> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure TLS certificates

> Step-by-step guide to generate, sign, and configure TLS certificates for mutual trust between NetApp ONTAP and KMES Series 3.

Before KMIP connections can occur, the NetApp ONTAP instance and KMES Series 3 must establish a mutual trust relationship by validating their respective digitally signed certificates.

The following sections demonstrate how to generate and sign certificates for NetApp ONTAP and the KMIP server connection pair on the KMES Series 3. The certificates are registered in both NetApp ONTAP and the KMIP server connection pair on the KMES Series 3 and are used each time a TCP/IP session secured by TLS is established.

## Generate and sign the NetApp ONTAP certificate

There are two optional methods for generating and signing the NetApp ONTAP and KMIP server certificates:

1. Use an external CA
2. Use the KMES Series 3 as the CA

<Note>
  It's also possible to use one method for the NetApp ONTAP certificate and the other method for the KMIP server certificate.
</Note>

### Method 1: Use an external CA

For this method, import the external CA certificates into an empty certificate container on the KMES. Then, generate a Certificate Signing Request (CSR), which the external CA uses to issue a TLS client certificate for the NetApp ONTAP instance. Finally, import the certificate into the certificate container on the KMES that contains the external CA certificate.

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default administrator identities.
  </Step>

  <Step>
    Go to **PKI**> **Certificate Authorities** and select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    Specify a **name** for the certificate container, such as `Externally Issued`, and select **\[ OK ]**\*.

    <Check>
      The new certificate container displays in the Certificate Authorities window.
    </Check>
  </Step>

  <Step>
    Right-click the newly created certificate container and select **Import**> **Certificate(s)**.
  </Step>

  <Step>
    In the **Import Certificates** window, select **\[ Add ]** and find and select the external CA certificate that issues the NetApp ONTAP TLS certificate. The CA certificates populate in the **Verified** section of the **Import Certificates** window.
  </Step>

  <Step>
    Select **\[ OK ]** to save.

    <Check>
      The external CA certificates now display in tree form under the certificate container.
    </Check>
  </Step>

  <Step>
    Next, create a placeholder TLS client certificate to generate a CSR. Right-click the lowest-level CA certificate in the tree and select **Add Certificate**> **Pending**.
  </Step>

  <Step>
    On the **Subject DN** tab of the **Create X.509 Certificate** window, set a **Common Name** for the certificate, such as `NetApp ONTAP`.
  </Step>

  <Step>
    Leave all other settings set to the default values and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the placeholder NetApp ONTAP certificate and select **Export**> **Signing Request**.
  </Step>

  <Step>
    Leave all of the settings on the **Subject DN** tab of the **Create PKCS #10 Request** window as the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Client Certificate** profile.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, specify a save location for the CSR and select **\[ OK ]**.

    <Check>
      A message states the certificate signing request was successfully written to the location you specified.
    </Check>
  </Step>

  <Step>
    Then, send the CSR file to an external certificate authority. The external CA uses the CSR to issue a TLS client certificate.

    <Note>
      After the external CA issues the TLS client certificate, copy it to the storage medium configured on the KMES.
    </Note>
  </Step>

  <Step>
    Go to **PKI**> **Certificate Authorities**, right-click the placeholder NetApp ONTAP certificate, and select **Replace**> **With Signed Certificate**.
  </Step>

  <Step>
    In the **Import Certificates** window, select **\[ Add ]**. Then, find and select the externally signed TLS client certificate in the file browser. The certificate displays under the CA certificates in the **Verified** section of the **Import Certificates** window.
  </Step>

  <Step>
    Select **\[ OK ]** to save.
  </Step>

  <Step>
    The remaining steps in this procedure involve exporting the NetApp ONTAP certificate as a PKCS #12 file. To do this, go to **Administration**> **Configuration**> **Options** and enable **Allow export of certificates using passwords**. After enabling this option, select **\[ Save ]**.
  </Step>

  <Step>
    Go to **PKI**> **Certificate Authorities**, right-click the NetApp ONTAP certificate, and select **Export**> **PKCS12**.
  </Step>

  <Step>
    In the **Export PKCS12** window, select **Export Selected** and change the **Cipher Options** to **AES-256**. Note and optionally modify the file name, and select **\[ Next ]**.
  </Step>

  <Step>
    Set a password for the PKCS #12 file and select **\[ Next ]**.
  </Step>

  <Step>
    Select **\[ Finish ]** to save the PKCS #12 file to the specified location.

