Skip to main content
The KMES Series 3 device enables you to build an enterprise-level PKI and deploy CAs by using a custom-defined CA hierarchy system. The CA hierarchy begins with a root CA certificate, which you can generate directly on the KMES. Typically, you host the root CA on a separate device or service from the issuing CA (that is, another offline KMES or another CA entirely). Then, under the root CA certificate, you create and use an issuing CA certificate to issue all leaf certificates in the certificate tree. The issuing CA can define the enterprise CA security parameters such as the certificate approvers, certificate validity, certificate renewal, and so on.
A leaf or end-entity certificate is any certificate that cannot sign other certificates, such as TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all types of leaf certificates.
This section outlines the following items related to the creation and management of issuing CAs on the KMES Series 3:
  • Root CA certificate management
  • Issuing CA certificate creation
  • Certificate Renewal
  • Certificate Revocation and CRLs

Root CA certificate management

The root CA is typically a separate device or service from the issuing CA. However, you can generate a self-signed root CA directly on the KMES. The following sections provide instructions for both of these methods. To perform the steps in this section related to root CA certificate management, the logged-in identity must be assigned a role with the following permissions:
PermissionSubpermission
Certificate Authority Add, Delete, Modify
TLS ProfilesAdd
Enable these permissions in the Role Editor window in the Permissions tab.

Create an X.509 certificate container

On the KMES Series 3, you must create certificate trees in a certificate container. This means that creating a new certificate container is a prerequisite before generating the root and issuing CA certificates.
The certificate container includes identifying information, which resides in the Distinguished Name (DN) attached to it. If required, you can define the DN to include security restrictions while creating the certificate container.
Perform the following steps to create a new X.509 certificate container:
1
Log in to the KMES Series 3 application interface using an identity assigned the required permissions.
2
Go to PKI > Certificate Authorities, and select [ Add CA ] at the bottom of the page.
3
On the Certificate Authority window, enter a name for the CA container and select X.509 in the Type drop-down menu. Use the default values in the Host and Owner group fields, or set them according to your requirements. Additionally, you can select [ Permissions ] and grant permissions to specific roles.
4
Select [ OK ] to finish creating the certificate container.

Import an externally hosted root CA certificate

If you are using a root CA hosted on a separate device or service from the issuing CA, follow the steps outlined in this section. If you plan to generate a self-signed root CA directly on the KMES, skip to the next subsection.
1
Log in to the KMES Series 3 application interface with an identity assigned the required permissions.
2
Go to PKI > Certificate Authorities.
3
Right-click the appropriate certificate container and select Import > Certificate(s).
4
On the Import Certificates window, select [ Add ] and then select the externally-hosted root CA certificate.
The root CA certificate should be listed now in the Verified section.
5
Select [ OK ] to finish importing.

Generate a root CA

Perform the following steps to generate a self-signed root CA certificate directly on the KMES:
1
Log in to the KMES Series 3 application interface with an identity assigned the required permissions
2
Go to PKI > Certificate Authorities.
3
Right-click the appropriate certificate container and select Add Certificate > New Certificate.
4
On the Subject DN tab of the Create X.509 Certificate window, change the Preset drop-down option to Classic and, as a minimum requirement, specify a Common Name for the certificate, such as Root.
5
On the Basic Info tab, you can leave the default values set or modify them per your specific requirements.
Define the validity dates for the certificate in the PKI Date Validity section. The default validity period is one year.
6
On the V3 Extensions tab, select the Certificate Authority profile in the drop-down menu.
7
Select [ OK ] to generate the root CA certificate with all the settings you configured.

Issue CA certificate creation

To manage issuing CA certificates, you must assign the logged-in identity a role with the following permissions:
PermissionSubpermission
Certificate AuthorityAdd, Delete, Modify, Export
TLS ProfilesAdd
Enable these permissions in the Role Editor window on the Permissions tab.
The most commonly used terms for issuing CA certificates are issuing certificate, intermediate certificate, or sub-CA certificate. For the purpose of this guide, consider these synonymous.

Sign the issuer CA certificate

Perform the steps in this section to use an externally-hosted root CA to sign the issuer CA certificate from a CSR. If you are using a root CA hosted on a separate device or service from the issuing CA, follow the steps outlined in this section. If you generated a self-signed root CA directly on the KMES, skip to Generate the issuing CA certificate.

