Skip to main content
Before secure connections between HashiCorp Vault and the KMES Series 3 can occur, both parties must establish a mutual trust relationship by validating their respective digitally signed certificates. This section describes how to create X.509 certificates for HashiCorp Vault and the Vault Client connection pair on the KMES Series 3, necessary for TLS communication. You can use the following optional methods to create the HashiCorp Vault and Vault Client connection pair TLS certificates:
  • Use an external CA
  • Use the KMES Series 3 as the CA

Use an External CA

To use an external CA, you must complete the following tasks:
  1. Create a TLS certificate for Vault.
  2. Import the certificate and chain to the KMES Series 3.
  3. Create a TLS certificate for the Vault connection pair on the KMES Series 3.
The following sections show you how to perform these tasks:

Create a TLS certificate

Perform the following steps to create a TLS certificate for HashiCorp Vault:
The HashiCorp Vault client certificate must use the V3 extension TLS Server Authentication.
1
Generate a private key by running the following OpenSSL command in a terminal:
Shell
openssl genrsa -out client-privatekey.pem 2048
2
Generate a Certificate Signing Request (CSR) by running the following OpenSSL command:
Shell
openssl req -new -key client-privatekey.pem -out client-cert-req.pem -days 365
Specify the IP address or hostname of the HashiCorp Vault server as the Common Name in the CSR.
3
Get an External CA to sign the CSR by sending the CSR file to the external CA.
4
After the CSR is signed, download the signed certificate and the chain of CA certificates used to sign it.

Import the signed certificate and chain

Perform the following steps to import the signed HashiCorp Vault certificate and chain into a new X.509 certificate container on the KMES Series 3:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to PKI> Certificate Authorities and select [ Add CA ].
3
Specify a name for the X.509 certificate container and select [ OK ].
4
Right-click the new certificate container and select Import> Certificate(s).
5
In the Import Certificates window, select [ Add ].
6
Select the signed HashiCorp Vault certificate and all CA certificates in the certificate chain, and select [ Open ].
All certificates should display in a tree form in the Verified section of the Import Certificates window.
7
Select [ OK ] to save.

Create a TLS certificate

To create the TLS certificate for the Vault client connection pair on KMES Series 3, complete the following tasks:
  1. Generate a private key and CSR for the connection pair.
  2. Get the external CA to sign the CSR.
  3. Configure the connection pair to use the signed CSR.
The following sections show you how to perform these tasks:

Generate a private key and CSR

Perform the following steps to generate a private key and construct a CSR for the Vault client connection pair:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Administration> Configuration> Network Options. On the TLS/SSL Settings tab, select the Vault Client connection pair from the Connection drop-down menu.
3
Enable the Vault client connection pair if it is not already enabled.
4
Uncheck Use System/Host API SSL Parameters if it is selected.
5
In the User Certificates section, select [ Edit ] next to PKI Keys.
6
In the Application Public Keys window, select [ Generate ].
7
When warned that SSL will not be functional until new certificates are installed, select [ Yes ] to continue.
8
In the PKI Parameters window, leave all fields set to the default values and select [ OK ].
It now displays Loaded in the Application Public Keys window.
9
In the Application Public Keys window, select [ Request ].
10
On the Subject DN tab, change the Preset drop-down option to Classic and specify the IP address or Hostname of the KMES in the Common Name field.
11
On the V3 Extensions tab, set the profile to TLS Client Certificate.
12
On the PKCS #10 information tab, specify a save location and name for the CSR file, and select [ OK ].
13
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ]*.
14
Select [ OK ] again to save the Application Public Keys settings.

Get an external CA to sign the CSR

Take the CSR file to the external CA. After the CSR is signed, download the signed certificate and the chain of CA certificates used to sign it.

Configure the connection pair

Perform the following steps to configure the Vault client connection pair to use the signed certificate and CA chain:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Administration> Configuration> Network Options. On the TLS/SSL settings tab, select Vault Client from the Connection drop-down menu.
3
In the User Certificates section, select [ Edit ] next to Certificates.
4
In the Certificate Authority window, right-click on the Vault Client SSL CA X.509 certificate container, and select [ Import ].
5
In the Import Certificates window, select [ Add ].
6
In the file browser, select both the root CA certificate and the signed Vault Client connection pair certificate, and select [ Open ].
The certificates should now display in the Verified section of the Import Certificates window.
7
Select [ OK ].
It now says Signed Loaded next to Certificates in the User Certificates section.
8
Select [ OK ] to save.

