Set up the KMES Series 3
Before attempting either of the examples, you must set up the KMES Series 3. See the KMES Series 3 user guide for additional information about completing the following required setup steps:
Create a Signing Approval role, set Logins Required to 1, and enable all permissions under Certificate Authority, Keys, and Cryptographic operations. Select [ OK ] to finish creating the role.
Under Assigned Roles, select the Signing Approval role you just created. Under Authentication, set a password for the identity. Select [ OK ] to finish creating the identity.
Go to PKI > Signing Workflow and select [ Add ]. Set a name for the signing approval group and select [ OK ].
Create a CA tree, ensuring that you select the PMK as the major key for all certificates created in this CA Tree.
Add an Issuance Policy to the leaf certificate in the CA tree. In the X.509 tab of the Issuance Policy window, ensure that you select all of the permission checkboxes and that you select the signing approval group you created in step 5.
Example: RAUP Excrypt command
The following example demonstrates the RAUP command:
Run the following command to connect to the System/Host API port on the KMES by using OpenSSL:
You must configure the System/Host API connection pair on the KMES Series 3 so that this OpenSSL connection works. Instructions for setting this up are outside the scope of this guide. See the KMES Series 3 user guide for more information.
After you connect successfully, run the RKLO Excrypt command twice to log in with the default Admin users, as shown in the following example:
Run the RAUP command to upload a new X.509 PKI request, as shown in the following example:
If the command shown in the preceding example succeeds, a new X.509 PKI is generated on the KMES Series 3 and issued as a PKCS #12 file, and the passphrase for the PKCS #12 file is stored in Vault.
Example: POST Request to the KMES RESTful API by using Postman
Before trying this example, you must perform the following configurations on the KMES Series 3.
Configure a JWT Identity Provider
Perform the following steps to configure a JWT Identity Provider and authentication mechanism:
Right-click the Identity Provider you just created and select Add > Mechanism > JSON Web Token. On the Info tab, specify a name for the mechanism, then select [ OK ] to save.
Go to Identity Management > Identities and locate the Signing Approval identity created for the previous example. Right-click it and select Edit.
Go to the Authentication tab and select [ Add ]. In the Type drop-down menu, select JSON Web Token and select [ OK ] to return to the Identity editor. Then select [ OK ] to save.
Send a POST Request to the KMES RESTful API by using Postman
To perform the following steps, you must install the Postman application on your local computer. The same concepts apply if you use cURL rather than Postman. However, to use cURL, you must generate the JWT token elsewhere (for example, a website such as https://jwt.io/). With Postman, you can generate a JWT token on the fly when you send the POST request.
Set any name for the collection, go to the Variable tab, and set jwt_token in the Variable field. Select [ Create ]. You don't need to set anything else in this window.
Set any name for the request. The most important part is that the request is associated with the newly created Collection. Save the request.
Expand the Collection Folder and select the request that you just created. Set the request URL to https://10.0.5.125:8081/kmes/v6/certificates/signing-requests and change the request type to POST in the drop-down menu.
Go to the Authorization tab, set the TYPE to Bearer Token, and set the Token value to {{jwt_token}}.
Go to the Body tab, select the Raw bullet, and paste the following JSON code:
In the request body, you specify that you want the KMES Series 3 to create a new X.509 PKI. You define the CA tree that you built on the KMES, along with several other parameters. One of the most important parameters to notice is the randomPassphrase value set to true. The randomPassphrase parameter ensures that the PKI request is issued as PKCS #12. Then, the passphrase for the PKCS #12 file is stored in Vault.
Go to the Pre-Request Script tab and paste the following JavaScript, which generates the JWT token used to authenticate to the KMES on the fly:
After pasting in the JavaScript, select the settings icon in the upper-right corner of the page and select Globals.
Add a new variable, jwt_user. Set the Current Value to the username of the Signing Approval Identity you created. Select [ Save ].
Select [ Save ] on your request and select [ Send ].
If the request is successful, the response body contains the message: Successfully created new entry.
When you log back into the Vault UI and go to Secret Engines > Secret, you see a new entry whose ID values after CommonName match the requested value in the response body in Postman. This confirms that the KMES Series 3 sent the PKCS #12 passphrase successfully to Vault for storage.
Enable the rekey feature
You can apply a renewal threshold in Registration Authority Options. When you request an existing key name, one of the following events occurs:
- If the key is under the expiration threshold when you request the key, the system returns a new key and certificate.
- If the key is over the expiration threshold when you request the key, the system returns the same key and certificate.
For the Renewal Threshold option, set a number and use the drop-down list to select Days, Weeks, Months, or Years, depending on your needs (for example, 90 days).
In this example, a key request with the same name that is over the 90-day threshold returns the same key and certificate. A key request with the same name that is under the 90-day threshold returns a new key and certificate.
Add the renewalCheck: true line to the JSON request, as shown in the following example: