> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure the KMES Series 3

> Step-by-step instructions for configuring KMES Series 3 for Bitwarden integration, including TLS setup.

This section covers the general KMES configurations that enable Bitwarden to integrate with the KMES and describes the necessary steps to configure TLS communication between the KMES and the Bitwarden instance.

## Configure the general KMES Series 3 settings

Perform the following tasks to complete the general KMES Series 3 configuration:

1. Create a role and identity for Bitwarden.
2. Enable Host API commands.

### Create a role and identity

Perform the following steps to create a new role and identity for Bitwarden with the required permissions on the KMES Series 3:

<Note>
  A later section shows you how to configure the name of this identity in the Futurex PKCS #11 configuration file.
</Note>

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Identity Management** > **Roles**, and select **\[ Add ]**.
  </Step>

  <Step>
    In the **Role Editor** window, specify a name for the role and set the number of logins required to `1.`
  </Step>

  <Step>
    Go to the **Advanced** tab and allow authentication to the **Host API** port only. Leave all other fields set to the default values.
  </Step>

  <Step>
    Go to the **Permissions** tab and select the following permissions:

    <table>
      <thead>
        <tr>
          <th><em><strong>Permission</strong></em></th>
          <th><em><strong>Sub-permission</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Certificate Authority</strong></td>
          <td>Add, Delete, Export, Export Private Key, Modify, Upload</td>
        </tr>

        <tr>
          <td><strong>Cryptographic Operations</strong></td>
          <td>Sign, Verify, Encrypt, Decrypt, Wrap, Unwrap</td>
        </tr>

        <tr>
          <td><strong>Keys</strong></td>
          <td>Add, Delete, Export, Modify</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the role.
  </Step>

  <Step>
    Go to **Identity Management**> **Identities**, right-click anywhere in the window, and select **Add**> **Client Application**.
  </Step>

  <Step>
    On the **Info** tab of the **Identity Editor** window, select **Application** for the storage location, and specify a **name** for the identity.
  </Step>

  <Step>
    On the **Assigned Roles** tab, select the role you created.
  </Step>

  <Step>
    On the **Authentication** tab, configure the password for the identity.
  </Step>

  <Step>
    Leave all other fields set to the default values, and select **\[ OK ]** to finish creating the identity.
  </Step>
</Steps>

### Enable the Host API commands

Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must define which Host API commands (required for the Bitwarden operation) to enable for the **FXPKCS11** library. To set the enabled commands, complete the following steps:

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **Administration** > **Configuration** > **Host API Options**, and enable all Host API commands.
  </Step>

  <Step>
    Select **\[ Save ]** to finish.
  </Step>
</Steps>

## Configure TLS communication

Perform the following tasks to configure TLS communications between the KMES Series 3 and Bitwarden:

1. Create a CA.
2. Create a CSR for the connection pair.
3. Sign the CSR.
4. Export the Root CA certificate.
5. Export the signed System/Host API certificate.
6. Load the exported certificates to the connection pair.
7. Issue a client certificate for Bitwarden.
8. Export the Bitwarden certificate as a PKCS #12 file.

### Create a CA

Perform the following steps to create a Certificate Authority (CA):

<Steps>
  <Step>
    Log in to the KMES Series 3 application interface with the default Admin identities.
  </Step>

  <Step>
    Go to **PKI** > **Certificate Authorities**, and select **\[ Add CA ]** at the bottom of the page.
  </Step>

  <Step>
    In the **Certificate Authority** window, enter a name for the certificate container, leave all other fields set to the default values, and select **\[ OK ]**.

    <Check>
      The certificate container now displays in the Certificate Authorities menu.
    </Check>
  </Step>

  <Step>
    Right-click the certificate container and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `System TLS CA Root`.
  </Step>

  <Step>
    On the **Basic Info** tab, leave all fields set to the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **Certificate Authority** profile, then select **\[ OK ]**.

    <Check>
      The root CA certificate now displays under the previously created Certificate Container.
    </Check>
  </Step>
</Steps>

### Generate a CSR

Perform the following steps to generate a CSR for the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration**> **Configuration**> **Network Options**.
  </Step>

  <Step>
    In the **Network Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Under the **System/Host API** connection pair, uncheck the **Use Futurex certificates** checkbox, and select **\[ Edit ]** next to **PKI Keys** in the **User Certificates** section.
  </Step>

  <Step>
    In the **Application Public Keys** window, select **\[ Generate ]**.
  </Step>

  <Step>
    When warned that *SSL will not be functional until new certificates are imported*, select **\[ Yes ]** to continue.
  </Step>

  <Step>
    In the **PKI Parameters** window, leave the fields set to the default values and select **\[ OK ].**

    <Check>
      The PKI Key pair now shows as loaded in the Application Public Keys window.
    </Check>
  </Step>

  <Step>
    Select **\[ Request ]**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `KMES`.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Server Certificate** profile.
  </Step>

  <Step>
    On the **PKCS #10 Info** tab, select a save location for the CSR, and select **\[ OK ]**.
  </Step>

  <Step>
    When notified that *the certificate signing request was successfully written to the file location that was selected*, select **\[ OK ]**.
  </Step>

  <Step>
    Select **\[ OK ]** again to save the **Application Public Keys** settings.

