> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure KMES TLS communication

> Procedural guide to configure TLS certificates for secure communication between Venafi TPP and KMES Series 3 Host API.

This section shows users how to set up TLS certificates for the connection between the Venafi TPP instance and the System/Host API connection pair on the KMES Series 3.

To configure communications, perform the following tasks detailed in this section:

1. Create a Certificate Authority (CA).
2. Generate a CSR for the System/Host API connection pair.
3. Sign the System/Host API CSR.
4. Export the Root CA certificate.
5. Export the signed System/Host API certificate.
6. Load the exported certificates into the System/Host API connection pair.
7. Issue a client certificate for Venafi TPP.
8. Export the Venafi certificate as a PKCS #12 file.

## Create a CA

Perform the following steps to create a CA:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, enter a name for the certificate container, select the Venafi Adaptable CA role in the **Owner group** drop-down menu, and select **\[ OK ]**.

    <Check>
      The certificate container you created now displays in the Certificate Authorities menu.
    </Check>
  </Step>

  <Step>
    Right-click the certificate container and select **Add** **Certificate** > **New** **Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `System TLS CA Root`.
  </Step>

  <Step>
    On the **Basic Info** tab, leave the fields set to the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **Certificate** **Authority** profile and select **\[ OK ]**.

    <Check>
      The root CA certificate now displays under the previously created certificate container.
    </Check>
  </Step>
</Steps>

## Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, uncheck the **Use Futurex certificates** checkbox and then select **\[ Edit ]** next to **PKI Keys** in the **User Certificates** section.
  </Step>

  <Step>
    In the **Application** **Public** **Keys** window, select **\[ Generate ]**.
  </Step>

  <Step>
    When warned that *SSL will not be functional until new certificates are imported*, select **\[ Yes ]** to continue.
  </Step>

  <Step>
    In the **PKI Parameters** window, set the **Encrypting key** to **PMK**, **Key type** to **RSA**, and **Key size** to **2048**. Select **\[ OK ]** to save.

    <Check>
      The Application Public Keys window now shows that a PKI key pair is Loaded.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    On the **Subject DN** tab, you can leave the **Common Name** set to the default value of `System/Host API`.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Server Certificate** profile.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, select a save location for the CSR and select **\[ OK ]**.
  </Step>

  <Step>
    When notified that *the certificate signing request was successfully written to the file location that was selected*, select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** again to save the **Application Public Keys** settings.

    <Check>
      The main Network Options window now shows Loaded next to PKI Keys for the System/Host API connection pair.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and close the **Network Options** window.
  </Step>
</Steps>

## Sign the CSR

Perform the following steps to sign the System/Host API CSR:

<Steps>
  <Step>
    Go to **PKI** > **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the root CA certificate you created for TLS and select **Add Certificate** > **From Request**.
  </Step>

  <Step>
    In the file browser, select the CSR that you generated for the System/Host API connection pair.
  </Step>

  <Step>
    After it loads, don't modify any certificate settings. Select **\[ OK ]**.

    <Check>
      The signed System/Host API certificate now shows under the root CA certificate on the Certificate Authorities page.
    </Check>
  </Step>
</Steps>

## Export the Root CA certificate

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export Certificate** window, change the encoding to **PEM** and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the Root CA certificate. Specify a name for the file and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location that you specified.
    </Check>
  </Step>
</Steps>

## Export the signed certificate

Perform the following steps to export the signed System/Host API certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the **System/Host API** TLS certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export** **Certificate** window, change the encoding to **PEM** and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, navigate to the location where you want to save the System/Host API TLS certificate. Specify a name for the file and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location that you specified.
    </Check>
  </Step>
</Steps>

## Load the certificates into a connection pair

Perform the following steps to load the exported certificates into the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** >
    **Network Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, select **\[ Edit ]** next to **Certificates** in the **User** **Certificates** section.
  </Step>

  <Step>
    Right-click the **System/Host API SSL CA** X.509 certificate container and select **\[ Import ]**.
  </Step>

  <Step>
    Select **\[ Add ]** at the bottom of the **Import** **Certificates** window.
  </Step>

  <Step>
    In the file browser, select both the root CA certificate and the signed System/Host API certificate and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to save the changes.

    <Check>
      In the Network Options window, the System/Host API connection pair now shows Signed loaded next to Certificates in the User Certificates section.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and exit the **Network Options** window.
  </Step>
</Steps>

## Issue a client certificate

Perform the following steps to issue a client certificate for Venafi TPP:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Add** **Certificate** > **New** **Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `Venafi`.
  </Step>

  <Step>
    Leave all fields on the **Basic Info** tab set to the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Client Certificate** profile and select **\[ OK ]**\*.

    <Check>
      The Venafi certificate now displays under the System TLS CA Root certificate.
    </Check>
  </Step>
</Steps>

## Export the Venafi certificate

<Note>
  Before proceeding, you must go to Administration > Configuration > Options and enable the Allow export of certificates using passwords option.
</Note>

Perform the following steps to export the Venafi certificate as a PKCS #12 file:

<Steps>
  <Step>
    Go to **PKI** > **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the Venafi certificate and select **Export** > **PKCS12**.
  </Step>

  <Step>
    Select the **Export Selected** option, specify a unique name for the export file, and select **\[ Next ]**.
  </Step>

  <Step>
    Enter a file password of your choice and select **\[ Next ]**.
  </Step>

  <Step>
    Select **\[ Finish ]** to initiate the export.
  </Step>

  <Step>
    Move both the **Venafi** certificate and the Root CA certificate that you exported in the **Export the Root CA Certificate** section to the computer that runs the Venafi TPP instance.

    A later section shows you how to configure and use them for TLS communication with the KMES Series 3.
  </Step>
</Steps>
