Log in to the KMES Series 3 application interface with the default Admin identities.

Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.

In the Certificate Authority window, enter a name for the certificate container, leave all other fields set to the default values, and select [ OK ].

Right-click the certificate container you just created and select Add Certificate > New Certificate.

On the Subject DN tab, select the Classic preset and set a Common Name for the certificate, such as System TLS CA Root.

On the Basic Info tab, leave all settings as the default values.

On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].

Go to Administration > Configuration > Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Under the System/Host API connection pair, uncheck the Use Futurex Certificates checkbox and select [ Edit ] next to PKI Keys in the User Certificates section.

In the Application Public Keys window, select [ Generate ].

When warned that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.

In the PKI Parameters window, leave the fields set to the default values and select [ OK ].

Select [ Request ].

On the Subject DN tab, you can leave the default Common Name value set to System/Host API.

On the V3 Extensions tab, select the TLS Server Certificate profile.

On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].

When notified that the certificate signing request was successfully written to the location you specified, select [ OK ].

Select [ OK ] again to save the Application Public Keys settings.

Select [ OK ] to save and close the Network Options menu.

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate and select Add Certificate > From Request.

In the file browser, select the CSR you generated for the System/Host API connection pair.

After it loads, don't modify any settings for the certificate. Select [ OK ].

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate and select Export > Certificate(s).

In the Export Certificates window, change the encoding to PEM and select [ Browse ].

In the file browser, navigate to the location where you want to save the root CA certificate. Specify a name for the file and select [ Open ].

Select [ OK ].

Go to PKI > Certificate Authorities.

Right-click the System/Host API certificate and select Export > Certificate(s).

In the Export Certificates window, change the encoding to PEM and select [ Browse ].

In the file browser, navigate to the location where you want to save the signed System/Host API TLS certificate. Specify a name for the file and select [ Open ].

Select [ OK ].

Go to Administration > Configuration > Network Options.

In the Network Options window, select the TLS/SSL Settings tab.

Under the System/Host API connection pair, select [ Edit ] next to Certificates in the User Certificates section.

Right-click the System/Host API SSL CA X.509 Certificate Container and select [ Import ].

Select [ Add ] at the bottom of the Import Certificates window.

In a file browser, select both the root CA certificate and the signed System/Host API certificate, and select [ Open ].

Select [ OK ] to save the changes.

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate and select Add Certificate > New Certificate.

On the Subject DN tab, set Venafi as the Common Name for the certificate.

Leave all fields on the Basic Info tab set to the default values.

On the V3 Extensions tab, select the TLS Client Certificate profille and select [ OK ].

Go to PKI > Certificate Authorities.

Right-click the Venafi certificate and select Export > PKCS#12.

Set a password for the PKCS #12 file, select Export Selected Certificate, and select [ Next ].

In the file browser, select a location for the PKCS #12 file and select [ Open ].

Move both the Venafi certificate and the root CA certificate exported in the Export the Root CA certificate section to the computer that runs the Venafi TPP instance.

The next section shows you how to configure and use them for TLS communication with the KMES Series 3.

Go to Identity Management > Roles and select [ Add ] at the bottom of the page.

On the Info tab of the Role Editor window, set the Type to Application, the Name to Venafi, select the Hardened checkbox, and set the Logins Required to 1.

On the Permissions tab, enable the following permissions:

On the Advanced tab, set Allowed Ports to Host API only.

Select [ OK ] to finish creating the role.

Go to Identity Management > Identities.

Right-click anywhere in the window and select Add > Client Application.

On the Info tab of the Identity Editor window, set the Storage type to HSM and specify a Name for the identity.

On the Assigned Roles tab, select the Venafi role.

On the Authentication tab, remove the default Hardened API Key mechanism and select [ Add ].

In the Configure Credential window, the Hardened Password mechanism populates by default. Select [ Change ], configure a password, and select [ Save ]. Select [ OK ] to finish configuring the new credential.

Select [ OK ] to finish creating the identity.

Go to Administration > Configuration > Host API Options.

Enable the following commands:

Select [ Save ] to finish.