Generate a key pair

Perform the following steps to generate a key pair for the issuing CA on the KMES:
1
Log in to the KMES Series 3 application interface with an identity assigned the required permissions.
2
Go to PKI > Certificate Authorities.
3
Right-click the root CA certificate you created and select Add Certificate > Pending.
4
On the Subject DN tab, change the Preset drop-down option to Classic and, as a minimum requirement, specify a Common Name for the certificate, such as Issuing.
5
On the Basic Info tab, you can leave the default values set or modify them per your specific requirements.
The validity dates for the certificate are defined in the PKI Date Validity section. The default validity period is one year.
6
On the V3 Extensions tab, select the Certificate Authority profile in the drop-down menu.
7
Select [ OK ] to generate the issuing CA key pair and the CSR with the settings you configured.
You should see the Issuing certificate listed under the Root certificate with the status of the issuing CA as Pending/Invalid.

Export a CSR

Perform the following steps to export a Certificate Signing Request (CSR) for the issuing CA:
1
Log in to the KMES Series 3 application interface with an identity assigned the required permissions.
2
Go to PKI > Certificate Authorities.
3
Right-click the Pending/Invalid issuing CA certificate and select Export > Signing Request.
4
On the Subject DN tab, change the Preset drop-down option to Classic and, as a minimum requirement, specify a Common Name for the certificate, such as Issuing.
5
On the V3 Extensions tab, select the Certificate Authority profile in the drop-down menu.
6
On the PKCS #10 Info tab, select [ Browse ] and specify a save location for the CSR.
7
Select [ OK ] to finish generating the CSR for the issuing CA.

Take the CSR to the external root CA to sign the issuer CA certificate

The specific steps required for this task vary depending on the external root CA being used (such as another KMES device, DigiCert, and so on). After you have the signed issuer CA certificate, proceed to the next section.

Import the CA certificate

Perform the following steps to import the signed issuer CA certificate into the KMES:
1
Log in to the KMES Series 3 application interface with an identity assigned the required permissions.
2
Go to PKI > Certificate Authorities.
3
Right-click the Pending/Invalid issuing CA certificate and select Replace > With Signed Certificate.
4
On the Import Certificates window, select [ Add ] and select the signed issuing CA certificate in the file browser. Then, select [ Open ].
You should see the issuing CA certificate listed under the root CA certificate in the Verified section.
5
If you see the issuing CA certificate listed in the Unverified section, review the preceding steps and repeat the process.
6
Select [ OK ] to finish associating the signed issuing CA certificate with its corresponding private key stored on the KMES.
The status of the issuing CA should show as Valid now.

Generate the issuing CA certificate

If you created a self-signed root CA certificate directly on the KMES, perform the following steps to generate the issuing CA certificate from KMES-generated keys:
1
Log in to the KMES Series 3 application interface with an identity assigned the required permissions.
2
Go to PKI > Certificate Authorities.
3
Right-click the root CA certificate that you imported and select Add Certificate > New Certificate.
4
In the Subject DN tab of the Create X.509 Certificate window, change the Preset drop-down option to Classic and, as a minimum requirement, specify a Common Name for the certificate, such as Issuing.
5
On the Basic Info tab, you can leave the default values set or modify them per your specific requirements.
Define the validity dates for the certificate in the PKI Date Validity section. The default validity period is one year.
6
On the V3 Extensions tab, select the Certificate Authority profile in the drop-down menu.
7
Select [ OK ] to generate the issuer CA certificate with the settings you configured.

Issuance policies

An issuance policy on the KMES Series 3 defines and limits the parameters under which you can issue leaf certificates under a given CA tree. This includes the number of approvers needed to issue a certificate, the ability to define the validity period of the issued certificate, and the allowance of renewals.

