> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure KMES Series 3

> Configuration steps on KMES Series 3 to enable SignTool integration, including TLS settings.

This section covers general configurations on the KMES Series 3 to enable SignTool to integrate with the KMES by using the Futurex CNG library. Then, it shows you how to configure TLS communication between the System/Host API port on the KMES and the Futurex CNG library.

## Configure general KMES settings

Perform the following tasks to configure the KMES Series 3 for communication with SignTool:

1. Create a SignTool role with the required permissions.
2. Create a SignTool identity with the correct assigned roles.
3. Enable Host API commands.
4. Create a signing approval group.
5. Export the code signing certificate.
6. Export the CA certificate that issued the code signing certificate.
7. Apply an issuance policy to the code signing certificate

The following sections show you how to complete these tasks.

### Create a role

Perform the following steps to create a role for Signtool with the required permissions:

<Steps>
  <Step>
    Log in to the KMES Series 3 with the default Admin identities.
  </Step>

  <Step>
    Go to **Identity** **Management** > **Roles** and select **\[ Add ]**.
  </Step>

  <Step>
    On the **Info** tab, set the **Type** to **Application**, set a **name** for the role, such as `SignTool`, and set the **Logins** **Required** to `1`.
  </Step>

  <Step>
    On the **Permissions** tab, enable the following permissions:

    <table>
      <thead>
        <tr>
          <th><em><strong>Permission</strong></em></th>
          <th><em><strong>Subpermission</strong></em> </th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Certificate</strong> <strong>Authority</strong></td>
          <td>Export, Upload</td>
        </tr>

        <tr>
          <td><strong>Keys</strong></td>
          <td>Add</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    On the **Advanced** tab, configure **Allowed** **Ports** to **Host API** only.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the role.
  </Step>
</Steps>

### Create a new identity and assign it to the SignTool role

Perform the following steps to create a new identity and assign it to the SignTool role:

<Steps>
  <Step>
    Go to **Identity** **Management** > **Identities**, right-click anywhere in the window, and select **Add** > **Client** **Application**.
  </Step>

  <Step>
    On the **Info** tab, set the **Storage** type to **Application** and set a **name** for the identity, such as `SignTool`.
  </Step>

  <Step>
    On the **Assigned** **Roles** tab, select the SignTool role you just created.
  </Step>

  <Step>
    On the **Authentication** tab, remove the default **API Key** mechanism, add the **Password** authentication mechanism, and configure a password.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the identity.

    <Note>
      A later section shows how to configure the SignTool identity in the `fxpkcs11.cfg` file to enable the Futurex PKCS #11 library to connect to the KMES Series 3.
    </Note>
  </Step>
</Steps>

### Enable the Host API commands

Because the Futurex CNG library connects to the Host API port on the KMES, you must define which Host API commands to enable for the **FXCNG** library. To enable the Host API commands required for Microsoft Signtool operations, complete the following steps:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Administration** > **Configuration** > **Host API Options** and enable the following commands:

    <table>
      <thead>
        <tr>
          <th><em><strong>Command</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>ECHO</strong></td>
          <td>Communication Test/Retrieve Version</td>
        </tr>

        <tr>
          <td><strong>RAFA</strong></td>
          <td>Filter Issuance Policy</td>
        </tr>

        <tr>
          <td><strong>RAGA</strong></td>
          <td>Retrieve Issuance Policy</td>
        </tr>

        <tr>
          <td><strong>RAGO</strong></td>
          <td>Retrieve Request (Hash Signing)</td>
        </tr>

        <tr>
          <td><strong>RAUO</strong></td>
          <td>Upload Request (Hash Signing)</td>
        </tr>

        <tr>
          <td><strong>RAGZ</strong></td>
          <td>Retrieve Request (Authenticode)</td>
        </tr>

        <tr>
          <td><strong>RAUZ</strong></td>
          <td>Upload Request (Authenticode)</td>
        </tr>

        <tr>
          <td><strong>RAGJ</strong></td>
          <td>Retrieve Request (Jar Signing)</td>
        </tr>

        <tr>
          <td><strong>RAUJ</strong></td>
          <td>Upload Request (Jar Signing)</td>
        </tr>

        <tr>
          <td><strong>RKCP</strong></td>
          <td>Get Command Permissions</td>
        </tr>

