> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure TLS certificates for mutual authentication

> Procedural guide to generating and configuring X.509 TLS certificates for mutual authentication.

Before KMIP connections between IBM Db2 and the KMES Series 3 can occur, both parties must establish a mutual trust relationship by validating their respective digitally signed certificates. This section shows how to create X.509 certificates for IBM Db2 and the KMIP connection pair on the KMES Series 3, which they use for TLS communication.

## Create the CA

Perform the following steps to create the certificate authority (CA):

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface by using the default Admin users.
  </Step>

  <Step>
    Go to **PKI**> **Certificate Authorities** and select **\[ Add CA ]**.
  </Step>

  <Step>
    Specify a **Name** for the CA, and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the new certificate container and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    Change the **Preset** drop-down option to **Classic** and set the **Common Name** value to `Root`.
  </Step>

  <Step>
    On the **Basic Info** tab, leave the settings set to the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, set the **Profile** to **Certificate Authority** and select **\[ OK ]** to save.
  </Step>
</Steps>

## Create the TLS certificate

To create and configure the TLS certificate for the KMIP connection pair on the KMES Series 3, perform the following tasks:

1. Generate a private key.
2. Construct a CSR.
3. Sign the KMIP connection pair.
4. Export the certificates.
5. Configure the KMIP connection pair.

### Generate a private key

Perform the following steps to generate a private key:

<Steps>
  <Step>
    Go to **Administration**> **Configuration** and double-click **Network Options**. On the **TLS/SSL Settings** tab, select the **Connection** drop-down option and select the **KMIP** connection pair.
  </Step>

  <Step>
    Enable the **KMIP** connection pair if it is not already enabled.
  </Step>

  <Step>
    Uncheck **Use System/Host API SSL Parameters** if it is selected.
  </Step>

  <Step>
    In the **User Certificates** section, select **\[ Edit ]** next to **PKI keys**.
  </Step>

  <Step>
    Select **\[ Generate ]** to create a new PKI key pair.
  </Step>

  <Step>
    Select **\[ Yes ]** and bypass the warning about SSL not being functional until new certificates are imported.
  </Step>

  <Step>
    On the **PKI Parameters** window, leave all settings set to the default values and select **\[ OK ]**.

    <Check>
      The Application Public Keys window should now show that the PKI key pair is Loaded.
    </Check>
  </Step>
</Steps>

### Construct a CSR

Perform the following steps to construct a Certificate Signing Request (CSR):

<Steps>
  <Step>
    On the **Application Public Keys** window, select **\[ Request ]**.
  </Step>

  <Step>
    On the **Subject** **DN** tab, change the **Preset** drop-down option to **Classic** and specify the hostname or IP address of the KMES in the **Common** **Name** field.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, set the profile to **TLS Server Certificate**.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, specify a save location and name for the CSR file and select **\[ OK ]**.
  </Step>

  <Step>
    When prompted that *the certificate signing request was successfully written to the specified location*, select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** in the **Application Public Keys** window and select **\[ OK ]** in the main **Network** **Options** window.
  </Step>
</Steps>

### Sign the CSR

Perform the following steps to sign the KMIP connection pair CSR:

<Steps>
  <Step>
    Go to the **PKI** > **Certificate** **Authorities** menu. Right-click the Root CA certificate and select **Add** **Certificate** > **From** **Request**.
  </Step>

  <Step>
    In the file browser, find and select the KMIP connection pair CSR.

    <Check>
      Certificate information should populate in the Create X.509 From CSR window.
    </Check>
  </Step>

  <Step>
    Leave all settings set to the default values and select **\[ OK ]** to save.

    <Check>
      The signed KMIP connection pair certificate should display now under the Root CA certificate in the CA tree.
    </Check>
  </Step>
</Steps>

### Export all certificates

Perform the following steps to export all certificates in the CA tree:

<Steps>
  <Step>
    Right-click each certificate in the certificate tree and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    On the **Export** **Certificate** window for each of them, change the encoding to **PEM** and specify a save location for the file.
  </Step>
</Steps>

### Configure the connection pair

Perform the following steps to configure the KMIP connection pair to use the signed certificate and CA chain:

<Steps>
  <Step>
    Go to the **Administration** > **Configuration** menu and double-click **Network** **Options**. On the **TLS/SSL Settings** tab, select the **Connection** drop-down option and select the **KMIP** connection pair.
  </Step>

  <Step>
    In the **User** **Certificates** section, select **\[ Edit ]** next to **Certificates**.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, right-click the **KMIP SSL CA X.509** certificate container and select **\[ Import ]**.
  </Step>

  <Step>
    In the **Import** **Certificates** window, select **\[ Add ]** at the bottom of the window. In the file browser, select both the root CA certificate and the signed KMIP connection pair certificate and select **\[ Open ]**.

    <Check>
      The certificates should now display in the Verified section of the Import Certificates window.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save.

    <Check>
      It should now display Signed loaded next to Certificates in the User Certificates section of the Network Options window.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and finish.
  </Step>
</Steps>
