> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure KMES Series 3

> Procedural guide to configure mutual certificate trust between SCEP client and KMES Series 3.

Before SCEP connections can occur, the SCEP client and KMES Series 3 must establish a mutual trust relationship by validating their respective digitally signed certificates.

This section describes how to perform the following tasks:

1. Create a CA on the KMES Series 3.
2. Generate and sign the SCEP client certificate.
3. Configure a TLS certificate for the SCEP Server connection pair.

## Create a CA

Perform the following steps to create a Certificate Authority on the KMES Series 3:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **PKI**> **Certificate Authorities**, and select **\[ Add CA ].**
  </Step>

  <Step>
    Specify a name for the CA, and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the newly created CA and select **Add Certificate**> **New Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, change the **Preset** to **Classic**, and set the common name value to `Root`.
  </Step>

  <Step>
    On the **Basic Info** tab, leave all settings set to the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, set the **Profile** to **Certificate Authority**, and select **\[ OK ]** to save.
  </Step>
</Steps>

## Generate and sign the SCEP client certificate

Choose one of the following optional methods for generating and signing the SCEP client certificate and perform the related steps:

* Use an external CA to get and import the certificate
* Use the KMES Series 3 as the CA

### Use an external CA - Step 1: Get the certificate

You can run the OpenSSL commands in this section from the default terminal application for your operating system.

<Steps>
  <Step>
    Generate a private key

    In a terminal, run the following OpenSSL command:

    ```shell expandable lines wrap title="Shell" theme={null}
    openssl genrsa -out ssl-client-privatekey.pem 2048
    ```
  </Step>

  <Step>
    Construct a Certificate Signing Request (CSR)

    Run the following OpenSSL command to generate a CSR:

    ```shell expandable lines wrap title="Shell" theme={null}
    openssl req -new -key ssl-client-privatekey.pem -out ssl-client-cert-req.pem -days 365
    ```
  </Step>

  <Step>
    Get the CSR signed by an external CA.

    Take the CSR file to the external CA. After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.
  </Step>
</Steps>

### Use an  external CA - Step 2: Import the signed SCEP client certificate

Perform the following steps to import the signed SCEP client certificate and chain in a new X.509 certificate container on the KMES Series 3:

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**, and select **\[ Add CA ]**.
  </Step>

  <Step>
    Give the new X.509 certificate container a name, and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the certificate container you created, and select **Import**> **Certificate(s)**.
  </Step>

  <Step>
    In the **Import Certificates** window, select **\[ Add ]**.
  </Step>

  <Step>
    Select the signed SCEP client certificate and all CA certificates in the certificate chain, and select **\[ Open ]**.

    <Check>
      All of the certificates display in tree form in the Import Certificates window
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save.
  </Step>
</Steps>

### Use the KMES Series 3 as the CA

<Steps>
  <Step>
    Right-click the Root CA certificate created previously (in **Create a certificate authority on the** KMES Series 3) and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    Modify the options on the **Subject DN** tab as needed.
  </Step>

  <Step>
    On the **V3 Extensions** tab, change the profile to **TLS Client Certificate**. Then select **\[ OK ]**.
  </Step>

  <Step>
    The remaining steps in this section involve exporting the SCEP client certificate as a PKCS #12 file. To do this, you must enable a configuration option. Go to **Administration**> **Configuration**> **Options** and select the **Allow export of certificates using passwords** checkbox. Then, select **\[ Save ]**.
  </Step>

  <Step>
    Now, right-click the SCEP client certificate and select **Export**> **PKCS12.**
  </Step>

  <Step>
    In the **Export PKCS12** window, set the password by selecting **\[ Set Password ]**. Enter the desired password and select **\[ Save ].**

    For export options, select **\[ Export Selected Certificate with Parents ],** set the **Cipher Options** to **AES-256**, and select **\[ Next ].**
  </Step>

  <Step>
    Browse for the folder in which to save the PKCS12 file on your designated storage medium. Enter a file name and then select **\[ Open ]**.
  </Step>

  <Step>
    After the PKCS #12 file is saved to the specified location, select **\[ OK ]**. This PKCS #12 file contains the signed SCEP client certificate, associated private key, and root certificate, all encrypted under the password that was set for the file.
  </Step>
</Steps>

## Configure a TLS certificate for the SCEP Server connection pair

Perform the following tasks to configure a TLS certificate for the SCEP Server connection pair:

1. Generate a new PKI key pair and CSR for the SCEP connection pair.
2. Sign the SCEP connection pair CSR.
3. Export all of the certificates in the certificate tree.
4. Import the signed SCEP connection pair certificate.

