Configure certificates for TLS authentication between Zettaset and the KMES
Before PKCS #11 and KMIP connections can occur between Zettaset XCrypt Full Disk and the KMES, both parties must establish a mutual trust relationship by validating each other's digitally signed certificates.
Use one of the following methods to generate and sign the Zettaset TLS client certificate:
- Use an external CA.
- Use the KMES as the CA.
For the first method, import the external CA certificates into an empty certificate container on the KMES. Then, generate a Certificate Signing Request (CSR), which the external CA uses to issue a TLS certificate for the Zettaset instance. Finally, import the issued certificate into the certificate container on the KMES that holds the external CA certificates.
Go to PKI > Certificate Authorities, and select [ Add CA ] at the bottom of the page.
Specify a name for the certificate container, such as Externally Issued, then select [ OK ].
The new certificate container displays in the Certificate Authorities menu.
Right-click the Externally Issued certificate container and select Import > Certificate(s).
In the Import Certificates window, select [ Add ] at the lower-left corner of the window, and find and select the external CA certificates that should issue the Zettaset TLS client certificate.
The CA certificates populate in the Verified section of the Import Certificates window.
Select [ OK ] to save.
The external CA certificates now display in tree form under the Externally Issued certificate container.
Next, create a placeholder TLS client certificate from which you can generate a CSR. Right-click the lowest level CA certificate in the tree and select Add Certificate > Pending.
In the Subject DN tab of the Create X.509 Certificate window, set a Common Name for the certificate, such as Zettaset.
Leave all other fields set to the default values and select [ OK ].
The Zettaset placeholder certificate now displays under the external CA certificates.
Right-click on the placeholder Zettaset certificate and select Export > Signing Request.
In the Create PKCS #10 Request window, leave all settings in the Subject DN tab set to the default values.
In the V3 Extensions tab, select the TLS Client Certificate profile.
In the PKCS #10 Info tab, specify a save location for the CSR and select [ OK ].
A message states that the certificate signing request was successfully written to the location you specified.
Take the CSR file to an external certificate authority.
The external CA uses the CSR to issue a TLS certificate.
After the external CA issues the signed certificate, copy the certificate to the storage medium configured on the KMES.
In the PKI > Certificate Authorities menu on the KMES, right-click the placeholder Zettaset certificate and select Replace > With Signed Certificate.
In the Import Certificates window, select [ Add ] in the lower-left corner of the window, and find and select the externally signed TLS certificate.
The certificate populates under the CA certificates in the Verified section.
Select [ OK ] to save.
The remaining steps in this section export the Zettaset certificate as a PKCS #12 file. Before you can do this, you must enable a configuration option: go to Administration > Configuration > Options, select the Allow export of certificates using passwords checkbox next to the second menu option, and select [ Save ].
Right-click the Zettaset certificate and select Export > PKCS12.
In the Export PKCS12 window, set a password for the PKCS #12 file, set Export Options to Export Selected Certificate with Parents, and select [ Next ].
In the file browser, specify a name for the file, select a save location, and select [ Open ].
The PKCS #12 file contains the signed Zettaset certificate, its associated private key, and the CA certificate(s), all encrypted under the password set for the file. Copy this file to the machine where the Zettaset XCrypt Full Disk is running.
To use the KMES as the CA instead, first create a root CA on the KMES. Go to PKI > Certificate Authorities, and select [ Add CA ] at the bottom of the page.
Specify a name for the certificate container, such as KMES Issued, and select [ OK ].
The new certificate container displays in the Certificate Authorities menu.
Right-click the newly created KMES Issued certificate container and select Add Certificate > New Certificate.
In the Subject DN tab, select the Classic preset and set a Common Name for the certificate, such as Root.
In the Basic Info tab, change the key size to 4096. Leave all other settings at their default values.
In the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
The Root CA certificate now displays inside the KMES Issued certificate container.
Right-click the Root CA certificate you just created and select Add Certificate > New Certificate.
In the Subject DN tab, set a Common Name for the certificate, such as Zettaset.
In the Basic Info tab, leave all values set to the defaults.
In the V3 Extensions tab, change the profile to TLS Client Certificate and select [ OK ] to finish generating the certificate.
The remaining steps in this section export the Zettaset certificate as a PKCS #12 file. Before you can do this, enable a configuration option: go to Administration > Configuration > Options, select the Allow export of certificates using passwords checkbox next to the second menu option, and select [ Save ].
Right-click the Zettaset certificate and select Export > PKCS12.
In the Export PKCS12 window, set a password for the PKCS #12 file, set Export Options to Export Selected Certificate with Parents, and select [ Next ].
In the file browser, specify a name for the file, select a save location, and select [ Open ].
The PKCS #12 file contains the signed Zettaset certificate, its associated private key, and the CA certificates, all encrypted under the password set for the file. Copy it to the machine where the Zettaset XCrypt Full Disk is running.
Perform the following tasks to configure a TLS server certificate for the System/Host API connection pair.
Go to Administration > Configuration > Network Options > TLS/SSL Settings.
Use the Connection drop-down menu and select the System/Host API connection pair.
In the User Certificates section, uncheck Use Futurex certificates and select [ Edit ] next to PKI Keys.
In the Application Public Keys window, select [ Generate ].
In the PKI Parameters window, leave the default settings and select [ OK ].
The Application Public Keys window now shows that the PKI Key Pair is loaded.
Select [ Request ].
In the Subject DN tab of the Create PKCS #10 Request window, change the Common Name value to the KMES IP address or hostname.
In the V3 Extensions tab, set the profile to TLS Server Certificate.
In the PKCS #10 Info tab, specify a save location and name for the CSR file, and select [ OK ].
A message box states that the certificate signing request was successfully written to the specified location.
Select [ OK ].
Select [ OK ] in the Application Public Keys window and select [ OK ] in the main Network Options window.
Go to PKI > Certificate Authorities, right-click on the root CA certificate that issued the Zettaset TLS certificate, and select Add Certificate > From Request.
In the file browser, find and select the System/Host API connection pair CSR.
Certificate information populates in the Create X.509 From CSR window.
Leave all settings exactly as they are and select [ OK ] to save.
The signed System/Host API server certificate now displays under the root CA certificate that issued it.
For each of the root CA certificate and the signed System/Host API connection pair certificate, right-click the certificate and select Export > Certificate(s). In the Export Certificate window, change the encoding to PEM and specify a save location for the file.
In addition to installing the root CA certificate on the System/Host API connection pair, as described in the next steps, copy the exported root CA certificate to the machine where Zettaset XCrypt Full Disk is running.
Go to Administration > Configuration > Network Options > TLS/SSL Settings.
In the Connection drop-down menu, select the System/Host API connection pair.
Select [ Edit ] next to Certificates in the User Certificates section.
In the Certificate Authority window, right-click on the System/Host API SSL CA X.509 certificate container and select Import.
Select [ Add ] at the bottom of the Import Certificates window. In the file browser, select both the root CA certificate and the signed System/Host API server certificate, then select [ Open ].
The certificates now display in the Verified section of the Import Certificates window.
Select [ OK ] to save.
Signed Loaded now displays next to Certificates in the User Certificates section of the System/Host API connection pair.
Select [ OK ] again to save.
Perform the following tasks to configure a TLS server certificate for the KMIP server connection pair.
Go to Administration > Configuration > Network Options > TLS/SSL Settings.
Using the Connection drop-down menu, select the KMIP connection pair. Enable the KMIP connection pair if it is not already enabled.
Uncheck Use System/Host API SSL Parameters if it is selected.
In the User Certificates section, uncheck Use Futurex certificates, and select [ Edit ] next to PKI Keys.
In the Application Public Keys window, select [ Generate ] to create a new PKI Key Pair.
In the PKI Parameters window, leave the default settings and select [ OK ].
The Application Public Keys window now shows that the PKI Key Pair is Loaded.
Select [ Request ].
In the Subject DN tab of the Create PKCS #10 Request window, change the Common Name value to the KMES IP address or hostname.
In the V3 Extensions tab, set the profile to TLS Server Certificate.
In the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ].
A message states that the certificate signing request was successfully written to the specified location.
Select [ OK ].
Select [ OK ] in the Application Public Keys window, and select [ OK ] in the main Network Options window.
Go to PKI > Certificate Authorities, right-click on the root CA certificate that issued the Zettaset TLS certificate, and select Add Certificate > From Request.
In the file browser, find and select the KMIP connection pair CSR.
Certificate information populates in the Create X.509 From CSR window.
Leave all settings exactly as they are and select [ OK ] to save.
The signed KMIP server certificate now displays under the root CA certificate that issued it.
For each of the root CA certificate and the signed KMIP connection pair certificate, right-click the certificate and select Export > Certificate(s). In the Export Certificate window, change the encoding to PEM and specify a save location for the file.
Go to Administration > Configuration > Network Options > TLS/SSL Settings.
In the Connection drop-down menu, select the KMIP connection pair.
Select [ Edit ] next to Certificates in the User Certificates section.
In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select Import.
Select [ Add ] at the bottom of the Import Certificates window. In the file browser, select both the root CA certificate and the signed KMIP server certificate and select [ Open ].
The certificates now display in the Verified section of the Import Certificates window.
Select [ OK ] to save.
You now see Signed Loaded next to Certificates in the User Certificates section of the KMIP connection pair.
Select [ OK ] to save.
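The files produced by the PKCS #12 export steps above and by the PEM exports of the System/Host API and KMIP server certificates can be checked on the Zettaset host before the first connection attempt. The POSIX shell helpers below are an added example, not part of the Futurex or Zettaset documentation; the file names, the KMES hostname and the KMIP port 5696 are assumptions.

```shell
#!/bin/sh
# Added post-export checks; not part of the Futurex or Zettaset documentation.
# Assumed file names: zettaset.p12 (PKCS #12 client bundle), kmes-root.pem
# (root CA exported as PEM), kmip-server.pem (KMIP server cert exported as PEM).

# Verify the PKCS #12 client bundle: it must open with the export password,
# contain a private key, carry the clientAuth EKU set by the "TLS Client
# Certificate" profile, and chain to the CA certificates exported with it.
p12_client_check() {
    p12=$1; pw=$2
    # OpenSSL 3 may need '-legacy' here if the bundle uses older PKCS #12 ciphers.
    leaf=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null) || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || return 2
    printf '%s\n' "$leaf" | openssl x509 -noout -text \
        | grep -q 'TLS Web Client Authentication' || return 3
    cas=$(mktemp)
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -cacerts -nokeys 2>/dev/null > "$cas"
    rc=0
    printf '%s\n' "$leaf" | openssl verify -CAfile "$cas" >/dev/null 2>&1 || rc=4
    rm -f "$cas"
    return $rc
}

# Verify a KMES server certificate (System/Host API or KMIP) exported as PEM:
# it must chain to the root CA, carry the serverAuth EKU set by the "TLS Server
# Certificate" profile, and have the KMES IP address or hostname as its CN.
server_cert_check() {
    root=$1; server=$2; kmes_host=$3
    openssl verify -CAfile "$root" "$server" >/dev/null 2>&1 || return 1
    openssl x509 -in "$server" -noout -text | grep -q 'TLS Web Server Authentication' || return 2
    openssl x509 -in "$server" -noout -subject | grep -q "CN *= *$kmes_host" || return 3
}

# Live mutual-TLS probe of the KMIP listener. Port 5696 is the IANA KMIP default,
# an assumption here: use whatever port the KMIP connection pair is set to.
kmip_probe() {
    p12=$1; pw=$2; root=$3; host=$4; port=${5:-5696}
    idf=$(mktemp)
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nodes > "$idf" 2>/dev/null \
        || { rm -f "$idf"; return 1; }
    rc=0
    printf '' | openssl s_client -connect "$host:$port" -CAfile "$root" \
        -cert "$idf" -key "$idf" -verify_return_error >/dev/null 2>&1 || rc=2
    rm -f "$idf"
    return $rc
}
```

Run the first two checks against the exported files; a non-zero return code identifies which property failed (password, key, EKU or chain). The probe only confirms that both sides accept each other's certificates, so run it once the KMIP connection pair is enabled.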