# Generic SCEP: Configure KMES Series 3
Before SCEP connections can occur, the SCEP client and the KMES Series 3 must establish a mutual trust relationship by validating each other's digitally signed certificates. This section describes how to perform the following tasks:

- Create a CA on the KMES Series 3
- Generate and sign the SCEP client certificate
- Configure a TLS certificate for the SCEP server connection pair

## Create a Certificate Authority on the KMES Series 3

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to **PKI > Certificate Authorities**, and select **[ Add CA ]**.
3. Specify a name for the CA, and select **[ OK ]**.
4. Right-click the newly created CA, and select **Add Certificate > New Certificate**.
5. On the **Subject DN** tab, change the preset to **Classic**, and set the **Common Name** value to `Root`.
6. On the **Basic Info** tab, change the **Major Key** to the **PMK**. Leave all other settings at their default values.
7. On the **V3 Extensions** tab, set the profile to **Certificate Authority**, and select **[ OK ]** to save.

## Generate and Sign the SCEP Client Certificate

Choose one of the following methods for generating and signing the SCEP client certificate, and perform the related steps:

- Use an external CA
- Use the KMES Series 3 as the CA

### Use an external CA

#### Step 1: Get the certificate

You can run the OpenSSL commands in this section from the default terminal application for your operating system.

1. Generate a private key. In a terminal, run the following OpenSSL command:

   ```shell
   # 2048-bit RSA private key for the SCEP client; keep this file private
   openssl genrsa -out ssl-client-privatekey.pem 2048
   ```

2. Construct a certificate signing request (CSR). Run the following OpenSSL command to generate a CSR:

   ```shell
   # CSR for the key above; openssl prompts for the subject DN fields
   openssl req -new -key ssl-client-privatekey.pem -out ssl-client-cert-req.pem -days 365
   ```

   Note that `-days` only takes effect together with `-x509`; for a CSR it is ignored, and the certificate's validity period is set by the CA that signs the request.

3. Get the CSR signed by an external CA. Take the CSR file to the external CA. After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.

#### Step 2: Import the signed SCEP client certificate

Perform the following steps to import the signed SCEP client certificate and chain into a new X.509 certificate container on the KMES Series 3:

1. Go to **PKI > Certificate Authorities**, and select **[ Add CA ]**.
2. Give the new X.509 certificate container a name, and select **[ OK ]**.
3. Right-click the certificate container you created, and select **Import > Certificate(s)**.
4. In the **Import Certificates** window, select **[ Add ]**.
5. Select the signed SCEP client certificate and all CA certificates in the certificate chain, and select **[ Open ]**. All of the certificates display in tree form in the **Import Certificates** window.
6. Select **[ OK ]** to save.

### Use the KMES Series 3 as the CA

1. Right-click the root CA certificate created previously (in *Create a Certificate Authority on the KMES Series 3*) and select **Add Certificate > New Certificate**.
2. Modify the options on the **Subject DN** tab as needed.
3. On the **V3 Extensions** tab, change the profile to **TLS Client Certificate**, then select **[ OK ]**.

The remaining steps in this section export the SCEP client certificate, with its private key, as a PKCS #12 file. To do this, you must first enable a configuration option:

4. Go to **Administration > Configuration > Options** and select the **Allow export of certificates using passwords** checkbox. Then select **[ Save ]**. This option permits private keys to leave the device in password-protected files; once the export is complete, consider clearing it again.
5. Right-click the SCEP client certificate and select **Export > PKCS12**.
6. In the **Export PKCS12** window, set the password by selecting **[ Set Password ]**. Enter the desired password and select **[ Save ]**.
7. For export options, select **[ Export selected certificate with parents ]**, set the cipher options to **AES-256**, and select **[ Next ]**.
8. Browse for the folder in which to save the PKCS12 file on your designated storage medium. Enter a file name, then select **[ Open ]**.
9. After the PKCS #12 file saves to the specified location, select **[ OK ]**.

This PKCS #12 file contains the signed SCEP client certificate, its associated private key, and the root certificate, all encrypted under the password that was set for the file. Because the file carries the client's private key, that password is the only thing protecting the client identity in transit, so choose it accordingly.

## Configure a TLS Certificate for the SCEP Server Connection Pair

Perform the following tasks to configure a TLS certificate for the SCEP server connection pair:

- Generate a new PKI key pair and CSR for the SCEP connection pair
- Sign the SCEP connection pair CSR
- Export all of the certificates in the certificate tree
- Import the signed SCEP connection pair certificate

### Generate a new PKI key pair and CSR for the SCEP connection pair

1. Go to **Administration > Configuration > Network Options**.
2. On the **TLS/SSL** tab, open the **Connection** drop-down and select the **SCEP** connection pair.
3. Enable the SCEP connection pair if it is not already enabled.
4. Uncheck **Use System/Host API SSL Parameters** if it is selected, so that the SCEP connection pair uses its own TLS certificate.
5. In the **User Certificates** section, select **[ Edit ]** next to **PKI keys**.
6. Select **[ Generate ]** to create a new PKI key pair.
7. Select **[ Yes ]** to bypass the warning that SSL will not be functional until new certificates are imported.
8. In the **PKI Parameters** window, set the **PMK** as the encrypting key, and change the key size to **2048**. Select **[ OK ]**. The **Application Public Keys** window now shows that the PKI key pair is loaded.
9. Select **[ Request ]**.
10. On the **Subject DN** tab, leave all fields at their default values.
11. On the **V3 Extensions** tab, set the profile to **TLS Server Certificate**.
12. On the **PKCS #10** tab, specify a save location and name for the CSR file.
13. Select **[ OK ]**. When a message box reports that the certificate signing request was successfully written to the specified location, select **[ OK ]** to close it.
14. Select **[ OK ]** in the **Application Public Keys** window, then select **[ OK ]** in the main **Network Options** window.

### Sign the SCEP connection pair CSR

1. Navigate to **PKI > Certificate Authorities**.
2. Right-click the root CA certificate and select **Add Certificate > From Request**.
3. In the file browser, select the SCEP connection pair CSR. Certificate information for the SCEP server certificate should automatically populate in the window.
4. Leave all settings exactly as they are and select **[ OK ]** to save. The signed SCEP server certificate displays under the root CA certificate in the CA tree.

### Export all of the certificates in the certificate tree

For each of the certificates in the certificate tree, perform the following steps:

1. Right-click the certificate and select **Export > Certificate(s)**.
2. In the **Export Certificates** dialog for the certificate, change the encoding to **PEM**, and specify a save location for the file.

### Import the signed SCEP connection pair certificate

1. Go to **Administration > Configuration > Network Options**.
2. On the **TLS/SSL** tab, open the **Connection** drop-down menu and select the **SCEP** connection pair.
3. In the **User Certificates** section, select **[ Edit ]** next to **Certificates**.
4. In the **Certificate Authority** dialog, right-click the **SCEP SSL CA** X.509 certificate container, and select **[ Import ]**.
5. In the **Import Certificates** dialog, select **[ Add ]** at the bottom of the window.
6. In the file browser, select both the root CA certificate and the signed SCEP server certificate, and select **[ Open ]**. The certificates should now be listed in the **Verified** section of the **Import Certificates** dialog.
7. Select **[ OK ]** to save. You should now see **Signed Loaded** next to **Certificates** in the **User Certificates** section of the **Network Options** dialog.
8. Select **[ OK ]** to save.
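The procedure above produces three artefacts that are easy to get subtly wrong before they are imported: a client certificate that must verify against the root and carry the TLS client profile, a server certificate that must verify against the same root with the TLS server profile, and a PKCS #12 bundle that must actually contain the client certificate, its matching key and the root. The script below, an added example that is not code from the Futurex page or product, runs those checks offline with the openssl CLI. A throwaway root CA generated locally stands in for the KMES `Root` CA (or the external CA), a locally generated server key stands in for the key pair the KMES creates under Network Options > TLS/SSL, and every file name, subject and the placeholder password are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Futurex page or product: offline checks for the
# certificates this procedure produces, using only the openssl CLI. A throwaway root CA
# built here stands in for the KMES "Root" CA (or the external CA); every file name,
# subject and the placeholder password are assumptions.
set -eu

WORK="${SCEP_WORK_DIR:-$(mktemp -d)}"
cd "$WORK"

# Stand-in for the KMES Root CA (on the device its key is protected by the PMK).
make_test_root_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Root" \
        -keyout root-key.pem -out root-req.pem >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ext-ca.cnf
    openssl x509 -req -in root-req.pem -signkey root-key.pem -days 30 -sha256 \
        -extfile ext-ca.cnf -out root-cert.pem >/dev/null 2>&1
}

# The page's two client-side commands, with -subj added so the run is non-interactive.
make_client_csr() {
    openssl genrsa -out ssl-client-privatekey.pem 2048 >/dev/null 2>&1
    openssl req -new -key ssl-client-privatekey.pem -out ssl-client-cert-req.pem \
        -subj "/CN=scep-client" >/dev/null 2>&1
}

# Sign a CSR the way the GUI profiles do: "TLS Client Certificate" => clientAuth EKU,
# "TLS Server Certificate" => serverAuth EKU. That EKU is what the -purpose check tests.
sign_csr() {  # $1 csr  $2 output cert  $3 client|server
    if [ "$3" = client ]; then eku=clientAuth; else eku=serverAuth; fi
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "ext-$3.cnf"
    openssl x509 -req -in "$1" -CA root-cert.pem -CAkey root-key.pem -CAcreateserial \
        -days 365 -sha256 -extfile "ext-$3.cnf" -out "$2" >/dev/null 2>&1
}

# Checks worth running before importing anything into the KMES or the SCEP client.
chain_ok() {  # $1 cert  $2 sslclient|sslserver: chains to Root AND carries the matching EKU
    openssl verify -CAfile root-cert.pem -purpose "$2" "$1" >/dev/null 2>&1
}
wrong_purpose_rejected() { ! chain_ok "$1" "$2"; }
key_matches_cert() {  # $1 key  $2 cert: compare public keys instead of trusting file names
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Bundle the client identity the way the KMES export does: cert + key + root under AES-256.
make_pkcs12() {  # $1 password
    openssl pkcs12 -export -in ssl-client-cert.pem -inkey ssl-client-privatekey.pem \
        -certfile root-cert.pem -name scep-client \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "pass:$1" -out scep-client.p12 >/dev/null 2>&1
}
pkcs12_ok() {  # $1 password: succeeds only if the MAC verifies and both certificates are inside
    n=$(openssl pkcs12 -in scep-client.p12 -passin "pass:$1" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE') || true
    [ "$n" -eq 2 ]
}
wrong_password_rejected() { ! pkcs12_ok "not-the-password"; }

# Produce every artefact the procedure produces. The server key pair and CSR are made on
# the KMES itself (Network Options > TLS/SSL); a local key stands in for it here.
build_all() {  # $1 PKCS#12 password
    make_test_root_ca
    make_client_csr
    sign_csr ssl-client-cert-req.pem ssl-client-cert.pem client
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kmes-scep" \
        -keyout scep-server-key.pem -out scep-server-req.pem >/dev/null 2>&1
    sign_csr scep-server-req.pem scep-server-cert.pem server
    make_pkcs12 "$1"
}

check() { name=$1; shift; if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; fi; }

P12_PASSWORD="${SCEP_P12_PASSWORD:-changeit}"   # placeholder; use a real secret outside a lab
build_all "$P12_PASSWORD"
check "client cert chains to Root with TLS client purpose" chain_ok ssl-client-cert.pem sslclient
check "server cert chains to Root with TLS server purpose" chain_ok scep-server-cert.pem sslserver
check "client cert is rejected for TLS server purpose"     wrong_purpose_rejected ssl-client-cert.pem sslserver
check "server cert is rejected for TLS client purpose"     wrong_purpose_rejected scep-server-cert.pem sslclient
check "client private key matches client cert"             key_matches_cert ssl-client-privatekey.pem ssl-client-cert.pem
check "PKCS#12 opens with the password and holds 2 certs"  pkcs12_ok "$P12_PASSWORD"
check "PKCS#12 refuses a wrong password"                   wrong_password_rejected
```

Run it with `sh` and it prints one PASS/FAIL line per check, working in a temporary directory. Against a real deployment, replace `root-cert.pem` with the root certificate exported from **PKI > Certificate Authorities**, `scep-server-cert.pem` with the signed SCEP server certificate, and `scep-client.p12` with the file exported from the KMES; the two commands a practitioner then needs are `openssl verify -CAfile root-cert.pem -purpose sslserver scep-server-cert.pem` and `openssl pkcs12 -in scep-client.p12 -nokeys`. The purpose checks matter because a certificate issued under the wrong V3 profile still verifies as a plain chain but will be refused by a TLS peer that checks extended key usage.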