This section describes the configuration required on the KMES Series 3 so that Venafi TPP can integrate with it through the Adaptable CA functionality. To configure the KMES, perform the following tasks, each detailed in this section:
  1. Enable the required Host API commands.
  2. Create KMES credentials for Venafi TPP.
  3. Create a signing approval group.
  4. Create an issuing CA.
  5. Add an issuance policy.
  6. Allow user-defined extensions for X.509 Extension Profiles (optional).

Enable the required commands

Because Venafi TPP connects to the Host API port on the KMES, you must define which Host API commands are enabled. To set the allowed Host API commands, complete the following steps:

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to Administration > Configuration > Host API Options and enable the following commands:

   Command   Description
   RAGX      Retrieve Request (X.509 CSR)
   RASX      Manipulate Signed Request
   RAUX      Upload Request (X.509 CSR)
   RAYX      Approve Requests
   RKLO      Login User
   RKRK      Retrieve Generated Keys

3. Select [ Save ] to finish.

Create KMES credentials for Venafi TPP

Venafi TPP supports two options for user credential management. The single-user role option establishes one user per issuance policy that is permitted to submit certificate issuance requests, approve or deny requests, and revoke certificates. The dual-user role option establishes two users per issuance policy: one permitted only to submit certificate issuance requests, and one permitted only to approve or deny issuance requests or revoke issued certificates. For a greater degree of administrative separation and adherence to the principle of role-based access control, we recommend the dual-user method. Select the dual-user or single-user role and identity creation method and follow its steps.

Dual-user role option

Perform the following steps to set up a dual-user role to control certificate requests, approval, and revocation. One user is responsible for submitting certificate issuance requests, while the other is solely responsible for approving, rejecting, and revoking certificates.

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to Identity Management > Roles and select [ Add ] at the bottom of the window.
3. On the Info tab of the Role Editor window, specify a name for the role and set the number of logins required to 1.
4. On the Permissions tab, enable the following permissions:

   Permission             Subpermission
   Certificate Authority  Export, Upload

5. On the Advanced tab, allow authentication to the Host API port only.
6. Select [ OK ] to finish creating the role.
7. Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.
8. On the Info tab of the Identity Editor window, select Application for the storage location and specify a name for the identity.
9. On the Assigned Roles tab, select the role you just created.
10. On the Authentication tab, remove the default API Key authentication mechanism, add the Password authentication mechanism, and configure it.
11. Select [ OK ] to finish creating the identity.
12. Use the preceding steps to configure a second role and identity, but enable the Approve permission under the Signing Approval permission category instead.

Single-user role option

Perform the following steps to set up a single-user role to control certificate requests, approval, and revocation.

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to Identity Management > Roles and select [ Add ] at the bottom of the page.
3. On the Info tab of the Role Editor window, specify a name for the role and set the number of logins required to 1.
4. On the Permissions tab, enable the following permissions:

   Permission             Subpermission
   Certificate Authority  Export, Upload
   Signing Approval       Approve

5. On the Advanced tab, allow authentication to the Host API port only.
6. Select [ OK ] to finish creating the role.
7. Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.
8. On the Info tab of the Identity Editor window, select Application for the storage location and specify a name for the identity.
9. On the Assigned Roles tab, select the role you just created.
10. On the Authentication tab, remove the default API Key authentication mechanism, add the Password authentication mechanism, and configure it.
11. Select [ OK ] to finish creating the identity.

Create a signing approval group

To enable certificate signing approval workflows on the KMES Series 3, perform the following steps to create a signing approval group:

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to PKI > Signing Workflow.
3. Select [ Add Approval Group ].
4. Specify a name for the approval group and select [ OK ] to save.
5. Right-click the newly created approval group and select [ Permission ].
6. Grant the Venafi Adaptable CA role the Use permission and select [ OK ] to save.

Remember the group name, because you will need it when configuring the Adaptable CA driver in a later section of this guide.

Create an issuing CA

Perform the following steps to create an issuing CA certificate tree on the KMES Series 3:

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
3. In the Certificate Authority window, enter a name for the certificate container, select the Venafi Adaptable CA role in the Owner group drop-down menu, and select [ OK ].
4. Right-click the certificate container and select Add Certificate > New Certificate.
5. On the Subject DN tab, set a Common Name for the certificate, such as RootCA.
6. On the Basic Info tab, leave the fields set to the default values.
7. On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ] to create the certificate.
8. Right-click the root CA certificate and select Add Certificate > New Certificate.
9. On the Subject DN tab, set a Common Name for the certificate, such as IssuingCA.
10. On the Basic Info tab, leave the fields set to the default values.
11. On the V3 Extensions tab, select the Certificate Authority profile, then select [ OK ] to create the certificate.

The root and issuing CA certificates now appear in the Venafi Adaptable CA certificate container.
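Once the two certificates are exported from the KMES (the Export subpermission granted earlier), a practitioner will usually want to confirm that they really form the two-tier hierarchy these steps describe: the issuing CA chains to the root, both carry a CA:TRUE basic constraint (what the Certificate Authority profile provides), and the issuing CA's issuer is the root's subject. The following shell check is an added example, not Futurex or Venafi code; it builds a constructed stand-in RootCA/IssuingCA pair with openssl so it runs offline, and the KMES export itself is not shown.

```shell
#!/bin/sh
# Added example, not Futurex or Venafi code. Checks that an exported root CA and
# issuing CA PEM pair form the two-tier hierarchy built in the steps above.

# check_ca_chain ROOT_PEM ISSUING_PEM
# Returns 0 only when the issuing CA verifies against the root, both certificates
# carry a CA:TRUE basic constraint, and the issuing CA's issuer equals the root's subject.
check_ca_chain() {
  root="$1"; issuing="$2"
  # 1. Signature chain: the issuing CA must validate with the root as the trust anchor.
  openssl verify -CAfile "$root" "$issuing" >/dev/null 2>&1 || return 1
  # 2. Both certificates must be CAs; a leaf signed by the root would fail here.
  for c in "$root" "$issuing"; do
    openssl x509 -in "$c" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  done
  # 3. Issuer of the issuing CA must equal the subject of the root ("issuer="/"subject=" stripped).
  iss=$(openssl x509 -in "$issuing" -noout -issuer | sed 's/^[^=]*=//')
  sub=$(openssl x509 -in "$root" -noout -subject | sed 's/^[^=]*=//')
  [ "$iss" = "$sub" ]
}

# make_sample_hierarchy DIR: constructed stand-in for the KMES export, so the check
# runs offline. RootCA and IssuingCA carry CA:TRUE; "leaf" is signed directly by the
# root but is CA:FALSE, giving the check a negative case.
make_sample_hierarchy() {
  d="$1"
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
EOF
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=RootCA' -keyout "$d/RootCA.key" -out "$d/RootCA.pem" 2>/dev/null
  for name in IssuingCA:ca leaf:leaf; do
    cn=${name%%:*}; ext=${name##*:}
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null
    openssl x509 -req -in "$d/$cn.csr" -CA "$d/RootCA.pem" -CAkey "$d/RootCA.key" \
      -CAcreateserial -days 30 -extfile "$d/ca.cnf" -extensions "$ext" -out "$d/$cn.pem" 2>/dev/null
  done
}
```

On real exports, run `check_ca_chain RootCA.pem IssuingCA.pem && echo "hierarchy OK"`; a non-zero exit points at the first of the three checks that failed.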

Add an issuance policy

Perform the following steps to add an issuance policy:

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to PKI > Certificate Authorities.
3. Right-click the issuing CA certificate and select Issuance Policy > Add.
4. On the Basic Info tab of the Issuance Policy window, set an alias for the issuance policy (optional), set the desired number of approvals required for certificate requests, and set the hashes that you want to allow.
5. On the X.509 tab, perform the following actions:
   • Select the Allow CSR uploads checkbox.
   • Set the Default approval group to the approval group you created.
   • If you set the number of required approvals to 0, you must select the Allow self approval checkbox. Otherwise, leave it unchecked.
   • Add at least one Extension Profile. If you are not using the Custom Fields PowerShell script, you must define exactly one extension profile here.
6. If you set the number of approvals required to 0, you must set the Anonymous Signing security usage on the issuing CA certificate. To do so, right-click the issuing CA certificate and select Change Security Usage. Then, in the drop-down menu, select Anonymous Signing and select [ OK ] to save the changes.
7. Select [ OK ] to save the issuance policy.

(Optional) Allow user-defined extensions

The Allow User-Defined Extensions option is disabled by default. This is by design to maintain a more secure configuration. Only enable it if your workflow requires users to define custom extensions.
If you want to allow users to define Subject Alternate Names (SANs) or other custom X.509 v3 extension profiles in Venafi TPP when creating certificates, select one of the following methods and perform the steps:

Enable Allow User-Defined Extensions

Perform the following steps to enable the Allow User-Defined Extensions option for the X.509 v3 extension profiles you plan to use with Venafi Adaptable CA:

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to PKI > X.509 Extensions.
3. Right-click the X.509 v3 extension profile you want to modify and select [ Edit ].
4. Select the Allow User-Defined Extensions checkbox.
5. Select [ OK ] to save changes.

Add Subject Alternate Names

Perform the following steps to add Subject Alternate Names (SANs) to the X.509 v3 extension profiles you plan to use with Venafi Adaptable CA:

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to PKI > X.509 Extensions.
3. Right-click the X.509 v3 extension profile you want to modify and select [ Edit ].
4. Select [ Add ], select the Subject Alternate Name extension type in the drop-down menu, and select [ OK ].
5. Add at least one subject alternate name entry and select [ OK ].
6. Select [ OK ] to save changes.