> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure KMES Series 3

> Step-by-step configuration of KMES Series 3 for TLS and general integration with Microsoft Intune.

This section starts by covering the steps required to configure TLS communication between the KMES Series 3 and the FXCL CNG module, where Microsoft ADCS is running. Then, it covers general configurations that you must make on the KMES Series 3 to enable Microsoft ADCS to integrate with the KMES to manage certificate authorities in a scalable manner and enable secure storage, encryption, and signing by using FXCL CNG.

## Configure TLS communication

Perform the following tasks to configure the KMES Series 3 for communication with the **FXCL CNG** module:

1. Add a PKI identity provider.
2. Create an AD CS role with the required permissions.
3. Create an AD CS identity with the correct assigned roles.
4. Enable Host API commands.

The following sections show you how to complete these tasks.

### Create a CA

Perform the following steps to create a Certificate Authority (CA):

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **PKI** > **Certificate** **Authorities** and select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate** **Authority** window, enter a name for the **Certificate Container**, leave all other fields set to the default values, and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the certificate container you just created and select **Add** **Certificate** > **New** **Certificate**.
  </Step>

  <Step>
    On the **Subject** **DN** tab, select the **Classic** preset and set a **Common** **Name** for the certificate, such as `TLS CA Root`.
  </Step>

  <Step>
    On the **Basic** **Info** tab, leave all fields set to the default values.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the **Certificate** **Authority** profile and select **\[ OK ]**.

    <Check>
      The certificate container and the root CA certificate now display in the Certificate Authorities window.
    </Check>
  </Step>
</Steps>

### Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, uncheck the **Use** **Futurex** **Certificates** checkbox and select **\[ Edit ]** next to **PKI keys** in the **User Certificates** section.
  </Step>

  <Step>
    In the **Application** **Public** **Keys** window, select **\[ Generate ]**.
  </Step>

  <Step>
    When warned that *SSL will not be functional until new certificates are imported*, select **\[ Yes ]** to continue.
  </Step>

  <Step>
    In the **PKI** **Parameters** window, leave all fields set to the default values and select **\[ OK ]**\*.

    <Check>
      You should see that a PKI Key Pair is loaded in the Application Public Keys window
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    On the **Subject** **DN** tab, set a **Common Name** for the certificate, such as `KMES`.
  </Step>

  <Step>
    On the **V3** **Extensions** tab, select the **TLS Server Certificate** profile.
  </Step>

  <Step>
    On the **PKCS #10** Info tab, select a save location for the CSR and select **\[ OK ]**.
  </Step>

  <Step>
    When prompted that *the certificate signing request was successfully written to the file location that was selected*, select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** again to save the **Application** **Public** **Keys** settings.

    <Check>
      The main Network Options window now says Loaded next to PKI keys for the System/Host API connection pair.
    </Check>
  </Step>
</Steps>

### Sign the CSR

Perform the following steps to sign the System/Host API CSR:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the System TLS CA Root certificate you created, then select **Add** **Certificate** > **From** **Request**.
  </Step>

  <Step>
    In the file browser, find and select the CSR that was generated for the System/Host API connection pair.
  </Step>

  <Step>
    After it loads, you don't need to modify any settings for the certificate. Select **\[ OK ]**.

    <Check>
      The signed System/Host API TLS certificate now shows under the TLS root CA certificate on the Certificate Authorities page.
    </Check>
  </Step>
</Steps>

### Export the certificate

Perform the following steps to export the Root CA certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the System TLS CA Root certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export** **Certificates** window, change the encoding to PEM and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the root CA certificate. Specify a name for the file, and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box says that the PEM file was successfully written to the location that you specified.
    </Check>

    <Note>
      You must move the Root CA certificate to the computer where the Microsoft ADCS instance is running. A later section shows you how to configure and use it for TLS communication with the KMES Series 3.
    </Note>
  </Step>
</Steps>

### Export the certificate

Perform the following steps to export the signed System/Host API TLS certificate:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the KMES certificate and select **Export** > **Certificate(s)**.
  </Step>

  <Step>
    In the **Export** **Certificate** window, change the encoding to **PEM** and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the signed System/Host API TLS certificate. Specify a name for the file and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box states that the PEM file was successfully written to the location that you specified.
    </Check>
  </Step>
</Steps>

### Load the certificates

Perform the following steps to load the exported TLS certificates into the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Network** **Options**.
  </Step>

  <Step>
    In the **Network** **Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, select **\[ Edit ]** next to **Certificates** in the **User** **Certificates** section.
  </Step>

  <Step>
    Right-click the **System/Host API SSL CA** X.509 certificate container and select **\[ Import ]**.
  </Step>

  <Step>
    Select **\[ Add ]** at the bottom of the **Import** **Certificates** window.
  </Step>

  <Step>
    In the file browser, select both the root CA certificate and the signed System/Host API certificate, and select **\[ Open ]**.

