Skip to main content
Before KMIP connections between MySQL Server and the KMES Series 3 can occur, both parties must establish a mutual trust relationship by validating their respective digitally signed certificates. This section shows you how to create X.509 certificates for MySQL Server and the KMIP connection pair on the KMES Series 3, which they use for TLS communication.

Create the X.509 certificates for TLS mutual authentication

Use one of the following optional methods for creating the MySQL Server and KMIP connection pair TLS certificates:
  1. Use an external CA
  2. Use the KMES Series 3 as the CA

Method 1: Use an external CA

To use an external CA to create the TLS certificates, perform the following tasks:
  1. Generate a private key pair and create a Certificate Signing Request (CSR) for MySQL Server.
  2. Create a TLS certificate for the KMIP connection pair on the KMES Series 3.

Generate a private key and CSR

Perform the following tasks in this section to create the private key and CSR for MySQL Server:
  1. Generate a private key.
  2. Get the CSR signed.
  3. Import the certificate and chain onto the KMES Series 3.

Generate a private key

Perform the following steps to generate a private key:
1
In a terminal, run the following OpenSSL command to generate a private key:
Shell
openssl genpkey -algorithm RSA -out key.pem
2
Run the following OpenSSL command to generate a CSR, specifying MySQL as the Common Name in the CSR.:
Shell
openssl req -new -key key.pem -out client.csr

Get the CSR signed

Perform the following steps to get the CSR signed by an external CA:
1
Send the CSR file to the external CA.
2
After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.

Import the certificate

Perform the following steps to import the signed MySQL Server certificate and chain into a new X.509 certificate container on the KMES Series 3:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to PKI > Certificate Authorities and select [ Add CA ].
3
Specify a name for the X.509 certificate container and select [ OK ].
4
Right-click the new certificate container and select Import > Certificate(s).
5
In the Import Certificates window, select [ Add ].
6
Select the signed MySQL Server certificate and all CA certificates in the certificate chain, and select [ Open ].
All of the certificates display in tree form in the Verified section of the Import Certificates window.
7
Select [ OK ] to save.

Create a TLS certificate for the KMIP connection pair on the KMES Series 3

To create the TLS certificate, perform the following tasks:
  1. Generate a private key and create a CSR.
  2. Get the CSR signed.
  3. Configure a KMIP connection pair.

Generate a private key and CSR

Perform the following steps to generate a private key and construct a CSR:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
3
Select the Connection drop-down option and select the KMIP connection pair.
4
Enable the KMIP connection pair if it is not already enabled.
5
Uncheck the Use System/Host API SSL Parameters checkbox if it is selected.
6
In the User Certificates section, select [ Edit ] next to PKI Keys.
7
In the Application Public Keys window, select [ Generate ].
8
When prompted that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
9
In the PKI Parameters window, leave all fields set to the default values and select [ OK ].
The Application Public Keys window now shows that a PKI Key Pair is Loaded.
10
Select [ Request ].
11
On the Subject DN tab, select Classic in the Preset drop-down list and specify the hostname or IP address of the KMES in the Common Name field.
12
On the V3 Extensions tab, set the profile to TLS Server Certificate.
13
On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ]*.
14
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].
15
Select [ OK ] again in the Application Public Keys window to finish.

Get the CSR signed

Perform the following steps to get the CSR signed by an external CA:
1
Send the CSR file to the external CA.
2
After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.

Configure the KMIP connection pair

Perform the following steps to configure the KMIP connection pair to use the signed certificate and CA chain:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Administration > Configuration > Network Options and select the TLS/SSL Settings tab.
3
Select the Connection drop-down option and select the KMIP connection pair.
4
In the User Certificates section, select [ Edit ] next to Certificates.
5
In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select [ Import ].
6
In the Import Certificates window, select [ Add ] at the bottom of the window.
7
In the file browser, select both the root CA certificate and the signed KMIP connection pair certificate and select [ Open ].
The certificates now display in the Verified section of the Import Certificates window.
8
Select [ OK ] to save.
You now see Signed loaded next to Certificates in the User Certificates section of the Network Options window under the KMIP connection pair.
9
Select [ OK ] to finish.

Method 2: Use the KMES Series 3 as the CA

To use the KMES as the CA to create the TLS certificates, perform the following tasks:
  1. Create the CA.
  2. Create a TLS certificate for MySQL Server.
  3. Create and configure the TLS certificate for the KMIP connection pair on the KMES Series 3.
  4. Generate a private key pair and create a Certificate Signing Request (CSR) for MySQL Server.