        <tr>
          <td><strong>RKLN</strong></td>
          <td>Lookup Objects</td>
        </tr>

        <tr>
          <td><strong>RKLO</strong></td>
          <td>Login User</td>
        </tr>

        <tr>
          <td><strong>RKRK</strong></td>
          <td>Retrieve Generated Keys</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ Save ]** to finish.
  </Step>
</Steps>

### Create a signing approval group

Perform the following steps to create a signing approval group:

<Steps>
  <Step>
    Go to **PKI** > **Signing** **Workflow** and select **\[ Add Approval Group ]** at the bottom of the page.
  </Step>

  <Step>
    Set a name for the **Approval Group**, such as `SignTool`, and select **\[ OK ]** to save.
  </Step>

  <Step>
    Right-click the **SignTool** approval group and select **\[ Permission ]**.
  </Step>

  <Step>
    Give the **SignTool** role the **Use** permission and select **\[ OK ]** to save.
  </Step>
</Steps>

### Create a code signing certificate

This section describes three different methods that you can use to issue a code signing certificate.

#### Use a CA

Perform the following steps to use a CA on the KMES:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities** and select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, enter a **Name** for the certificate container, such as `SignTool`. Set the **owner** field to the **SignTool** role and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the **SignTool** certificate container and select **Add** **Certificate** > **New** **Certificate**.
  </Step>

  <Step>
    On the **Subject** **DN** tab, set a **Common Name** for the certificate, such as `Root`.
  </Step>

  <Step>
    On the **Basic** **Info** tab, leave the fields set to the default values.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the **Certificate Authority** profile and select **\[ OK ]**.

    <Check>
      The Root CA certificate now displays under the SignTool certificate container.
    </Check>
  </Step>

  <Step>
    Right-click the Root CA certificate you created and select **Add** **Certificate** > **New** **Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `Code Signing`.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the **Code Signing Certificate** profile and select **\[ OK ]**.

    <Check>
      The code signing certificate now displays under the Root CA certificate in the SignTool certificate container.
    </Check>
  </Step>
</Steps>

#### Use an External CA

For this method, you must import the external CA certificates into an empty certificate container on the KMES. Then, generate a Certificate Signing Request (CSR), which the external CA uses to issue a code signing certificate. Finally, import the code signing certificate into the certificate container on the KMES that contains the external CA certificate.

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities** and select **\[ Add CA]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, enter a **Name** for the certificate container, such as `SignTool`. Set the owner field to the **SignTool** role and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the **SignTool** certificate container and select **Import** > **Certificates**.
  </Step>

  <Step>
    In the **Import** **Certificates** window, select **\[ Add ]** and select the external CA certificates for issuing the code signing certificate.

    <Check>
      The CA certificates display in the Verified section of the Import Certificates window.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save.

    <Check>
      The external CA certificates should now display in tree form under the SignTool certificate container.
    </Check>
  </Step>

  <Step>
    To create a placeholder code signing certificate, from which you can generate a CSR, right-click the lowest level CA certificate in the tree and select **Add** **Certificate** > **Pending**.
  </Step>

  <Step>
    On the **Subject** **DN** tab of the **Create X.509 Certificate** window, set a **Common Name** for the certificate, such as `Code Signing`.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the code signing certificate profile.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      The code signing placeholder certificate now displays under the external CA certificates.
    </Check>
  </Step>

  <Step>
    Right-click the placeholder code signing certificate and select **Export** > **Signing** **Request**.
  </Step>

  <Step>
    On the **Subject** **DN** tab of the **Create PKCS #10 Request** window, leave all fields set to the default values.0
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the code signing certificate profile.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, specify a save location for the CSR and select **\[ OK ]**.

    <Check>
      A message box states that the certificate signing request was successfully written to the location you specified.
    </Check>
  </Step>

  <Step>
    Send the CSR file to an external certificate authority (CA).

    <Check>
      Using the CSR, the external CA issues a code signing certificate.
    </Check>
  </Step>

  <Step>
    After the external CA issues the code signing certificate, copy it to the storage medium you configured on the KMES.
  </Step>

  <Step>
    In the **Certificate** **Authorities** menu on the KMES, right-click the placeholder code signing certificate and select **Replace** > **With** **Signed** **Certificate**.
  </Step>

  <Step>
    In the **Import** **Certificates** window, select **\[ Add ]** and select the externally signed code signing certificate in the file browser.