Create an issuance policy

You can create issuance policies for each certificate tree that resides in a X.509 certificate container on the KMES Series 3. Administrators can individualize each policy for the specific needs of any given issuing CA. Perform the following steps to create an issuance policy for the issuing CA certificate:
1
Log in to the KMES Series 3 application interface with an identity assigned the required permissions.
2
Go to PKI > Certificate Authorities.
3
Right-click the issuing CA certificate and select Issuance Policy > Add.
4
On the Basic Info tab of the Issuance Policy editor, perform the following steps:
  1. In the Alias field, enter a name for the issuance policy.
  2. Use the up-down arrows to specify the number of Approvals (0-5) that are required for CSRs listed under this Issuance Policy. Unique, non-admin identities must enter approvals.
  3. In the Allowed hashes drop-down menu, select the allowed hashes.
  4. If you want to Require LDAP login, select the checkbox.
  5. Select a Notifications option. This option notifies users when CSRs upload. (To have identities with approve permissions receive notifications when CSRs upload, you must assign an email address to their identity.)
    • Notify upload: Messages users when CSRs are uploaded.
    • Notify approve: Messages users when CSRs are approved.
    • Notify deny: Messages users when CSRs are denied.
    • Notify expired: Messages users when certificates expire.
    • In the Emails field, specify all of the email addresses you want to receive notifications.
    • Use the up-down arrows to specify the number of days before expiration to notify users.
5
On the X.509 tab, perform the following steps:
  1. Select the Allow CSR uploads checkbox to enable the ability to upload a certificate signing request for approval.
  2. Select the Allow renewals checkbox to allow signatures to be renewed.
  3. Select the Allow PKI generation checkbox to enable the ability to request PKI signatures.
  4. (Optional) Select the Save certificate checkbox.
  5. Select the Allow self approval checkbox if you want to allow the same role both to submit and approve CSRs.
  6. Select [ Select ] and select a Default approval group.
  7. Use the up and down arrows and the drop-down menu to select the Max validity period in days, weeks, months, or years (the default).
  8. Select the Expiration date you want to apply to issued certificates.
  9. In the Renewal validity drop-down menu, select either Same as original or Max validity. (This option is available only if you select the Allow renewals checkbox.)
  10. Under PKI Types, select either RSA or ECC and select the minimum and maximum bit sizes, defaulting to 2048/2048 for RSA and 384/521 for ECC. Add another type using the [ + ] button. Delete a type using the [ - ] button.
  11. Under Extension Profiles, select [ Add ] to add one of the pre-defined X.509 v3 Extension Profiles.
6
On the Object Signing tab, perform the following steps:
  1. Select the Allow object signing checkbox to enable the ability to upload object-signing requests.
  2. Select the Padding algorithm to use for padding the object-signing requests.
7
On the LDAP Binding Info tab, perform the following steps:
Lightweight Directory Access Protocol (LDAP) is a software protocol that enables you to enroll people, places, and resources in a network for quick reference. You can register a remote LDAP server against which you can authenticate certificates.
  1. Press [ Select ] to choose the directory of a defined remote LDAP server. Refer to the Remote LDAP Servers section of the KMES Series 3 User Guide for more information.
  2. Under User Settings, define the Base DN. This determines where to store users in the LDAP database. For example, use ou to store users in the user directory of the LDAP database.
  3. Define the User attribute identifier for user settings. For example, cn is common name.
  4. Define the Password attribute identifier. The default is userPassword.
  5. Under the Group Permission Settings, begin by defining the Base DN. This determines where to store groups in the LDAP database. For example, use ou to store groups in the user directory of the LDAP database.
  6. Define the Group attribute identifier for group permission settings. For example, cn is common name.
  7. Define the Group name identifier for group permission settings. The default is Admin Group.
  8. Select the Use memberOf checkbox to change the Member attribute field from member to memberOf.
  9. Under Authentication, select the Authentication type you want to use in the drop-down menu.
  10. If you selected the SASL Bind in the Authentication type drop-down menu, select the SASL mechanism you want to use in the drop-down menu.
8
On the AIA and CRL DP tab, perform the following steps:
  1. (Optional) Select the Authority Information Access checkbox.
  2. If you enabled Authority Information Access, select the Only insert if extension is being used, Replace existing values, and Critical checkboxes according to your use case, and specify HTTP, LDAP, and OCSP endpoints.
  3. (Optional) Select the CRL Distribution Points checkbox.
  4. If you enabled CRL Distribution Points, select the Only insert if extension is being used, Replace existing values, and Critical checkboxes according to your use case. Then, specify HTTP and LDAP endpoints.

