Configure KMES Series 3
Before SCEP connections can occur, the SCEP client and KMES Series 3 must establish a mutual trust relationship by validating their respective digitally signed certificates.
This section describes how to perform the following tasks:
- Create a CA on the KMES Series 3.
- Generate and sign the SCEP client certificate.
- Configure a TLS certificate for the SCEP Server connection pair.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to PKI > Certificate Authorities, and select [ Add CA ].
Specify a name for the CA, and select [ OK ].
Right-click the newly created CA, and select Add Certificate > New Certificate.
On the Subject DN tab, change the Preset to Classic, and set the common name value to Root.
On the Basic Info tab, change the Major Key to the PMK. Leave all other settings set to the default values.
On the V3 Extensions tab, set the Profile to Certificate Authority, and select [ OK ] to save.
Choose one of the following optional methods for generating and signing the SCEP client certificate and perform the related steps:
- Use an external CA
- Use the KMES Series 3 as the CA
You can run the OpenSSL commands in this section from the default terminal application for your operating system.
Generate a private key
In a terminal, run the following OpenSSL command:
Construct a Certificate Signing Request (CSR)
Run the following OpenSSL command to generate a CSR:
Get the CSR signed by an external CA.
Take the CSR file to the external CA. After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.
Perform the following steps to import the signed SCEP client certificate and chain in a new X.509 Certificate Container on the KMES Series 3:
Go to PKI > Certificate Authorities, and select [ Add CA ].
Give the new X.509 Certificate Container a name, and select [ OK ].
Right-click the Certificate Container you created, and select Import > Certificate(s).
In the Import Certificates window, select [ Add ].
Select the signed SCEP client certificate and all CA certificates in the certificate chain, and select [ Open ].
All of the certificates display in tree form in the Import Certificates window
Select [ OK ] to save.
Right-click the Root CA certificate created previously (in Create a certificate authority on the KMES Series 3) and select Add Certificate > New Certificate.
Modify the options on the Subject DN tab as needed.
On the V3 Extensions tab, change the profile to TLS Client Certificate. Then select [ OK ].
The remaining steps in this section involve exporting the SCEP client certificate as a PKCS #12 file. To do this, you must enable a configuration option. Go to Administration > Configuration > Options and select the Allow export of certificates using passwords checkbox. Then, select [ Save ].
Now, right-click the SCEP client certificate and select Export > PKCS12.
In the Export PKCS12 window, set the password by selecting [ Set Password ]. Enter the desired password and select [ Save ].
For export options, select [ Export Selected Certificate with Parents ], set the Cipher Options to AES-256, and select [ Next ].
Browse for the folder in which to save the PKCS12 file on your designated storage medium. Enter a file name and then select [ Open ].
After the PKCS #12 file saves to the specified location, select [ OK ]. This PKCS #12 file contains the signed SCEP client certificate, associated private key, and root certificate, all encrypted under the password that was set for the file.
Perform the following tasks to configure a TLS certificate for the SCEP Server connection pair:
- Generate a new PKI key pair and CSR for the SCEP connection pair.
- Sign the SCEP connection pair CSR.
- Export all of the certificates in the certificate tree.
- Import the signed SCEP connection pair certificate.
Go to Administration > Configuration > Network Options. On the TLS/SSL tab, select the Connection drop-down option and select the SCEP connection pair.
Enable the SCEP connection pair if it is not already enabled.
Uncheck Use System/Host API SSL Parameters if it is selected.
In the User Certificates section, select [ Edit ] next to PKI keys.
Select [ Generate ] to create a new PKI Key Pair.
Select [ Yes ] and bypass the warning about SSL not being functional until new certificates are imported.
In the PKI Parameters window, set the PMK as the Encrypting Key, and change the Key Size to 2048. Select [ OK ].
The Application Public Keys window now shows that the PKI Key Pair is Loaded.
Select [ Request ].
On the Subject DN tab, leave all fields set to the default values.
On the V3 Extensions tab, set the profile to TLS Server Certificate.
On the PKCS #10 tab, specify a save location and name for the CSR file.
Select [ OK ].
When a message box saying that the certificate signing request was successfully written to the specified location opens, select [ OK ] to close the message box.
Select [ OK ] in the Application Public Keys window, then select [ OK ] in the main Network Options window.
Navigate to PKI > Certificate Authorities. Right-click the Root CA certificate and select Add Certificate > From Request.
In the file browser, select the SCEP connection pair CSR.
Certificate information for the SCEP server certificate should automatically populate in the window.
Leave all settings exactly as they are and select [ OK ] to save.
The signed SCEP server certificate displays under the Root CA certificate in the CA tree now.
For each of the certificates in the certificate tree, perform the following steps:
Right-click the certificate and select Export > Certificate(s).
In the Export Certificates dialog for the certificate, change the encoding to PEM, and specify a save location for the file.
Go to Administration > Configuration > Network Options. On the TLS/SSL tab, select the Connection drop-down menu and select the SCEP connection pair.
In the User Certificates section, select [ Edit ] next to Certificates.
In the Certificate Authority dialog, right-click the SCEP SSL CA X.509 certificate container, and select [ Import ].
In the Import Certificates dialog, select [ Add ] at the bottom of the window. In the file browser, select both the root CA certificate and the signed SCEP server certificate and select [ Open ].
The certificates should now be listed in the Verified section of the Import Certificates dialog.
Select [ OK ] to save.
You should now see Signed loaded next to Certificates in the User Certificates section of the Network Options dialog.
Select [ OK ] to save.