    <Check>
      The code signing certificate displays under the CA certificates in the Verified section of the Import Certificates window.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save.
  </Step>
</Steps>

#### Import an existing certificate

<Note>
  To perform the steps in this section, you must go to Administration > Configuration > Options and enable the Allow import of certificates using passwords option.
</Note>

Perform the following steps to import an existing code signing certificate as a PKCS #12 file:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities** and select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, enter a **Name** for the certificate container, such as `imported`. Set the owner field to the SignTool role and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the **Imported** certificate container, and select **Import** > **PKCS12**.
  </Step>

  <Step>
    In the **Import** **PKCS12** window, select the PKCS #12 file to import and select **\[ Next ]**.
  </Step>

  <Step>
    Input the file password and select **\[ Next ]**.
  </Step>

  <Step>
    Select **\[ Finish ]** to initiate the import.
  </Step>
</Steps>

### Export the code signing certificate

Perform the following steps to export the code signing certificate, no matter which of the preceding methods you used to create it:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the code signing certificate you configured in the previous section, then select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    Change the encoding to **PEM** and select **\[ Browse ]**. Specify the location where you want to save the file.
  </Step>

  <Step>
    Select **\[ OK ]** to initiate the export.
  </Step>
</Steps>

### Export the CA certificate

Perform the following steps to export the CA certificate that issued the code signing certificate, no matter which method you used to create it:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the CA certificate that issued the code signing certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    Change the encoding to **PEM** and select **\[ Browse ]**. Specify the location where you want to save the file.
  </Step>

  <Step>
    Select **\[ OK ]** to initiate the export.
  </Step>

  <Step>
    Repeat steps 1-4 for any additional CA certificates that are in the certificate tree (if applicable).
  </Step>
</Steps>

### Apply an issuance policy

Perform the following steps to apply an issuance policy to the code signing certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the code signing certificate and select **Issuance** **Policy** > **Add**.
  </Step>

  <Step>
    On the **Basic** **Info** tab, set **Approvals** to `0` to allow anonymous signing and select any hashes that you want to allow.
  </Step>

  <Step>
    On the **X.509** tab, set the Default approval group to **SignTool**.
  </Step>

  <Step>
    On the **Object** **Signing** tab, select the **Allow object signing** checkbox.
  </Step>

  <Step>
    Select **\[ OK ]** to apply the issuance policy to the SignTool code signing certificate.
  </Step>
</Steps>

## Configure TLS communication

Perform the following tasks to configure TLS communication between the KMES Series 3 and the **FXCL CNG** library:

1. Create a Certificate Authority (CA).
2. Generate a CSR for the System/Host API connection pair.
3. Sign the System/Host API CSR.
4. Export the Root CA and the signed System/Host API TLS certificate.
5. Load the exported certificates into the System/Host API connection pair.
6. Generate a signed client certificate for SignTool and **FXCNG**.
7. Allow export of certificates using passwords.
8. Export the signed SignTool certificate as a PKCS #12 file.

The following sections describe how to perform these tasks.

### Create a CA

Perform the following steps to create a Certificate Authority (CA):

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **PKI** > **Certificate** **Authorities** and select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, enter a **Name** for the certificate container, leave all other fields set to the default values, and select **\[ OK ]**.

    <Check>
      The new certificate container now displays in the Certificate Authorities menu.
    </Check>
  </Step>

  <Step>
    Right-click the certificate container and select **Add** **Certificate** > **New** **Certificate**.
  </Step>

  <Step>
    On the **Subject** **DN** tab, set a **Common Name** for the certificate, such as `System TLS CA Root`.
  </Step>

  <Step>
    On the **Basic** **Info** tab, leave fields set to the default values.
  </Step>

  <Step>
    In the **V3** **Extensions** tab, select the **Certificate** **Authority** profile and select **\[ OK ]**.

    <Check>
      The root CA certificate now displays under the previously created certificate container.
    </Check>
  </Step>
</Steps>

### Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, select the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, uncheck the **Use Futurex certificates** checkbox and select **\[ Edit ]** next to **PKI** **keys** in the **User** **Certificates** section.
  </Step>

  <Step>
    In the **Application** **Public** **Keys** window, select **\[ Generate ]**.
  </Step>

  <Step>
    When warned that *SSL will not be functional until new certificates are imported*, select **\[ Yes ]** to continue.
  </Step>

  <Step>
    In the **PKI** **Parameters** window, leave the default settings and select **\[ OK ]**.