    <Check>
      In the main Network Options window, Loaded now displays next to PKI Keys for the System/Host API connection pair.
    </Check>
  </Step>
</Steps>

### Sign the System/Host API CSR

Perform the following steps to sign the System/Host API CSR:

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the root CA certificate you created, and select **Add Certificate**> **From Request**.
  </Step>

  <Step>
    In the file browser, find and select the CSR that you generated for the System/Host API connection pair.
  </Step>

  <Step>
    After it loads, you don't need to modify any settings for the certificate. Select **\[ OK ]**.

    <Check>
      The signed System/Host API certificate now displays under the root CA certificate on the Certificate Authorities page.
    </Check>
  </Step>
</Steps>

### Export the certificate

Perform the following steps to export the Root CA certificate:

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate, and select **Export**> **Certificate(s)**.
  </Step>

  <Step>
    In the **Export Certificate** window, change the encoding to **PEM**, and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the signed System/Host API certificate. Specify `tls_ca.pem` as the name for the file, and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box notifies you that the PEM file was successfully written to the location that you specified.
    </Check>
  </Step>
</Steps>

### Export the signed System/Host API certificate

Perform the following steps to export the signed System/Host API certificate:

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the **KMES** certificate, and select **Export**> **Certificate(s)**.
  </Step>

  <Step>
    In the **Export Certificate** window, change the encoding to **PEM**, and select **\[ Browse ]**.
  </Step>

  <Step>
    In the file browser, go to the location where you want to save the signed System/Host API certificate. Specify `tls_kmes.pem` as the name for the file, and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]**.

    <Check>
      A message box notifies you that the PEM file was successfully written to the location that you specified.
    </Check>
  </Step>
</Steps>

### Load the exported certificates

Perform the following steps to load the exported certificates into the System/Host API connection pair:

<Steps>
  <Step>
    Go to **Administration**> **Configuration**> **Network Options**.
  </Step>

  <Step>
    In the **Network Options** window, go to the **TLS/SSL Settings** tab.
  </Step>

  <Step>
    Select **\[ Edit ]** next to **Certificates** in the **User Certificates** section.
  </Step>

  <Step>
    Right-click the **System/Host API SSL CA** X.509 certificate container and select **\[ Import ]**.
  </Step>

  <Step>
    Select **\[ Add ]** at the bottom of the **Import Certificates** dialog.
  </Step>

  <Step>
    In the file browser, select both the root CA certificate and the signed System/Host API certificate and select **\[ Open ]**.
  </Step>

  <Step>
    Select **\[ OK ]** to save the changes.

    <Check>
      In the Network Options window, the System/Host API connection pair now shows Signed loaded next to Certificates in the User Certificates section.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to save and exit the **Network Options** dialog.
  </Step>
</Steps>

### Issue a client certificate

Perform the following steps to issue a client certificate for Bitwarden:

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the **System TLS CA Root** certificate and select **Add Certificate**> **New Certificate**.
  </Step>

  <Step>
    On the **Subject DN** tab, set a **Common Name** for the certificate, such as `Bitwarden`.
  </Step>

  <Step>
    Leave all fields on the **Basic Info** tab set to the default values.
  </Step>

  <Step>
    On the **V3 Extensions** tab, select the **TLS Client Certificate** profile, and select **\[ OK ]**.

    <Check>
      The Bitwarden certificate now displays under the System TLS CA Root certificate.

      A later section shows you how to configure this client certificate in the Futurex PKCS #11 configuration file.
    </Check>
  </Step>
</Steps>

### Export the certificate

Perform the following steps to export the Bitwarden certificate as a PKCS #12 file:

<Note>
  To perform the following steps, go to Configuration > Options and enable the Allow export of certificates using passwords option.
</Note>

<Steps>
  <Step>
    Go to **PKI**> **Certificate Authorities**.
  </Step>

  <Step>
    Right-click the **Bitwarden** certificate and select **Export**> **PKCS12**.
  </Step>

  <Step>
    Select the **Export Selected** option, specify a unique name for the export file, and select **\[ Next ]**.
  </Step>

  <Step>
    Enter a file password of your choosing and select **\[ Next ]**.
  </Step>

  <Step>
    Select **\[ Finish ]** to initiate the export.
  </Step>

  <Step>
    Move both the **Bitwarden** certificate and the Root CA certificate exported in a previous section to the computer that runs the Bitwarden instance.

    A later section shows how to configure and use them for TLS communication with the KMES Series 3.
  </Step>
</Steps>
