Skip to main content
Before KMIP connections can occur between vCenter Server and KMES Series 3, both parties must establish a mutual trust relationship by validating their respective digitally signed certificates. This section shows how to generate and sign a certificate for the KMIP connection pair on the KMES Series 3. In the next section, while registering the KMES as a Standard Key Provider in the vSphere Client, the KMES presents the TLS certificate configured for the KMIP connection pair. After accepting the presented certificate, vCenter trusts the KMES moving forward. Learn how to generate, sign, and register TLS certificates for the vCenter Server in a later section.

Create a CA

Perform the following steps to create a Certificate Authority (CA):
1
Log in to the KMES Series 3 application interface with the default Admin users.
2
Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
3
On the Certificate Authority window, specify a name for the Certificate Container and select [ OK ].
4
Right-click the newly created Certificate Container and select Add Certificate > New Certificate.
5
On the Subject DN tab, change the Preset to Classic, and set a Common Name for the certificate.
6
On the Basic Info tab, leave all of the default settings.
7
On the V3 Extensions tab, set the profile to Certificate Authority an select [ OK ].
The root CA displays under the Certificate Container you created in the Certificate Authorities menu.

Configure TLS certificates for the KMIP connection pair

This section covers the following tasks:
  • Generate a new OKI pair and CSR.
  • Sign the CSR.
  • Import the certificate.

Generate a key pair and CSR

Perform the following steps to generate a new PKI key pair and CSR for the KMIP connection pair:
1
Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
2
Select the Connection drop-down menu and select the KMIP connection pair. If it is not already enabled, enable it.
3
Uncheck Use System/Host API SSL Parameters if it is selected.
4
In the User Certificates section, uncheck Use Futurex certificates if it is selected, and select [ Edit ] next to PKI keys.
5
In the Application Public Keys window, select [ Generate ].
6
Click [ Yes ] and bypass the warning about SSL not being functional until new certificates are imported.
7
In the PKI Parameters window, leave the settings as default and select [ OK ].
The Application Public Keys window now shows that a PKI Key Pair is Loaded.
8
Select [ Request ].
9
On the Subject DN tab of the Create PKCS #10 Request window, change the Common Name value to the IP of the KMES.
10
On the V3 Extensions tab, set the profile to TLS Server Certificate.
11
On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ].
12
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].
13
Select [ OK ] in the Application Public Keys window, and select [ OK ] in the main Network Options window.

Sign the CSR

Perform the following steps to sign the KMIP connection pair CSR:
1
Go to PKI > Certificate Authorities.
2
Right-click the Root CA certificate and select Add Certificate > From Request.
3
In the file browser, find and select the KMIP connection pair CSR. Certificate information should populate in the Create X.509 From CSR window.
4
After it loads, you don’t need to modify any certificate settings. Select [ OK ].
The signed KMIP server certificate displays under the Root CA certificate.

Import the certificate

Perform the following steps to import the signed KMIP connection pair certificate:
1
Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
2
Select the Connection drop-down menu and select the KMIP connection pair.
3
Select [ Edit ] next to Certificates in the User Certificate section.
4
In the Certificate Authority window, right-click the KMIP SSL CA X.509 Certificate Container and select [ Import ].
5
Select [ Add ] at the bottom of the Import Certificates window.
6
In the file browser, select both the root CA certificate and the signed KMIP server certificate and select [ Open ].
The certificates should now display in the Verified section of the Import Certificates window.
7
Select [ OK ] to save.
It now says Signed loaded next to Certificates in the User Certificates section for the KMIP connection pair.
8
Select [ OK ] to save.