Configure KMES Series 3
This section starts with general KMES configurations that enable Apache to integrate with the KMES to store the private key used for HTTPS connections. The second half of this section covers the steps to configure TLS communication between the KMES Series 3 and the Futurex PKCS #11 library that Apache uses to communicate with the KMES.
Perform the following steps to create a new role and identity on the device and assign the role to the identity that the Futurex PKCS #11 library uses to connect to the KMES:
Log in to the KMES application interface with the default Admin identities.
Go to the Identity Management > Roles menu and select [ Add ].
In the Role Editor window, specify a name for the role, select the Hardened checkbox, and set the number of logins required to 1.
On the Permissions tab, select the following permissions:
| Category | Permissions |
| --- | --- |
| Certificate Authority | Add, Export |
| Cryptographic Operations | Sign |
| Keys | Add |
On the Advanced tab, set the allowed ports field to Host API.
Select [ OK ] to finish creating the role.
Go to the Identity Management > Identities menu, then right-click the pane background and select Add > Client Application.
Change the storage type to HSM and specify a name for the identity.
On the Assigned Roles tab, select the hardened role that you just created.
On the Authentication tab, select [ Add ] to configure a new credential.
In the Configure Credential window, set the credential type to Password, enter a password for the credential, and select [ OK ].
The new Password credential now displays with the API Key credential that exists by default.
Select the API Key credential and select [ Remove ].
In the main Identity Editor dialog, select [ OK ] to save.
The new identity now displays in the list with the other identities that exist on the device.
Because the Futurex PKCS #11 library connects to the Host API port on the KMES, you must determine which Host API commands are eligible for execution by the FXPKCS11 library. To enable commands, perform the following steps:
Go to Administration > Configuration > Host API Options and enable the following commands:
| Command | Description and additional modifiers |
| --- | --- |
| ATKG | Manipulate HSM trusted asymmetric key group. Enable the Add, Modify, Delete, and Get modifiers (add, modify, delete, and retrieve an HSM trusted asymmetric key group). |
| ECHO | Communication Test/Retrieve Version |
| RAFA | Filter Issuance Policy |
| RAND | Generate Random Number |
| RKCK | Create HSM Trusted Key |
| RKCP | Get Command Permissions |
| RKCS | Create Symmetric HSM Trusted Key Group |
| RKGP | Export Asymmetric HSM Trusted Key |
| RKGS | Generate Signature |
| RKLN | Lookup Objects |
| RKLO | Login User |
| RKPK | Pop Generated Key |
| TIME | Set Time |
After enabling the preceding commands, select [ Save ].
To configure TLS communication between the KMES and PKCS #11 library, you need to perform the following tasks:
- Create a Certificate Authority
- Create a CSR pair for the System/Host API connection pair
- Sign the System/Host API CSR
- Export the TLS Root CA certificate
- Export the signed System/Host API TLS certificate
- Load the exported TLS certificates into the System/Host API connection pair
- Generate a TLS private key and certificate signing request for the Futurex PKCS #11 library by using OpenSSL
- Sign the Certificate Signing Request (CSR) for the FXPKCS11 Library
- Export the signed FXPKCS11 TLS certificate
The following sections detail these task procedures.
Create a Certificate Authority
Go to the PKI > Certificate Authorities menu and select [ Add CA ] at the bottom of the window.
In the Certificate Authority dialog, enter a name for the certificate container, leave all other fields set to the default values, and select [ OK ].
Right-click the certificate container that you created and select Add Certificate > New Certificate.
On the Subject DN tab, select the Classic preset and set a Common Name for the certificate, such as System TLS CA Root.
On the Basic Info tab, leave all fields set to the default values.
On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
The root CA certificate now displays under the previously created Certificate Container.
Create a CSR pair for the System/Host API connection pair
Go to Administration > Configuration > Network Options.
In the Network Options dialog, go to the TLS/SSL Settings tab.
Under the System/Host API connection pair, uncheck the Use Futurex Certificates checkbox and select [ Edit ] next to the PKI keys in the User Certificates section.
In the Application Public Keys window, select [ Generate ].
When the warning "SSL will not be functional until new certificates are imported" displays, select [ Yes ] to continue.
In the PKI Parameters window, leave the default settings and select [ OK ].
When you see that a PKI Key Pair is loaded in the Application Public Keys dialog, select [ Request ].
On the Subject DN tab, set a Common Name for the certificate, such as KMES.
On the V3 Extensions tab, select the TLS Server Certificate profile.
On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
When the save successful message displays, select [ OK ].
Select [ OK ] again to save the Application Public Keys settings.
The main Network Options dialog now shows Loaded next to PKI Keys for the System/Host API connection pair.
Sign the System/Host API CSR
Go to the PKI > Certificate Authorities menu.
Right-click the System TLS CA Root certificate created previously and select Add Certificate > From Request.
In the file browser, select the CSR generated for the System/Host API connection pair.
After it loads, you don't need to modify any certificate settings. Select [ OK ].
The signed System/Host API TLS certificate should now show under the TLS root CA certificate on the Certificate Authorities page.
Export the TLS Root CA certificate
Go to the PKI > Certificate Authorities menu.
Right-click the System TLS CA Root certificate and select Export > Certificate(s).
In the Export Certificate window, select the PEM encoding and select [ Browse ].
In the file browser, navigate to the location where you want to save the TLS root CA certificate. Specify a name for the file and select [ Open ].
Select [ OK ].
A message box says that the PEM file was successfully written to the location that you specified.
Export the signed System/Host API TLS certificate
Go to the PKI > Certificate Authorities menu.
Right-click the KMES certificate and select Export > Certificate(s).
In the Export Certificate dialog, select the PEM encoding and select [ Browse ].
In the file browser, navigate to the location where you want to save the signed System/Host API TLS certificate. Specify a name for the file and select [ Open ].
Select [ OK ].
A message box says that the PEM file was successfully written to the location that you specified.
Load the exported TLS certificates into the System/Host API connection pair
Go to Administration > Configuration > Network Options.
In the Network Options dialog, go to the TLS/SSL Settings tab.
Select [ Edit ] next to Certificates in the User Certificates section.
Right-click the System/Host API SSL CA X.509 Certificate Container and then select [ Import ].
Select [ Add ] at the bottom of the Import Certificates window.
In the file browser, find and select both the TLS Root CA certificate and the signed System/Host API TLS certificate and select [ Open ].
The certificate chain appears in the Verified section.
Select [ OK ] to save the changes.
In the Network Options window, the System/Host API connection pair now shows Signed loaded next to Certificates in the User Certificates section.
Select [ OK ] to save and exit the Network Options window.
Generate a TLS private key and certificate signing request for the Futurex PKCS #11 library by using OpenSSL
Execute the following commands from a terminal application with OpenSSL:
Open a terminal and run the following command to generate a TLS private key for the FXPKCS11 library:
Run the following command to generate a Certificate Signing Request (CSR) for the FXPKCS11 library:
It prompts you to enter certificate information. The CSR outputs to a file named fxpkcs11_tls_cert_req.pem in the same directory in which you ran the command.
Move or copy the CSR file to the storage medium configured on the KMES.
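The key and CSR generation described above, as an added shell example rather than the guide's own commands. The CSR file name fxpkcs11_tls_cert_req.pem comes from the page; the private key file name fxpkcs11_tls_key.pem, the subject string, and the two check functions are assumptions. The checks go slightly beyond the page: one confirms the CSR carries the public key of the private key you keep on the Apache host before you hand the CSR to the KMES, and the other verifies that a certificate returned by the KMES chains to the exported TLS Root CA, which is the same check Apache will effectively perform when it presents the client certificate.

```shell
#!/bin/sh
# Added example (not Futurex's commands): generate the FXPKCS11 TLS private
# key and CSR with OpenSSL, then sanity-check the artifacts.
set -e

WORK_DIR="${WORK_DIR:-$(mktemp -d)}"
KEY_FILE="$WORK_DIR/fxpkcs11_tls_key.pem"        # assumed name (page does not give one)
CSR_FILE="$WORK_DIR/fxpkcs11_tls_cert_req.pem"   # name from the page
# Subject is an assumption; the KMES operator sets the final CN when signing.
CSR_SUBJECT="${CSR_SUBJECT:-/C=US/O=Example Org/CN=FXPKCS11}"

# Generate a 2048-bit RSA private key. umask 077 makes the file owner-only
# from the moment it is created, since this key never leaves the Apache host.
generate_key() {
    (umask 077; openssl genrsa -out "$KEY_FILE" 2048 2>/dev/null)
    chmod 600 "$KEY_FILE"
}

# Build the CSR from the private key. -subj supplies the subject so the
# command does not prompt interactively.
generate_csr() {
    openssl req -new -key "$KEY_FILE" -out "$CSR_FILE" -subj "$CSR_SUBJECT" 2>/dev/null
}

# Return 0 when the public key embedded in the CSR is exactly the public
# half of the private key. Both commands emit SubjectPublicKeyInfo PEM.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$KEY_FILE" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$CSR_FILE" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Return 0 when the signed certificate ($2) validates against the root CA
# certificate ($1) exported from the KMES.
# Usage: verify_signed_cert tls_root_ca.pem fxpkcs11_tls_cert.pem
verify_signed_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

generate_key
generate_csr
if csr_matches_key; then
    echo "CSR written to $CSR_FILE (public key matches $KEY_FILE)"
else
    echo "CSR does not match private key" >&2
    exit 1
fi
```

Copy only the CSR to the KMES storage medium; the private key stays on the Apache host with the restrictive permissions set above. After the KMES returns the signed certificate, run verify_signed_cert with the exported TLS Root CA certificate before moving both files to the Apache host.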
Sign the Certificate Signing Request (CSR) for the FXPKCS11 Library
Go to the PKI > Certificate Authorities menu.
Right-click the System TLS CA Root certificate and select Add Certificate > From Request.
In the file browser, locate and select the FXPKCS11 CSR. Certificate information populates in the Create X.509 From CSR window.
On the Subject DN tab, change the preset drop-down option to Classic, and set a Common Name for the certificate, such as FXPKCS11.
On the Basic Info tab, leave all settings set to the default values.
On the V3 Extensions tab, select the TLS Client Certificate profile, and then select [ OK ].
The signed FXPKCS11 certificate now displays in the list under the TLS Root Certificate.
Export the signed FXPKCS11 TLS certificate
Go to the PKI > Certificate Authorities menu.
Right-click the FXPKCS11 certificate and select Export > Certificate(s).
In the Export Certificate dialog, select the PEM encoding and select [ Browse ].
In the file browser, navigate to the location where you want to save the FXPKCS11 TLS certificate. Specify a name for the file and select [ Open ].
Select [ OK ].
A message box says that the PEM file was successfully written to the location that you specified.
Move both the signed FXPKCS11 TLS certificate and the TLS Root CA certificate to the computer that hosts the Apache HTTP Server instance.
The next section shows how to configure and use them for TLS communication with the KMES Series 3.