Configure TLS certificates for communication between FxPKCS11 and the KMES Series 3

This section provides instructions on configuring TLS communication between the KMES Series 3 and the computer where you have installed Java Jarsigner along with the Futurex PKCS #11 (FxPKCS11) module. This configuration allows both parties to establish a mutual trust relationship by validating each other’s digitally signed certificates. The following instructions outline how to generate and sign certificates for both FxPKCS11 and the System/Host API connection on the KMES Series 3. These certificates will be utilized each time a TCP/IP session secured with TLS is initiated.

Generate and sign the Futurex PKCS #11 module TLS certificate

There are two optional methods for generating and signing the FxPKCS11 library and System/Host API certificates:

Use an external CA
Use the KMES Series 3 as the CA

It’s also possible to use one method for the FxPKCS11 certificate and the other method for the System/Host API certificate.

Method 1: Use an external CA

For this method, import the external CA certificates into an empty certificate container on the KMES Series 3. Then, generate a Certificate Signing Request (CSR), which the external CA uses to issue a TLS client certificate for FxPKCS11. Finally, import the certificate into the certificate container on the KMES that contains the external CA certificate.

Go to PKI> Certificate Authorities and select [ Add CA ] at the bottom of the page.

Specify a name for the certificate container, such as Externally Issued, and select [ OK ]*.

The new certificate container displays in the Certificate Authorities window.

Right-click the newly created certificate container and select Import> Certificate(s).

In the Import Certificates window, select [ Add ] and find and select the external CA certificate that issues the FxPKCS11 TLS certificate. The CA certificates populate in the Verified section of the Import Certificates window.

Select [ OK ] to save.

The external CA certificates now display in tree form under the certificate container.

Next, create a placeholder TLS client certificate to generate a CSR. Right-click the lowest-level CA certificate in the tree and select Add Certificate> Pending.

On the Subject DN tab of the Create X.509 Certificate window, set a Common Name for the certificate, such as FxPKCS11.

Leave all other settings set to the default values and select [ OK ].

Right-click the placeholder FxPKCS11 certificate and select Export> Signing Request.

Leave all of the settings on the Subject DN tab of the Create PKCS #10 Request window as the default values.

On the V3 Extensions tab, select the TLS Client Certificate profile.

On the PKCS #10 Info tab, specify a save location for the CSR and select [ OK ].

A message states the certificate signing request was successfully written to the location you specified.

Then, send the CSR file to an external certificate authority. The external CA uses the CSR to issue a TLS client certificate.

After the external CA issues the TLS client certificate, copy it to the storage medium configured on the KMES.

Go to PKI> Certificate Authorities, right-click the placeholder FxPKCS11 certificate, and select Replace> With Signed Certificate.

In the Import Certificates window, select [ Add ]. Then, find and select the externally signed TLS client certificate in the file browser. The certificate displays under the CA certificates in the Verified section of the Import Certificates window.

Select [ OK ] to save.

The remaining steps in this procedure involve exporting the FxPKCS11 certificate as a PKCS #12 file. To do this, go to Administration> Configuration> Options and enable Allow export of certificates using passwords. After enabling this option, select [ Save ].

Go to PKI> Certificate Authorities, right-click the FxPKCS11 certificate, and select Export> PKCS12.

In the Export PKCS12 window, select Export Selected and change the Cipher Options to AES-256. Note and optionally modify the file name, and select [ Next ].

Set a password for the PKCS #12 file and select [ Next ].

Select [ Finish ] to save the PKCS #12 file to the specified location.

This PKCS #12 file contains the signed FxPKCS11 client certificate, associated private key, and the root certificate, all encrypted under the password set for the file.

Method 2: Use the KMES Series 3 as the CA

Perform the following steps to use the KMES Series 3 as the CA:

Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the window.

Specify a name for the certificate container, such as KMES Issued, and select [ OK ].

The new certificate container displays in the Certificate Authorities menu.

Right-click the newly created certificate container and select Add Certificate > New Certificate.

On the Subject DN tab, set a Common Name for the certificate, such as Root.

On the Basic Info tab, change the key size to 4096. Leave all other settings set to the default values.

On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].

The Root CA certificate now displays under the KMES-issued certificate container.

Right-click the Root CA certificate you created and select Add Certificate > New Certificate.

