Skip to main content
Before KMIP connections can occur, the KMIP client and KMES Series 3 must establish a mutual trust relationship by validating their respective digitally signed certificates. The following sections show how to generate and sign certificates for both the KMIP client and the KMIP server connection pair on the KMES Series 3. The KMIP client and the KMES register both certificates and use them each time they establish a TCP/IP session secured by TLS.

Create a CA

Perform the following steps to create a Certificate Authority (CA):
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
3
In the Certificate Authority window, enter a name for the certificate container, leave all other fields as the default values, and select [ OK ].
The certificate container you created displays now in the Certificate Authorities menu.
4
Right-click the certificate container you just created and select Add Certificate > New Certificate.
5
On the Subject DN tab, change the Preset to “Classic”, then set a Common Name for the certificate, such as System TLS CA Root.
6
On the Basic Info tab, leave all of the default values set
7
On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
The root CA certificate now displays under the previously created certificate container.

Generate and sign the KMIP Client Certificate

Choose one of the following optional methods for generating and signing the KMIP client certificate and perform the related steps:
  • Use an external CA (get and import the certificate)
  • Use the KMES Series 3 as the CA

Use an external CA - Step 1: Get the certificate

You can run the OpenSSL commands in this section from the default terminal application for your operating system.
1
Generate a private key.In a terminal, run the following OpenSSL command:
Shell
openssl genrsa -out ssl-client-privatekey.pem 2048
2
Construct a CSR.Run the following OpenSSL command to generate a CSR:
Shell
openssl req -new -key ssl-client-privatekey.pem -out ssl-client-cert-req.pem -days 365
3
Get the CSR signed by an external CA.Take the CSR file to the external CA. After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.

Use an external CA - Step 2: Import the signed KMIP client certificate

Perform the following steps to import the signed KMIP client certificate and chain in a new X.509 certificate container on the KMES Series 3:
1
Go to PKI> Certificate Authorities, and select [ Add CA ].
2
Give the new X.509 certificate container a name, and select [ OK ].
3
Right-click the certificate container you created, and select Import> Certificate(s).
4
On the Import Certificates window, select [ Add ].
5
Select the signed KMIP client certificate and all CA certificates in the certificate chain, and select [ Open ].
All of the certificates display in tree form in the Import Certificates window
6
Select [ OK ] to save.

Use the KMES Series 3 as the CA

Perform the following steps to use the KMES Series 3 as the CA:
1
Right-click the Root CA certificate created previously (in Create a certificate authority on the KMES Series 3) and select Add Certificate > New Certificate.
2
Modify the options on the Subject DNtab as needed.
3
On the V3 Extensionstab, change the profile to TLS Client Certificate. Then select [ OK ].
4
The remaining steps in this section involve exporting the KMIP client certificate as a PKCS #12 file. To do this, you must enable a configuration option. Go to Administration> Configuration> Optionsand select the Allow export of certificates using passwords checkbox. Then, select [ Save ].
5
Now, right-click the KMIP client certificate and select Export> PKCS12.
6
In the Export PKCS12 window, set the password by selecting [ Set Password ]. Enter the desired password and select [ Save ].For export options, select [ Export Selected Certificate with Parents ], set the Cipher Options to AES-256, and select [ Next ].
7
Browse for the folder in which to save the PKCS12 file on your designated storage medium. Enter a file name and then select [ Open ].
8
After you save the PKCS #12 file to the specified location, select [ OK ].
This PKCS #12 file contains the signed KMIP client certificate, associated private key, and root certificate, all encrypted under the password that you set for the file.

Configure TLS certificates for the KMIP server connection pair

This section provides instructions for the following tasks:
  1. Generate a new PKI key pair and CSR for the KMIP connection pair.
  2. Issue a certificate from the KMIP connection pair CSR.
  3. Export the root CA and KMIP certificates as PEM files.
  4. Import the signed KMIP connection pair certificate.

Generate a key pair and CSR

Perform the following steps to generate a new PKI key pair and CSR for the KMIP connection pair:
1
Go to Administration > Configuration > Network Options and go to the TLS/SSL Settingstab.
2
Select the Connection drop-down option and select the KMIP connection pair. If it is not already enabled, enable it.
3
Uncheck Use System/Host API SSL Parameters if it is selected.
4
In the User Certificates section, uncheck Use Futurex certificates if it is selected, and select **[ Edit ]**next to PKI keys.
5
In the Application Public Keys window, select [ Generate ].
6
In the PKI Parameters window, leave all fields set to the defaults and select [ OK ]*.
The Application Public Keys window now shows that a PKI Key Pair is Loaded.
7
Select [ Request ].
8
On the Subject DN tab of the Create PKCS #10 Requestwindow, change the Common Name value to the IP address of the KMES.
9
On the V3 Extensions tab, set the profile to TLS Server Certificate.
10
On the PKCS #10 Infotab, specify a save location and name for the CSR file, and select [ OK ].
11
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ]*.
12
Select [ OK ] in the Application Public Keys window, and select [ OK ] in the main Network Options window.

Issue a certificate

Perform the following steps to issue a certificate from the KMIP connection pair CSR:
1
Go to PKI > Certificate Authorities.
2
Right-click the System TLS Root CA certificate and select Add Certificate > From Request.
3
In the file browser, select the KMIP connection pair CSR.
Certificate information should populate in the Create X.509 From CSR window.
4
Leave all settings exactly as they are and select **[ OK ]**to save.
The signed KMIP server certificate now displays under the System TLS CA Root certificate

Export the certificates

Perform the following steps to export the root CA certificate and the signed KMIP connection pair certificates as PEM files:
1
Right-click the certificate and select Export > Certificate(s).
2
In the Export Certificate window for each, change the encoding to PEM, and specify a save location for the file.
3
You must copy the root CA certificate to the machine that is running the KMIP application.

Import the connection pair certificate

Perform the following steps to import the signed KMIP connection pair certificate:
1
Go to Administration > Configuration > Network Options and select the TLS/SSL Settingstab.
2
Select the Connection drop-down option and select the KMIP connection pair.
3
Select [ Edit ] next to Certificates in the User Certificate section.
4
In the Certificate Authority window, right-click the **KMIP SSL CA **X.509 certificate container, and select [ Import ].
5
Select [ Add ] at the bottom of the Import Certificates window.
6
In the file browser, select both the root CA certificate and the signed KMIP server certificate and select [ Open ].
The certificates should now display in the Verified section of the Import Certificates window.
7
Select** [ OK ]** to save.
It now shows Signed loaded next to Certificates in the User Certificates section for the KMIP connection pair.
8
Select [ OK ] to save.