X.509 V3 Extensions

The KMES Series 3 offers the ability to define X.509 V3 certificate extensions. These extension fields permit any quantity of additional fields to be included in the certificate being created or issued. X.509 V3 extensions enable you to assign usage restrictions and additional information, such as alternative subject names, to certificates. If you want to deploy client-side authentication TLS certificates, you might want to define the Key Usage OID to only permit Key Agreement and Key Encipherment. Code signing users should include the Code Signing Extended Key Usage.

Manage X.509 v3 extension profiles

In the PKI > X.509 Extensions menu, you can see the eight example profiles enabled by default. You can also create new X.509 v3 extension profiles. This section shows you how to manage X.509 extension profiles

Create a new profile

Perform the following steps to create a new X.509 extension profile:
1
Log in to the KMES Series 3 application interface with an identity assigned the required permissions.
2
Go to PKI > X.509 Extensions.
3
Select [ Add ] at the bottom of the page.
4
In the Name field of the X.509 v3 Extension Profile window, enter the desired name for the profile. This can reflect the type of document that the profile you use to add data to in the future.
5
(Optional) Select the Allow User-Defined Extensions checkbox to enable users to modify or add their extensions when adding the profile to a CSR.
6
Select [ Add ].
7
In the X.509 v3 Extension OID window, select the extension type to add and select [ OK ]*.
The extension appears under the X.509 v3 Extension Profile line.
The information provided for each extension is as follows: Mode: The rules guiding whether the extension is presented and if it is editable:
RuleDescription
OptionalYou can include but not edit the extension value.
RequiredExtension is always present, and you can edit the value.
Fixed ValueExtension is always present, but you cannot edit it.
RestrictedYou cannot add the extension to the request.
UploadedUpload it by using a CSR, or manually add it when creating a certificate request.
OID: The object identifier, which specifies the type of extension used:
Object identifierDescription
Authority Information AccessEnables users to specify an OID and various HTTP, LDAP, or OCSP URLs. Authority Information Access (AIA) is a special extension in SSL certificates that contains information about the issuer of the certificate. This extension helps fetch intermediate certificates from the issuing certification authority.
Authority Key Identifier:Enables users to specify an OID and a hash value. The Authority Key Identifier is an extension that identifies the public key corresponding to the private key used to sign the certificate. The default hash algorithm is SHA-256. The other supported algorithms are MD5, RIPEMD-160, SHA-1, SHA-224, SHA-384, and SHA-512.
Basic ConstraintsIdentifies the subject of a certificate as a CA. Specify the maximum valid certificate paths contained within the certificate using the up-down arrows (from 0 to 99).
CRL Distribution PointsEstablishes how to gather certificate revocation list information. Select [ Add ] to define location information. From the drop-down menu, select either LDAP or HTTP. To delete additional CRL Distribution Points, use the [ Remove ] buttons on the right side of the window.
Certificate PoliciesProvides information on certificate policies. Enter the OID. Then, type in the octet string in hexadecimal format, or select [ Load ] to open the Import Hex window. The window updates to show the formatted ASN.1 structure.
Certificate Template ExtensionA certification authority (CA) processes each certificate request by using a defined set of rules. you can customize certificate templates with a number of extensions that regulate their use.
Extended Key UsageDesignates the extended key usage options (multiple options can be selected) in the respective checkboxes, from the following:
  • TLS Web Server Authentication
  • TLS Web Client Authentication
  • Code Signing
  • E-mail Protection
  • Time Stamping
  • Microsoft Individual Code Signing
  • Microsoft Commercial Code Signing
  • Microsoft Trust List Signing
  • Microsoft Server Gated Crypto
  • Microsoft Encryption File System
  • Netscape Server Gated Crypto
  • OCSP Signing
Issuer Alternate NameProvides an alias for the issuer. Enter the OID. Then, type in the octet string in hexadecimal format, or select [ Load ] to open the Import Hex window. The window updates to show the formatted ASN.1 structure.
Key UsageDesignates the key usage options (multiple options can be selected) in the respective checkboxes, from the following:
  • Digital Signature
  • Non-Repudiation
  • Key Encipherment
  • Data Encipherment
  • Key Agreement
  • Certificate Sign
  • CRL Sign
  • Encipher Only
  • Decipher Only
MS Application PoliciesApplications can use the Microsoft application policies extension to filter certificates based on permitted use. OIDs identify permitted uses. This extension is similar to the Enhanced Key Usage extension but with stricter semantics applied to the parent CA. The extension is Microsoft-specific.
MS Template NameUse the template name extension to identify the version 1 template to use when issuing or renewing a certificate. The extension value contains the name of the template. The extension is Microsoft-specific.
Name ConstraintsSpecifies restrictions for the data’s name. Enter the OID. Then, type in the octet string in hexadecimal format or select [ Load ] to open the Import Hex window. The window updates to show the formatted ASN.1 structure.
OCSP No-CheckDefines an OCSP server that checks if certificates have been revoked. Enter the OID. Then, enter the desired octet string in hexadecimal format or select [ Load ] to open the Import Hex window. The window updates to show the formatted ASN.1 structure.
Policy ConstraintsSpecifies constraints for certificate policy. Enter the desired OID. Then, enter the desired octet string in hexadecimal format or select [ Load ] to open the Import Hex window. The window updates to show the formatted ASN.1 structure.
Policy MappingsSpecifies maps for certificate policy. Enter the OID. Then, enter the octet string in hexadecimal format or select [ Load ] to open the Import Hex window. The window updates to show the formatted ASN.1 structure.
Subject Alternate NameEstablishes an alias for the subject. Select [ Add ] to enter a new alternate name. To delete an alternate name, use the [ Remove ] buttons on the right side of the window.
Subject Key IdentifierSpecifies a subject key. The default algorithm is SHA-256. The other supported algorithms are MD5, RIPEMD-160, SHA-1, SHA-224, SHA-384, and SHA-512.
Verifone Log ExtensionDescription N/A
CustomEnables the user to add a custom extension. Enter the OID. Then, enter the octet string in hexadecimal format or select [ Load ] to open the Import Hex window. The window updates to show the formatted ASN.1 structure.