    <Check>
      The certificate chain appears in the Verified section.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save the changes.

    <Check>
      In the Network Options window, the System/Host API connection pair now shows Signed Loaded next to Certificates in the User Certificates section
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and exit the **Network Options** window.
  </Step>
</Steps>

### Issue a client certificate

Perform the following steps to issue a client certificate for Microsoft AD CS:

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Add** **Certificate** > **New Certificate**
  </Step>

  <Step>
    On the **Subject** **DN** tab, set `ADCS` as the **Common Name** for the certificate.

    <Note>
      The Common Name of the certificate must match the name of the identity to be created later in this guide.
    </Note>
  </Step>

  <Step>
    All settings on the **Basic** **info** tab should be left as the default values
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Client Certificate** profile and select **\[ OK ]**.

    <Check>
      The AD CS certificate now displays under the System TLS CA Root certificate.
    </Check>
  </Step>
</Steps>

### Export the signed Microsoft AD CS certificate as a PKCS #12 file

Perform the following steps to export the signed Microsoft AD CS certificate as a PKCS #12 file:

<Note>
  To complete the following steps, you must go to Administration > Configuration > Options and enable the Allow export of certificates using passwords option.
</Note>

<Steps>
  <Step>
    Go to **PKI** > **Certificate** **Authorities**.
  </Step>

  <Step>
    Right-click the AD CS certificate and select **Export** > **PKCS#12**.
  </Step>

  <Step>
    Select **\[ Set Password ],** enter a password for the PKCS #12 file, and select **\[ Save ].**
  </Step>

  <Step>
    In the **Export** **Options** section, select **Export** **Selected** **Certificate**, and select **\[ Next ]**.
  </Step>

  <Step>
    Specify a name for the PKCS #12 export file and select **\[ Open ]**.

    <Check>
      A message window states that the PKCS #12 certificate export was successful.
    </Check>

    <Note>
      You must move this PKCS #12 file to the computer where you installed AD CS. A later section shows you how to configure it in the Futurex CNG configuration file and use it for TLS communication with the KMES Series 3.
    </Note>
  </Step>
</Steps>

## Configure general KMES settings

Perform the following tasks to configure the KMES Series 3 for communication with Microsoft AD CS:

1. Add a PKI identity provider.
2. Create an AD CS role with the required permissions.
3. Create an AD CS identity with the correct assigned roles.
4. Enable Host API commands.

The following sections show you how to complete these tasks.

### Add a PKI identity provider

This section shows you how to create a new PKI Identity Provider (IdP), assign it a TLS authentication mechanism, and add it to an identity as a credential. This allows **FXCL CNG** to authenticate with the KMES by using the signed Microsoft AD CS certificate that you exported.

<Steps>
  <Step>
    Go to **Identity** **Management** > **Identity** **Providers**.
  </Step>

  <Step>
    Right-click anywhere in the window and select **Add** > **Provider** > **PKI**.
  </Step>

  <Step>
    On the **Info** tab of the **Identity** **Provider** **Editor** window, specify a name for the IdP and uncheck the **Enforce** **Dual** **Factor** checkbox.
  </Step>

  <Step>
    On the **PKI** **Options** tab, select **\[ Select ]**. In the **Certificate** **Selector** window, expand the certificate tree you created, select the CA certificate that signed the ADCS and System/Host API connection pair certificates, and select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the PKI IdP.
  </Step>

  <Step>
    Right-click the IdP that you created and select **Add** > **Mechanism** > **TLS**.
  </Step>

  <Step>
    On the **PKI** tab, leave all fields set to the default values.
  </Step>