    <Check>
      The Application Public Keys window now shows that a PKI Key Pair is loaded.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    On the **Subject** **DN** tab, you can leave the default System/Host API value set in the **Common Name** field, or you can change it to a different value.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the **TLS** **Server** **Certificate** profile.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, select a save location for the CSR and select **\[ OK ]**\*.

    <Check>
      The main Network Options window now shows Loaded next to PKI keys.
    </Check>
  </Step>
</Steps>

### Sign the CSR

Perform the following steps to sign the System/Host API CSR:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the root CA certificate you created and select **Add** **Certificate** > **From** **Request**.
  </Step>

  <Step>
    In the file browser, select the CSR that you generated for the System/Host API connection pair.
  </Step>

  <Step>
    After it loads, don't modify any settings for the certificate. Select **\[ OK ]**.

    <Check>
      The signed System/Host API certificate now displays under the root CA certificate on the Certificate Authorities page.
    </Check>
  </Step>
</Steps>

### Export the root CA

Perform the following steps to export the root CA and signed System/Host API TLS certificates

<Steps>
  <Step>
    Right-click the root CA certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    Change the encoding to **PEM** and select **\[ Browse ]**. Specify a save location and name for the export file.
  </Step>

  <Step>
    When prompted that *the file was successfully written to the location that was selected*, select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the signed **System/Host API** certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    Change the encoding to **PEM** and select **\[ Browse ]**. Specify a save location and name for the export file.
  </Step>

  <Step>
    When prompted that *the file was successfully written to the location that was selected*, select **\[ OK ]**.
  </Step>
</Steps>

### Load the TLS certificates

Perform the following steps to load the exported TLS certificates into the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Select **\[ Edit ]** next to **Certificates** in the **User** **Certificates** section.
  </Step>

  <Step>
    Right-click the **System/Host API SSL CA** X.509 certificate container and select **\[ Import ]**.
  </Step>

  <Step>
    Select **\[ Add ]** at the bottom of the **Import** **Certificates** window.
  </Step>

  <Step>
    In the file browser, select both the root CA certificate and the signed System/Host API certificate, and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to save the changes.

    <Check>
      In the Network Options window, the System/Host API connection pair  shows Signed loaded next to Certificates in the User Certificates section
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and exit the **Network Options** window.
  </Step>
</Steps>

### Generate a TLS certificate

Perform the following steps to generate a signed client TLS certificate for SignTool and FXCNG:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the root CA certificate and select **Add** **Certificate** > **New** **Certificate**.
  </Step>

  <Step>
    On the **Subject** **DN** tab, set a **Common Name** for the certificate, such as `SignTool`.
  </Step>

  <Step>
    Leave all fields on the **Basic** **Info** tab set to the default values.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the **TLS** **Client** **Certificate** profile and select **\[ OK ]**.

    <Check>
      The signed SignTool certificate now displays the root CA certificate.
    </Check>
  </Step>
</Steps>

### Allow export of certificates

Perform the following steps to configure the **Allow export of certificates by using passwords** option:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Options**.
  </Step>

  <Step>
    Select the checkbox next to the second menu option, **Allow export of certificates using passwords**.
  </Step>

  <Step>
    Select **\[ Save ]**.
  </Step>
</Steps>

### Export the certificate

Perform the following steps to export the signed SignTool client TLS certificate as a PKCS #12 file:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the signed SignTool Client certificate and select **Export** > **PKCS12**.
  </Step>

  <Step>
    Select **\[ Set Password ]**, enter a password for the PKCS #12 file, and select **\[ Save ]**.
  </Step>

  <Step>
    In the **Export** **Certificate** window, select **Export** **Selected Certificate** under **Export** **Options** and select **\[ Next ]**.
  </Step>

  <Step>
    Specify a name for the PKCS #12 export file and select **\[ Open ]**.

    <Check>
      A message box states that the PKCS #12 certificate export was successful.
    </Check>
  </Step>

  <Step>
    Move the **SignTool** certificate and the **System TLS CA Root** certificate to the computer that uses the Microsoft SignTool application.

    A later section configures them in the Futurex **CNG** configuration file and uses them for TLS communication with the KMES Series 3.
  </Step>
</Steps>

##

###