Manage DN profiles

Every certificate that you request or use to issue a certificate contains identifying information in the form of a Distinguished Name (DN). The DN can contain differing information depending on what the issuing CA requires for the certificate to be issued. You can use the KMES Series 3 to configure issuance policies that restrict the DN information that the certificate request must contain.

Add an X.509 DN profile

Perform the following steps to add an X.509 DN profile:
1
Log in to the KMES Series 3 application interface with an identity assigned the required permissions.
2
Go to PKI > X.509 DN Profiles.
3
Select [ Add ] at the bottom of the page.
4
In the Name field of the X.509 DN Profile editor, enter the desired name for the profile.
5
Select [ New ] to add X.509 attributes to the profile.
6
After you add all the desired attributes, select [ OK ]* to save the X.509 DN Profile.

Certificate renewal and revocation

To perform certificate renewal tasks, you must assign the logged-in identity a role with the following permissions:
PermissionSubpermission
Certificate Authority Add, Delete, Modify
TLS Profiles Add
Enable these permissions on the Permissions tab of the Role Editor window.

Renew X.509 certificates

Perform the following steps to renew an X.509 certificate:
1
Log in to the KMES Series 3 application interface with an identity assigned the required permissions
2
Go to PKI > Certificate Authorities.
3
Right-click the certificate you want to renew and select [ Re-sign ].
4
In the Certificate Data tab of the Re-sign Existing Certificate window, set new validity dates for the certificate in the Not valid before and Not valid after fields.
5
Select [ OK ] to proceed with the certificate renewal/re-signing operation.

Revoke X.509 certificates

Perform the following steps to revoke an X.509 certificate:
1
Log in to the KMES Series 3 application interface with an identity assigned the required permissions.
2
Go to PKI > Certificate Authorities.
3
Right-click the certificate you want to revoke and select CRL > Revoke.
4
In the Revoke Certificate Wizard, select the certificate to revoke from the list in the left side of the window, and select the [ >> ].
This moves the certificate to the right side of the window.
Then, select [ Next ].
5
Configure the Revocation Options, optionally select the Export checkbox, and specify the Type, Encoding, and Output directory. Then, select [ Next ].
6
Select the revoke CRL from the list in the left side of the window and select [ >> ].
This moves the CRL to the right side of the window.
Then select [ Next ].
A message displays stating that the CRLs were successfully updated.
7
Select [ Finish ].
In the Certificate Authorities menu, the status for the certificate you revoked should show as Revoked.