On the Subject DN tab, set a Common Name for the certificate, such as FxPKCS11.

On the V3 Extensions tab, change the profile to TLS Client Certificate and select [ OK ].

The remaining steps in this procedure involve exporting the FxPKCS11 certificate as a PKCS #12 file. To do this, perform the following steps:1. Go to Administration> Configuration> Options.2. Enable Allow export of certificates using passwords.3. Select [ Save ].

Go to PKI> Certificate Authorities, right-click on the FxPKCS11 certificate, and select Export> PKCS12.

In the Export PKCS12 window, select Export Selected and change the Cipher Options to AES-256. Note and optionally modify the file name and select [ Next ].

Set a password for the PKCS #12 file and select [ Next ].

Select [ Finish ] to save the PKCS #12 file to the specified location.

This PKCS #12 file contains the signed FxPKCS11 client certificate, associated private key, and the root certificate, all encrypted under the password set for the file.

Create and configure the System/Host API TLS certificate

Perform the following tasks to create and configure a TLS server certificate for the System/Host API connection pair on the KMES Series 3:

Generate a private key and construct a CSR.
Sign the System/Host API connection pair CSR using an external CA or CA generated on the KMES.
Download all certificates in the CA tree.
Configure the System/Host API connection pair to use the signed certificate and CA chain.

Generate a private key and CSR

Perform the following steps to generate a private key and construct a CSR:

Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.

Select the Connection drop-down option and select the System/Host API connection pair.

Uncheck the Use System/Host API SSL Parameters checkbox if it is selected.

In the User Certificates section, select [ Edit ] next to PKI Keys.

In the Application Public Keys window, select [ Generate ].

When prompted that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.

In the PKI Parameters window, leave all fields set to the default values and select [ OK ].

The Application Public Keys window now shows that a PKI Key Pair is Loaded.

Select [ Request ].

In the Subject DN tab, select Classic from the Preset drop-down list and specify the hostname or IP address of the KMES in Common Name.

On the V3 Extensions tab, set the profile to TLS Server Certificate.

On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ]*.

When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].

Select [ OK ] again in the Application Public Keys window to finish.

Sign the CSR

Perform the following steps to sign the System/Host API connection pair CSR:

Go to PKI > Certificate Authorities.

Right-click the Root CA certificate and select Add Certificate > From Request.

In the file browser, select the System/Host API connection pair CSR.

Certificate information populates in the Create X.509 From CSR window.

Leave all settings exactly as they are and select [ OK ] to save.

The signed System/Host API connection pair certificate now displays under the Root CA certificate in the CA tree.

Export all certificates

If you signed the System/Host API server certificate with an external CA, download each individual CA certificate in the CA tree using a mechanism supported by the external CA. If you signed the System/Host API server certificate using a KMES-hosted CA, perform the following steps to export each CA certificate in the tree:

Right-click the certificates in the certificate tree and select Export > Certificate(s).

On the Export Certificate window, change the encoding to PEM and specify a save location for the file.

Configure the System/Host API connection pair

Perform the following steps to configure the System/Host API connection pair to use the signed certificate and CA chain:

Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.

Select the Connection drop-down option and select the System/Host API connection pair.

In the User Certificates section, select [ Edit ] next to Certificates.

On the Certificate Authority window, right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].

On the Import Certificates window, select [ Add ] at the bottom of the window.

In the file browser, select the signed System/Host API certificate and every CA certificate in the CA tree, then select [ Open ].

The certificates now display in the Verified section of the Import Certificates window.

Select [ OK ] to save.

You now see Signed loaded next to Certificates in the User Certificates section of the Network Options window under the System/Host API connection pair.

Select [ OK ] to save and finish.

​Generate and sign the Futurex PKCS #11 module TLS certificate

​Method 1: Use an external CA

​Method 2: Use the KMES Series 3 as the CA

​Create and configure the System/Host API TLS certificate

​Generate a private key and CSR

​Sign the CSR

​Export all certificates

​Configure the System/Host API connection pair

Generate and sign the Futurex PKCS #11 module TLS certificate

Method 1: Use an external CA

Method 2: Use the KMES Series 3 as the CA

Create and configure the System/Host API TLS certificate

Generate a private key and CSR

Sign the CSR

Export all certificates

Configure the System/Host API connection pair