.
  </Step>

  <Step>
    In the Application Public Keys window, select **\[ Generate ]**.
  </Step>

  <Step>
    When prompted that *SSL will not be functional until new certificates are imported*, select **\[ Yes ]**.
  </Step>

  <Step>
    In the PKI Parameters window, select **RSA** as the **Key Type**, and **2048** as the **Key Size**. Then, select **\[ OK ]**.

    <Check>
      The Application Public Keys window now shows that a PKI Key Pair is Loaded.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    In the **Subject DN** tab, select **Classic** as the preset, and enter the FQDN or IP address of the CryptoHub as the **Common Name**.
  </Step>

  <Step>
    In the **V3 Extensions** tab, select the **TLS Server Certificate** profile. Then, select **\[ Add ]**. You must add the necessary extensions to the certificate, including the CRL Distribution Points extension.
  </Step>

  <Step>
    Select the **CRL Distribution Points** extension and select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ Add ]**. Enter the URL for the CRL distribution point. Use the format `http://HOSTNAME-OR-IP_ADDRESS/cryptohub.crl`, where `HOSTNAME-OR-IP_ADDRESS` is the hostname or IP address of the server hosting the CRL. Then, select **\[ OK ]**.

    <Check>
      Be sure to include the protocol (http\://) in the URL, because the CRL Distribution Points extension requires it.
    </Check>
  </Step>

  <Step>
    Select **\[ Add ]** again to add another extension.
  </Step>

  <Step>
    This time, select **Subject Alternative Name** and select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ Add ]**.
  </Step>

  <Step>
    Depending on whether the CryptoHub is accessed by hostname or IP address, change the **Type** to **DNS Name** or **IP Address**, and enter the corresponding value. Then, select **\[ OK ]**.
  </Step>

  <Step>
    Confirm the changes by selecting **\[ OK ]**.
  </Step>

  <Step>
    In the **PKCS #10 Info** tab, select **\[ Browse ]**, which allows you to set a name for the certificate signing request (CSR) file. Then, select **\[ OK ]**.
  </Step>

  <Step>
    Specify a name for the CSR file or leave the default name and select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to submit the certificate signing request. You should see a confirmation message that the CSR was successfully written. Select **\[ OK ]** to close the confirmation message. Your browser then downloads the file, and you choose where to save it locally.
  </Step>

  <Step>
    Select **\[ OK ]** in the Application Public Keys window to return to the TLS/SSL Settings tab.
  </Step>

  <Step>
    Select **\[ OK ]** to save the changes to the KMIP connection pair.
  </Step>
</Steps>

## Use the Client App TLS CA to sign the KMIP server certificate

<Steps>
  <Step>
    Go to **PKI and CA** > **Certificate Management**.
  </Step>

  <Step>
    Select the **plus (+)** icon to expand the "Client App TLS CA" X.509 Certificate Container.

    <Note>
      A randomly-generated 10-digit number is appended to the end of the "Client App TLS CA" name.
    </Note>
  </Step>

  <Step>
    Right-click the **CryptoHub \[10\_digit\_number]** self-signed CA certificate, and select **Add Certificate** > **From Request**.
  </Step>

  <Step>
    In the file browser, select the CSR file you generated for the KMIP server connection pair, and select **\[ Open ]**.
  </Step>

  <Step>
    The certificate details are displayed. Select **\[ OK ]** to submit the request to the CA.
  </Step>
</Steps>

## Export the signed KMIP server certificate and CryptoHub App TLS CA certificate

<Steps>
  <Step>
    Go to **PKI and CA** > **Certificate Management**.
  </Step>

  <Step>
    Select the **plus (+)** icons to expand the "Client App TLS CA" X.509 Certificate Container.
  </Step>

  <Step>
    Right-click the signed KMIP server certificate, and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    Change the encoding to PEM and select **\[ Browse ]**.
  </Step>

  <Step>
    Specify a name for the file or leave the default name and select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]**. You should see a confirmation message that the CSR was successfully written. Select **\[ OK ]** to close the confirmation message. Your browser then downloads the file, and you choose where to save it locally.
  </Step>

  <Step>
    Repeat the export process for the CryptoHub App TLS CA certificate, which is the CA that issued the KMIP client and server certificates. This CA certificate must be imported to the Trusted Root Certification Authority store on the Veeam Backup & Replication server.
  </Step>
</Steps>
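
Before importing the exported PEM file anywhere, you can check it with OpenSSL against the Veeam requirements listed at the top of this page and the values entered in the CSR steps. The script below is an added example, not Futurex or Veeam tooling; it assumes OpenSSL 1.1.1 or later on your workstation, and the function names and `example.test` hostnames are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Futurex or Veeam tooling). Assumes OpenSSL 1.1.1+.
# check_kmip_cert PEM HOST: returns 0 only if the exported certificate meets
# the requirements listed on this page; prints one FAIL line per problem.
check_kmip_cert() {
  pem=$1; want=$2; rc=0
  text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || return 2

  # RSA key, 2048 bits or more (key type and size selected in the CSR steps).
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  { printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' &&
    [ "${bits:-0}" -ge 2048 ]; } || { echo "FAIL: key is not RSA >= 2048 bits"; rc=1; }

  # Subject Common Name equals the FQDN or IP address of the KMIP server.
  cn=$(openssl x509 -in "$pem" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= //p')
  [ "$cn" = "$want" ] || { echo "FAIL: Subject CN '$cn' is not '$want'"; rc=1; }

  # Subject Alternative Name lists the same value as a DNS Name or IP Address.
  openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null | grep -v 'X509v3' |
    tr ',' '\n' | sed 's/^ *//' | grep -qxF -e "DNS:$want" -e "IP Address:$want" ||
    { echo "FAIL: Subject Alternative Name does not list '$want'"; rc=1; }

  # CRL Distribution Points is present and its URL includes the http:// scheme.
  openssl x509 -in "$pem" -noout -ext crlDistributionPoints 2>/dev/null |
    grep -q 'URI:http://' || { echo "FAIL: no http:// CRL distribution point"; rc=1; }

  return "$rc"
}

# Constructed test input: a throwaway self-signed certificate, NOT one issued by
# the CryptoHub CA. Extra arguments are passed to openssl (for example -addext).
make_sample_cert() {
  out=$1; cn_in=$2; shift 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn_in" \
    -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}

# Usage: ./check_kmip_cert.sh exported_cert.pem kmip.example.test
if [ "$#" -eq 2 ]; then check_kmip_cert "$1" "$2"; fi
```

A non-zero exit status means at least one requirement is not met; correct the CSR extensions and re-issue the certificate before continuing.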

## Configure the KMIP server connection pair to use the signed certificate

<Steps>
  <Step>
    Go to **Classic Tools** > **Administration** > **Configuration Tasks**.
  </Step>

  <Step>
    In the **Configuration Tasks** view, double-click **Network Options**.
  </Step>

  <Step>
    Go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Select **KMIP** in the **Connection** drop-down menu.
  </Step>

  <Step>
    In the **User Certificates** section, select **\[ Edit ]** next to **Certificates**.
  </Step>

  <Step>
    Right-click the **KMIP SSL CA** X.509 certificate container and select **\[ Import ]**.
  </Step>

  <Step>
    Select **\[ Add ]** at the bottom of the window.
  </Step>

  <Step>
    In the local file browser, select the CryptoHub App TLS CA certificate and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ Add ]** at the bottom of the window.
  </Step>

  <Step>
    In the local file browser, select the signed KMIP server certificate and select **\[ Open ]**.

    <Check>
      The certificates are listed in the **Verified** section.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      You now see "Signed loaded" next to **Certificates**.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save the changes.
  </Step>
</Steps>

After completing these steps, the KMIP server connection pair is configured to use the signed certificate for TLS communication with Veeam Backup & Replication. Be sure to also import the CryptoHub App TLS CA certificate to the Trusted Root Certification Authority store on the Veeam server to establish trust.