### Generate a key pair and CSR

Perform the following steps to generate a new PKI key pair and CSR for the SCEP connection pair:

<Steps>
  <Step>
    Go to **Administration**> **Configuration**> **Network Options**. On the **TLS/SSL** tab, select the **Connection** drop-down option and select the **SCEP** connection pair.
  </Step>

  <Step>
    Enable the SCEP connection pair if it is not already enabled.
  </Step>

  <Step>
    Uncheck **Use System/Host API SSL Parameters** if it is selected.
  </Step>

  <Step>
    In the **User Certificates** section, select **\[ Edit ]** next to **PKI keys**.
  </Step>

  <Step>
    Select **\[ Generate ]** to create a new PKI Key Pair.
  </Step>

  <Step>
    Select **\[ Yes ]** and bypass the warning about SSL not being functional until new certificates are imported.
  </Step>

  <Step>
    In the **PKI Parameters** window, set the **PMK** as the Encrypting Key, and change the Key Size to **2048**. Select **\[ OK ]**.

    <Check>
      The Application Public Keys window now shows that the PKI Key Pair is Loaded.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    On the **Subject DN** tab, leave all fields set to the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, set the profile to **TLS Server Certificate**.
  </Step>

  <Step>
    On the **PKCS #10** tab, specify a save location and name for the CSR file.
  </Step>

  <Step>
    Select **\[ OK ]**.
  </Step>

  <Step>
    When a message box saying that *the certificate signing request was successfully written to the specified location opens*, select **\[ OK ]** to close the message box.
  </Step>

  <Step>
    Select **\[ OK ]** in the **Application Public Keys** window, then select **\[ OK ]** in the main **Network Options** window.
  </Step>
</Steps>

### Sign the CSR

Perform the following steps to sign the SCEP connection pair CSR:

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**. Right-click the Root CA certificate and select **Add Certificate** > **From Request**.
  </Step>

  <Step>
    In the file browser, select the SCEP connection pair CSR.

    <Check>
      Certificate information for the SCEP server certificate should automatically populate in the window.
    </Check>
  </Step>

  <Step>
    Leave all settings exactly as they are and select \*\*\[ OK ]\*\*\*to save.

    <Check>
      The signed SCEP server certificate displays under the Root CA certificate in the CA tree now.
    </Check>
  </Step>
</Steps>

### Export all of the certificates

For each of the certificates in the certificate tree, perform the following steps:

<Steps>
  <Step>
    Right-click the certificate and select **Export**> **Certificate(s)**.
  </Step>

  <Step>
    In the **Export Certificates** dialog for the certificate, change the encoding to **PEM**, and specify a save location for the file.
  </Step>
</Steps>

### Import the signed certificate

Perform the following steps to import the signed SCEP connection pair certificate:

<Steps>
  <Step>
    Go to **Administration**> **Configuration**> **Network Options**. On the **TLS/SSL** tab, select the **Connection** drop-down menu and select the **SCEP** connection pair.
  </Step>

  <Step>
    In the **User Certificates** section, select **\[ Edit ]** next to **Certificates**.
  </Step>

  <Step>
    In the **Certificate Authority** dialog, right-click the **SCEP SSL CA** X.509 certificate container, and select **\[ Import ]**.
  </Step>

  <Step>
    In the **Import Certificates** dialog, select **\[ Add ]** at the bottom of the window. In the file browser, select both the root CA certificate and the signed SCEP server certificate and select **\[ Open ]**.

    <Check>
      The certificates should now be listed in the Verified section of the Import Certificates dialog.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save.

    <Check>
      You should now see Signed loaded next to Certificates in the User Certificates section of the Network Options dialog.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save.
  </Step>
</Steps>