    <Check>
      This PKCS #12 file contains the signed NetApp ONTAP client certificate, associated private key, and the root certificate, all encrypted under the password set for the file.
    </Check>
  </Step>
</Steps>

### Method 2: Use the KMES Series 3 as the CA

Perform the following steps to use the KMES Series 3 as the CA:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface using the default Admin identities.
  </Step>

  <Step>
    Go to **PKI** > **Certificate Authorities** and select **\[ Add CA ]** at the bottom of the window.
  </Step>

  <Step>
    Specify a name for the certificate container, such as `KMES Issued`, and select **\[ OK ]**.

    <Check>
      The new certificate container displays in the Certificate Authorities menu.
    </Check>
  </Step>

  <Step>
    Right-click the newly created certificate container and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `Root`.
  </Step>

  <Step>
    On the **Basic Info** tab, change the key size to `4096`. Leave all other settings set to the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **Certificate Authority** profile and select **\[ OK ]**.

    <Note>
      The Root CA certificate now displays under the KMES-issued certificate container.
    </Note>
  </Step>

  <Step>
    Right-click the Root CA certificate you created and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `NetApp ONTAP`.
  </Step>

  <Step>
    On the **V3 Extensions** tab, change the profile to **TLS Client Certificate** and select **\[ OK ]**.
  </Step>

  <Step>
    The remaining steps in this procedure involve exporting the NetApp ONTAP certificate as a PKCS #12 file. To do this, perform the following steps:

    1\. Go to **Administration**> **Configuration**> **Options**.

    2\. Enable **Allow export of certificates using passwords**.

    3\. Select **\[ Save ]**.
  </Step>

  <Step>
    Go to **PKI**> **Certificate Authorities,** right-click on the NetApp ONTAP certificate, and select **Export**> **PKCS12**.
  </Step>

  <Step>
    In the **Export PKCS12** window, select **Export Selected** and change the **Cipher Options** to **AES-256**. Note and optionally modify the file name and select **\[ Next ]**.
  </Step>

  <Step>
    Set a password for the PKCS #12 file and select **\[ Next ]**.
  </Step>

  <Step>
    Select **\[ Finish ]** to save the PKCS #12 file to the specified location.

    <Check>
      This PKCS #12 file contains the signed NetApp ONTAP client certificate, associated private key, and the root certificate, all encrypted under the password set for the file.
    </Check>
  </Step>
</Steps>

### Create and configure the KMIP server certificate

Perform the following tasks to create and configure a TLS server certificate for the KMIP connection pair on the KMES Series 3:

1. Generate a private key and construct a CSR.
2. Sign the KMIP connection pair CSR using an external CA or CA generated on the KMES.
3. Get all certificates in the CA tree.
4. Configure the KMIP connection pair to use the signed certificate and CA chain.

#### Generate a private key and CSR

Perform the following steps to generate a private key and construct a CSR:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options** and go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Select the **Connection** drop-down option and select the **KMIP** connection pair.
  </Step>

  <Step>
    **Enable** the KMIP connection pair if it is not already enabled.
  </Step>

  <Step>
    Uncheck the **Use System/Host API SSL Parameters** checkbox if it is selected.
  </Step>

  <Step>
    In the **User** **Certificates** section, select **\[ Edit ]** next to **PKI** **Keys**.
  </Step>

  <Step>
    In the **Application Public Keys** window, select **\[ Generate ]**.
  </Step>

  <Step>
    When prompted that *SSL will not be functional until new certificates are imported*, select **\[ Yes ]** to continue.
  </Step>

  <Step>
    In the **PKI Parameters** window, leave all fields set to the default values and select **\[ OK ]**.

    <Check>
      The Application Public Keys window now shows that a PKI Key Pair is Loaded.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    In the **Subject DN** tab, select **Classic** from the **Preset** drop-down list and specify the hostname or IP address of the KMES in **Common** **Name**.
  </Step>

  <Step>
    On the **V3 Extensions** tab, set the profile to **TLS Server Certificate**.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, specify a save location and name for the CSR file and select **\[ OK ]**\*.
  </Step>

  <Step>
    When prompted that *the certificate signing request was successfully written to the specified location*, select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** again in the **Application Public Keys** window to finish.
  </Step>
</Steps>

#### Sign the CSR

Perform the following steps to sign the KMIP connection pair CSR:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the Root CA certificate and select **Add Certificate** > **From Request**.
  </Step>

  <Step>
    In the file browser, select the KMIP connection pair CSR.

    <Check>
      Certificate information populates in the Create X.509 From CSR window.
    </Check>
  </Step>

  <Step>
    Leave all settings exactly as they are and select **\[ OK ]** to save.