  <Step>
    Select **\[ OK ]** to save.
  </Step>
</Steps>

### Create a role

Perform the following steps to create a role for Microsoft AD CS and grant it permission to use the PKI IdP:

<Steps>
  <Step>
    Go to **Identity** **Management** > **Roles** and select **\[ Add ]** at the bottom of the page.
  </Step>

  <Step>
    On the **Info** tab of the **Role** **Editor** window, leave the **Role Type** set to **Application**, specify a **Name** for the role, such as `Microsoft AD CS`, and change the number of **Logins** **Required** to `1`. Leave all other fields set to the default values.
  </Step>

  <Step>
    On the **Permissions** tab, select the following permissions:

    <table>
      <thead>
        <tr>
          <th><em><strong>Permission</strong></em></th>
          <th><em><strong>Sub-permissions</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Certificate</strong> <strong>Authority</strong></td>
          <td>Add, Export, Upload</td>
        </tr>

        <tr>
          <td><strong>Cryptographic</strong> <strong>Operations</strong></td>
          <td>Sign</td>
        </tr>

        <tr>
          <td><strong>Keys</strong> </td>
          <td>Add, Export</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    On the **Advanced** tab, set **Allowed** **Ports** to **Host API** only. Leave the other fields set to the default values and select **\[ OK ]** to finish creating the role.
  </Step>

  <Step>
    Go to **Identity Management** > **Identity Providers**, right-click the PKI IdP, and select **\[ Permission ]**.
  </Step>

  <Step>
    In the **Set Object-Group Permissions** window, select the **Show all roles and permissions** checkbox, select the drop-down menu next to the **Microsoft AD CS** role, and select the **Use** permission.
  </Step>

  <Step>
    Select **\[ OK ]** to save.
  </Step>
</Steps>

### Create a new identity

Perform the following steps to create a new identity and assign it the Microsoft AD CS role and PKI authentication credentials:

<Steps>
  <Step>
    Go to **Identity** **Management** > **Identities**.
  </Step>

  <Step>
    Right-click anywhere in the window and select **Add** > **Client** **Application**.
  </Step>

  <Step>
    On the **Info** tab of the **Identity** **Editor** window, leave the **Storage Type** set to **Application**, and specify a **Name** for the identity. Leave all other fields set to the default values.

    <Warning>
      The name you specify must match the Common Name that you chose for the ADCS certificate in the Issue a client certificate for Microsoft AD CS section.
    </Warning>
  </Step>

  <Step>
    On the **Assigned** **Roles** tab, select the **Microsoft AD CS** role.
  </Step>

  <Step>
    Perform the following steps on the **Authentication** tab:

    1. Select **\[ Add ]** to add a new credential.
    2. In the **Configure** **Credential** window, select **TLS** **Certificate** in the **Type** drop-down list.
    3. Select the **Provider** and **Mechanism** that you created for this integration.
    4. Select **\[ OK ]** to finish creating a credential.
  </Step>

  <Step>
    Remove the default **API** **Key** mechanism, leaving only the **TLS** **Certificate** credential, and select **\[ OK ]** to save.
  </Step>
</Steps>

### Enable the Host API commands

Because **FXCL CNG** connects to the Host API port on the KMES, you must define which Host API commands to enable **FXCL CNG** to execute. To set the enabled commands for the Microsoft AD CS operation, complete the following steps:

<Steps>
  <Step>
    Go to **Administration** > **Configuration** > **Host API Options** and enable the following commands:

    <table>
      <thead>
        <tr>
          <th><em><strong>Command</strong></em></th>
          <th><em><strong>Description/Subcommands (If applicable)</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>CLKY</strong></td>
          <td>Manipulate the application key and enable all subcommands.</td>
        </tr>

        <tr>
          <td><strong>ECHO</strong></td>
          <td>Communication Test/Retrieve Version</td>
        </tr>

        <tr>
          <td><strong>RKGP</strong></td>
          <td>Export PKI keypair</td>
        </tr>

        <tr>
          <td><strong>RKGS</strong></td>
          <td>Generate Signature</td>
        </tr>

        <tr>
          <td><strong>RKLN</strong></td>
          <td>Lookup Objects</td>
        </tr>

        <tr>
          <td><strong>RKPK</strong></td>
          <td>Pop Generated Key</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ Save ]** to finish.
  </Step>
</Steps>
