
The vCenter Server and KMES Series 3 must establish a mutual trust relationship by validating each other's digitally signed certificates before KMIP connections can occur. The steps you performed in the preceding sections established the vCenter trust of the KMES. The steps in this section establish the reciprocal trust the KMES has of vCenter. To do this, generate a Certificate Signing Request (CSR) in the vCenter Server system with the vSphere Client, sign the CSR using the Certificate Authority (CA) created on the KMES, and import the signed certificate back into the vCenter Server system with the vSphere Client. After this, vCenter Server and the KMES Series 3 can establish a TCP/IP session secured by TLS, making it possible for KMIP connections, and therefore encryption operations, to occur.

Generate a CSR

Perform the following steps to generate a CSR with the vSphere Client:

1. Log in to the vCenter Server system with the vSphere Client.
2. Browse the inventory list and select the vCenter Server instance.
3. Select [ Configure ] and select Key Providers under Security.
4. Select the KMES Series 3 key provider.
   The KMS for the key provider displays.
5. Select the KMES KMS, select the Establish Trust drop-down menu, and select Make KMS trust vCenter.
6. Select the New Certificate Signing Request (CSR) method and select [ Next ].
7. In the dialog box, select [ Download ] to download the CSR as a file.
   You must copy the CSR file to the storage medium configured for the KMES.
8. Select [ Done ].

Sign the vCenter CSR

Perform the following steps to sign the vCenter CSR by using a CA on the KMES:

1. Log in to the KMES Series 3 application interface with the default Admin users.
2. Go to PKI > Certificate Authorities.
3. Right-click the System TLS Root CA certificate you configured in the Configure TLS certificates for the KMIP port on the KMES Series 3 section and select Add Certificate > From Request.
4. In the file browser, find and select the vCenter CSR.
5. On the Subject DN tab, change the Common Name value to a shorter string, such as vCenter.
   The Common Name of the certificate should match the name of the user created in the next section so that vCenter can authenticate to the KMES through TLS certificate authentication.
6. On the V3 Extensions tab, select the TLS Client Certificate profile.
7. Select [ OK ] to finish.
   The signed vCenter certificate now displays under the System TLS Root CA certificate.

Export the certificate

Perform the following steps to export the signed vCenter certificate:

1. Go to PKI > Certificate Authorities.
2. Right-click the vCenter certificate and select Export > Certificate(s).
3. In the Export Certificate window, change the encoding to PEM and select [ Browse ].
4. In the file browser, go to the location where you want to save the certificate. Specify a name for the file and select [ Open ].
5. Select [ OK ].
   A message displays stating that the PEM file was successfully written to the location that you specified.
   You need to copy the signed vCenter certificate file from the KMES storage medium to the computer that accesses vCenter Server through the vSphere Client.
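Before uploading the exported file, it is worth confirming that it carries what the signing steps above were meant to produce: a chain to the System TLS Root CA, the shortened Common Name that will be matched against the KMES user, the client-authentication extension from the TLS Client Certificate profile, and a validity period that has not ended. The following script is an added example and not Futurex or VMware code; it assumes openssl is on the PATH, and the file names, the CN value "vCenter" and the fixture-building function are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Futurex or VMware code): sanity-check the signed vCenter
# certificate exported from the KMES before uploading it to vCenter Server.
# Assumes: openssl on PATH; $1 = signed vCenter cert (PEM), $2 = KMES System
# TLS Root CA cert (PEM), $3 = KMES user name the Common Name must match.
check_vcenter_cert() {
    cert=$1 ca=$2 expected_cn=$3
    # 1. The cert must chain to the System TLS Root CA that signed the CSR.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $ca"; return 1; }
    # 2. CN must equal the KMES user that vCenter authenticates as over TLS.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$expected_cn" ] \
        || { echo "FAIL: CN '$cn' is not '$expected_cn'"; return 2; }
    # 3. The TLS Client Certificate profile must have set the clientAuth EKU.
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication' \
        || { echo "FAIL: no TLS Web Client Authentication EKU"; return 3; }
    # 4. notAfter must still be in the future.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; return 4; }
    echo "OK: $cert chains to CA, CN=$cn, client auth, not expired"
}

# Constructed fixtures standing in for the KMES CA and the vCenter CSR:
# vc.pem is signed as the procedure describes, bad.pem was signed with a
# server profile instead of the TLS Client Certificate profile.
make_fixtures() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=System TLS Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # The CSR already carries the shortened CN chosen on the Subject DN tab.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vCenter" \
        -keyout "$dir/vc.key" -out "$dir/vc.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/vc.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/client.ext" -out "$dir/vc.pem" >/dev/null 2>&1
    printf 'extendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    openssl x509 -req -in "$dir/vc.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/bad.pem" >/dev/null 2>&1
}

# Run directly against the real files exported from the KMES.
if [ $# -eq 3 ]; then check_vcenter_cert "$1" "$2" "$3"; fi
```

A non-zero return code identifies which of the four checks failed, so a wrong CN (code 2) or a certificate signed with the wrong profile (code 3) is caught before the upload step rather than showing up as a failed Connection Status in the vSphere Client.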

Import the signed vCenter certificate

Perform the following steps to import the signed vCenter certificate into vCenter Server with the vSphere Client:

1. Log in to the vCenter Server system with the vSphere Client.
2. Browse the inventory list and select the vCenter Server instance.
3. Select [ Configure ] and select Key Providers under Security.
4. Select the KMES Series 3 key provider.
   The KMS for the key provider displays.
5. Select the KMES KMS, select the Establish Trust drop-down menu, and select Upload Signed CSR Certificate.
6. Select [ Upload A File ], and find and select the signed vCenter certificate in the file browser.
   The content of the certificate should display.
7. Select [ Upload ].
   The Connection Status column should now have a green checkmark and say Connected. The vCenter Certificate and KMS Certificate columns should also show green checkmarks, with certificate validity dates sometime in the future.