Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

Before SCEP connections can occur, the SCEP client and KMES Series 3 must establish a mutual trust relationship by validating their respective digitally signed certificates. This section describes how to perform the following tasks:
  1. Create a CA on the KMES Series 3.
  2. Generate and sign the SCEP client certificate.
  3. Configure a TLS certificate for the SCEP Server connection pair.

Create a CA

Perform the following steps to create a Certificate Authority on the KMES Series 3:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to PKI> Certificate Authorities, and select [ Add CA ].
3
Specify a name for the CA, and select [ OK ].
4
Right-click the newly created CA and select Add Certificate> New Certificate.
5
On the Subject DN tab, change the Preset to Classic, and set the common name value to Root.
6
On the Basic Info tab, leave all settings set to the default values.
7
On the V3 Extensions tab, set the Profile to Certificate Authority, and select [ OK ] to save.

Generate and sign the SCEP client certificate

Choose one of the following optional methods for generating and signing the SCEP client certificate and perform the related steps:
  • Use an external CA to get and import the certificate
  • Use the KMES Series 3 as the CA

Use an external CA - Step 1: Get the certificate

You can run the OpenSSL commands in this section from the default terminal application for your operating system.
1
Generate a private keyIn a terminal, run the following OpenSSL command:
Shell
openssl genrsa -out ssl-client-privatekey.pem 2048
2
Construct a Certificate Signing Request (CSR)Run the following OpenSSL command to generate a CSR:
Shell
openssl req -new -key ssl-client-privatekey.pem -out ssl-client-cert-req.pem -days 365
3
Get the CSR signed by an external CA.Take the CSR file to the external CA. After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.

Use an external CA - Step 2: Import the signed SCEP client certificate

Perform the following steps to import the signed SCEP client certificate and chain in a new X.509 certificate container on the KMES Series 3:
1
Go to PKI> Certificate Authorities, and select [ Add CA ].
2
Give the new X.509 certificate container a name, and select [ OK ].
3
Right-click the certificate container you created, and select Import> Certificate(s).
4
In the Import Certificates window, select [ Add ].
5
Select the signed SCEP client certificate and all CA certificates in the certificate chain, and select [ Open ].
All of the certificates display in tree form in the Import Certificates window
6
Select [ OK ] to save.

Use the KMES Series 3 as the CA

1
Right-click the Root CA certificate created previously (in Create a certificate authority on the KMES Series 3) and select Add Certificate > New Certificate.
2
Modify the options on the Subject DN tab as needed.
3
On the V3 Extensions tab, change the profile to TLS Client Certificate. Then select [ OK ].
4
The remaining steps in this section involve exporting the SCEP client certificate as a PKCS #12 file. To do this, you must enable a configuration option. Go to Administration> Configuration> Options and select the Allow export of certificates using passwords checkbox. Then, select [ Save ].
5
Now, right-click the SCEP client certificate and select Export> PKCS12.
6
In the Export PKCS12 window, set the password by selecting [ Set Password ]. Enter the desired password and select [ Save ].For export options, select [ Export Selected Certificate with Parents ], set the Cipher Options to AES-256, and select [ Next ].
7
Browse for the folder in which to save the PKCS12 file on your designated storage medium. Enter a file name and then select [ Open ].
8
After the PKCS #12 file is saved to the specified location, select [ OK ]. This PKCS #12 file contains the signed SCEP client certificate, associated private key, and root certificate, all encrypted under the password that was set for the file.

Configure a TLS certificate for the SCEP Server connection pair

Perform the following tasks to configure a TLS certificate for the SCEP Server connection pair:
  1. Generate a new PKI key pair and CSR for the SCEP connection pair.
  2. Sign the SCEP connection pair CSR.
  3. Export all of the certificates in the certificate tree.
  4. Import the signed SCEP connection pair certificate.

Generate a key pair and CSR

Perform the following steps to generate a new PKI key pair and CSR for the SCEP connection pair:
1
Go to Administration> Configuration> Network Options. On the TLS/SSL tab, select the Connection drop-down option and select the SCEP connection pair.
2
Enable the SCEP connection pair if it is not already enabled.
3
Uncheck Use System/Host API SSL Parameters if it is selected.
4
In the User Certificates section, select [ Edit ] next to PKI keys.
5
Select [ Generate ] to create a new PKI Key Pair.
6
Select [ Yes ] and bypass the warning about SSL not being functional until new certificates are imported.
7
In the PKI Parameters window, set the PMK as the Encrypting Key, and change the Key Size to 2048. Select [ OK ].
The Application Public Keys window now shows that the PKI Key Pair is Loaded.
8
Select [ Request ].
9
On the Subject DN tab, leave all fields set to the default values.
10
On the V3 Extensions tab, set the profile to TLS Server Certificate.
11
On the PKCS #10 tab, specify a save location and name for the CSR file.
12
Select [ OK ].
13
When a message box saying that the certificate signing request was successfully written to the specified location opens, select [ OK ] to close the message box.
14
Select [ OK ] in the Application Public Keys window, then select [ OK ] in the main Network Options window.

Sign the CSR

Perform the following steps to sign the SCEP connection pair CSR:
1
Go to PKI> Certificate Authorities. Right-click the Root CA certificate and select Add Certificate > From Request.
2
In the file browser, select the SCEP connection pair CSR.
Certificate information for the SCEP server certificate should automatically populate in the window.
3
Leave all settings exactly as they are and select **[ OK ]***to save.
The signed SCEP server certificate displays under the Root CA certificate in the CA tree now.

Export all of the certificates

For each of the certificates in the certificate tree, perform the following steps:
1
Right-click the certificate and select Export> Certificate(s).
2
In the Export Certificates dialog for the certificate, change the encoding to PEM, and specify a save location for the file.

Import the signed certificate

Perform the following steps to import the signed SCEP connection pair certificate:
1
Go to Administration> Configuration> Network Options. On the TLS/SSL tab, select the Connection drop-down menu and select the SCEP connection pair.
2
In the User Certificates section, select [ Edit ] next to Certificates.
3
In the Certificate Authority dialog, right-click the SCEP SSL CA X.509 certificate container, and select [ Import ].
4
In the Import Certificates dialog, select [ Add ] at the bottom of the window. In the file browser, select both the root CA certificate and the signed SCEP server certificate and select [ Open ].
The certificates should now be listed in the Verified section of the Import Certificates dialog.
5
Select [ OK ] to save.
You should now see Signed loaded next to Certificates in the User Certificates section of the Network Options dialog.
6
Select [ OK ] to save.