    <Check>
      The signed KMIP connection pair certificate now displays under the Root CA certificate in the CA tree.
    </Check>
  </Step>
</Steps>

#### Export all certificates

If you signed the KMIP server certificate with an external CA, download each individual CA certificate in the CA tree using a mechanism supported by the external CA. If you signed the KMIP server certificate using a KMES-hosted CA, perform the following steps to export each CA certificate in the tree:

<Steps>
  <Step>
    Right-click the certificates in the certificate tree and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    On the **Export** **Certificate** window, change the encoding to **PEM** and specify a save location for the file.
  </Step>
</Steps>

#### Configure the KMIP connection pair

Perform the following steps to configure the KMIP connection pair to use the signed certificate and CA chain:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options** and go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Select the **Connection** drop-down option and select the **KMIP** connection pair.
  </Step>

  <Step>
    In the **User** **Certificates** section, select **\[ Edit ]** next to **Certificates**.
  </Step>

  <Step>
    On the **Certificate** **Authority** window, right-click the **KMIP SSL CA** X.509 certificate container and select **\[ Import ]**.
  </Step>

  <Step>
    On the **Import** **Certificates** window, select **\[ Add ]** at the bottom of the window.
  </Step>

  <Step>
    In the file browser, select the signed KMIP server certificate and every CA certificate in the CA tree, then select **\[ Open ]**.

    <Check>
      The certificates now display in the Verified section of the Import Certificates window.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save.

    <Check>
      You now see Signed loaded next to Certificates in the User Certificates section of the Network Options window under the KMIP connection pair.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and finish.
  </Step>
</Steps>

## Create a role and identity

This section covers the following tasks to create a role and identity on the KMES Series 3 for NetApp ONTAP:

1. Add a PKI Identity Provider.
2. Create a NetApp ONTAP role.
3. Create a NetApp ONTAP identity.

### Add a PKI identity provider

Perform the following steps to add a **PKI** identity provider (IdP) configured with the **TLS** authentication mechanism:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Identity** **Management** > **Identity** **Providers**.
  </Step>

  <Step>
    Right-click anywhere in the window and select **Add** > **Provider** > **PKI**.
  </Step>

  <Step>
    On the **Info** tab of the **Identity Provider Editor** window, specify a **name** for the Identity Provider and uncheck **Enforce Dual Factor**.
  </Step>

  <Step>
    On the **PKI** **Options** tab, select **\[ Select ]**.
  </Step>

  <Step>
    In the **Certificate** **Selector** window, expand the certificate tree you created for mutual authentication, select the root CA certificate for the CA that issued the NetApp ONTAP certificate, and select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the PKI IdP.
  </Step>

  <Step>
    Right-click the identity provider you just created and select **Add** > **Mechanism** > **TLS**.
  </Step>

  <Step>
    On the **Info** tab, specify a name for the authentication mechanism.
  </Step>

  <Step>
    On the **PKI** tab, leave all fields set to the default values.
  </Step>

  <Step>
    Select **\[ OK ]** to save.
  </Step>
</Steps>

### Create a role

Perform the following steps to create a role for NetApp ONTAP:

<Steps>
  <Step>
    Go to **Identity** **Management** > **Roles** and select **\[ Add ]**.
  </Step>

  <Step>
    On the **Info** tab of the **Role** **Editor** window, set the **Type** to **Application**, set any **name**(the role name does not matter), and **Logins** **Required** to `1`.
  </Step>

  <Step>
    On the **Permissions** tab, enable all of the following permissions (including their sub-permissions):

    * **Certificate Authority**
    * **Cryptographic Operations**
    * **Keys**
  </Step>

  <Step>
    On the **Advanced** tab, set **Allowed** **Ports** to **KMIP** only.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the role.
  </Step>
</Steps>

### Create an identity

Perform the following steps to create an identity for NetApp ONTAP:

<Steps>
  <Step>
    Go to **Identity** **Management** > **Identities**.
  </Step>

  <Step>
    Right-click anywhere in the window and select **Add** > **Client** **Application**.
  </Step>

  <Step>
    On the **Info** tab of the **Identity** **Editor** window, select **Application** for the storage location and specify `NetApp ONTAP` as the identity name.

    <Note>
      The identity name MUST match the Common Name of the NetApp ONTAP TLS client certificate. If it does not, TLS authentication fails.
    </Note>
  </Step>

  <Step>
    On the **Assigned** **Roles** tab, select the role you created for NetApp ONTAP.
  </Step>

  <Step>
    On the **Authentication** tab, remove the default API Key mechanism and select **\[ Add ]**.
  </Step>

  <Step>
    In the **Configure** **Credential** window, select the **TLS** **Certificate** drop-down option in **Type** and select the Provider and Mechanism you created. Select **\[ OK ]** to finish configuring the credential.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the identity.
  </Step>
</Steps>