Create the CA

Perform the following steps to create the CA:
1
Log in to the KMES Series 3 application interface with the default Admin users.
2
Go to PKI > Certificate Authorities and select [ Add CA ].
3
Specify a name for the CA and select [ OK ].
4
Right-click the new certificate container and select Add Certificate > New Certificate.
5
Select Classic in the Preset drop-down list, then set Common Name to Root.
6
On the Basic Info tab, leave all fields set to the default values.
7
On the V3 Extensions tab, set Profile to Certificate Authority and select [ OK ] to save.

Create the TLS certificate

Perform the following tasks to create the TLS certificate for MySQL Server:
  1. Generate a private key and construct a CSR for MySQL Server.
  2. Sign the MySQL Server CSR.

Generate a private key and CSR

Perform the following steps to generate a private key and construct a CSR for MySQL Server:
1
In a terminal, run the following OpenSSL command to generate a private key:
Shell
openssl genpkey -algorithm RSA -out key.pem
2
Run the following OpenSSL command to generate a CSR, specifying MySQL as the Common Name in the Certificate Signing Request (CSR).:
Shell
openssl req -new -key key.pem -out client.csr

Sign the CSR

Perform the following steps to sign the MySQL Server CSR:
1
Go to PKI > Certificate Authorities.
2
Right-click the Root CA certificate and select Add Certificate > From Request.
3
In the file browser, select the MySQL Server CSR.
Certificate information populates in the Create X.509 From CSR window.
4
Leave all settings exactly as they are and select [ OK ] to save.
The signed MySQL Server certificate now displays under the Root CA certificate in the CA tree.

Create and configure the certificate

Perform the following tasks to create and configure the TLS certificate for the KMIP connection pair on the KMES Series 3:
  1. Generate a private key and construct a CSR.
  2. Sign the KMIP connection pair CSR.
  3. Export all certificates in the CA tree.
  4. Configure the KMIP connection pair to use the signed certificate and CA chain.

Generate a private key and a CSR

Perform the following steps to generate a private key and construct a CSR:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
3
Select the Connection drop-down option and select the KMIP connection pair.
4
Enable the KMIP connection pair if it is not already enabled.
5
Uncheck the Use System/Host API SSL Parameters checkbox if it is selected.
6
In the User Certificates section, select [ Edit ] next to PKI Keys.
7
In the Application Public Keys window, select [ Generate ].
8
When prompted that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
9
In the PKI Parameters window, leave all fields set to the default values and select [ OK ].
The Application Public Keys window now shows that a PKI Key Pair is Loaded.
10
Select [ Request ].
11
In the Subject DN tab, select Classic from the Preset drop-down list and specify the hostname or IP address of the KMES in Common Name.
12
On the V3 Extensions tab, set the profile to TLS Server Certificate.
13
On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ]*.
14
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].
15
Select [ OK ] again in the Application Public Keys window to finish.

Sign the CSR

Perform the following steps to sign the KMIP connection pair CSR:
1
Go to PKI > Certificate Authorities.
2
Right-click the Root CA certificate and select Add Certificate > From Request.
3
In the file browser, select the KMIP connection pair CSR.
Certificate information populates in the Create X.509 From CSR window.
4
Leave all settings exactly as they are and select [ OK ] to save.
The signed KMIP connection pair certificate now displays under the Root CA certificate in the CA tree.

Export all certificates

Perform the following steps to export each certificate in the certificate tree:
1
Right-click the certificates in the certificate tree and select Export > Certificate(s).
2
In the Export Certificate window, change the encoding to PEM and specify a save location for the file.

Configure the connection pair

Perform the following steps to configure the KMIP connection pair to use the signed certificate and CA chain:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
3
Select the Connection drop-down option and select the KMIP connection pair.
4
In the User Certificates section, select [ Edit ] next to Certificates.
5
In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select [ Import ].
6
In the Import Certificates window, select [ Add ] at the bottom of the window.
7
In the file browser, select both the root CA certificate and the signed KMIP connection pair certificate, and select [ Open ].
The certificates now display in the Verified section of the Import Certificates window.
8
Select [ OK ] to save.
You now see Signed loaded next to Certificates in the User Certificates section of the Network Options window under the KMIP connection pair.
9
Select [ OK ] to save and finish.