Use the KMES Series 3 as the CA

To use the KMES as the CA, you must complete the following tasks:
  1. Create the CA.
  2. Create a TLS certificate for the Vault.
  3. Create and configure the TLS certificate for the Vault client connection pair.
The following sections show you how to perform these tasks:

Create the CA

1
Log in to the KMES Series 3 application interface with the default Admin users.
2
Go to PKI> Certificate Authorities and select [ Add CA ].
3
Specify a name for the CA and select [ OK ].
The new certificate container now displays in the Certificate Authorities window.
4
Right-click the new certificate container and select Add Certificate> New Certificate.
5
Change the Preset drop-down option to Classic and set the Common Name value to Root.
6
On the Basic Info tab, leave all fields set to the default values.
7
On the V3 Extensions tab, set the Profile to Certificate Authority and select [ OK ].
The Root certificate now displays under the certificate container you created.

Create the TLS certificate for HashiCorp Vault

To create the TLS certificate, you must perform the following steps:
  1. Generate a private key and CSR.
  2. Sign the CSR.
The following sections show you how to perform these tasks:

Generate a private key and CSR

Perform the following steps to generate a private key and construct a CSR for HashiCorp Vault:
1
In a terminal, run the following OpenSSL command to generate a private key.
Shell
openssl genrsa -out client-privatekey.pem 2048
2
In a terminal, run the following OpenSSL command to generate a CSR, specifying the IP address or hostname of the HashiCorp Vault server as the Common Name:
Shell
openssl req -new -key client-privatekey.pem -out client-cert-req.pem -days 365

Sign the CSR

Perform the following steps to sign the HashiCorp Vault CSR:
1
Go to PKI> Certificate Authorities.
2
Right-click the Root CA certificate you created and select Add Certificate> From Request.
3
In the file browser, select the HashCorp Vault CSR.
Certificate information populates in the Create X.509 From CSR window.
4
On the V3 Extensions tab, set the profile to TLS Server Certificate and select [ OK ]* to save.
The signed HashiCorp Vault certificate displays now under the Root CA certificate in the CA tree.

Create and configure the TLS certificate

To create and configure the TLS certificate for the Vault client connection pair on the KMES Series 3, complete the following tasks:
  1. Generate a private key and construct a CSR.
  2. Sign the CSR.
  3. Export the certificates in the CA tree and add them to the Vault client connection pair.
The following sections show you how to perform these tasks:

Generate a private key and CSR

Perform the following steps to generate a private key and construct a CSR for the Vault Client connection pair:
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Administration> Configuration> Network Options. On the TLS/SSL Settings tab, select the Vault Client connection pair from the Connection drop-down menu.
3
Enable the Vault Client connection pair if it is not already enabled.
4
Uncheck Use System/Host API SSL Parameters if it is selected.
5
In the User Certificates section, select [ Edit ] next to PKI Keys.
6
In the Application Public Keys window, select [ Generate ].
7
When warned that SSL will not be functional until new certificates are installed, select [ Yes ] to continue.
8
In the PKI Parameters window, leave all fields set to the default values and select [ OK ].
It now says Loaded in the Application Public Keys window.
9
In the Application Public Keys window, select [ Request ].
10
On the Subject DN tab, change the Preset drop-down option to Classic and specify the IP address or Hostname of the KMES in the Common Name field.
11
On the V3 Extensions tab, set the profile to TLS Client Certificate.
12
On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ].
13
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ]*.
14
Select [ OK ] again to save the Application Public Keys settings.

Sign the CSR

Perform the following steps to sign the Vault client connection pair CSR:
1
Go to PKI> Certificate Authorities.
2
Right-click the Root CA certificate you created and select Add Certificate> From Request.
3
In the file browser, select the Vault Client connection pair CSR.
Certificate information populates in the Create X.509 From CSR window.
4
Leave all settings set to the defaults and select [ OK ] to save.
The signed Vault Client connection pair certificate now displays under the Root CA certificate in the CA tree.

Export all certificates and import them

To export the certificates, right-click each certificate in the certificate tree and select Export> Certificate(s). In the Export Certificate dialog for each of them, change the encoding to PEM, and specify a save location for the file. Then, perform the following instructions to import them to the Vault client connection pair:
1
Log in to KMES Series 3 application interface with the default Admin identities.
2
Go to Administration> Configuration> Network Options. Under the TLS/SSL settings tab, select Vault Client from the Connection drop-down menu.
3
In the User Certificates section, select [ Edit ] next to Certificates.
4
In the Certificate Authority window, right-click on the Vault Client SSL CA X.509 certificate container and select [ Import ].
5
In the Import Certificates window, select [ Add ].
6
In the file browser, select both the root CA certificate and the signed Vault Client connection pair certificate, and select [ Open ].
The certificates should now display in the Verified section of the Import Certificates window.
7
Select [ OK ].
It now says Signed Loaded next to Certificates in the User Certificates section.
8
Select [ OK ] to save.