Certificate Authority
Venafi Adaptable CA

Configure general KMES Series 3 settings

This section shows you the configurations to make on the KMES Series 3 so that Venafi TPP can integrate with it through the Adaptable CA functionality.

To configure the KMES, perform the following tasks, detailed in this section:

  1. Enable the required Host API commands.
  2. Create KMES credentials for Venafi TPP.
  3. Create a signing approval group.
  4. Create an issuing CA.
  5. Add an issuance policy.
  6. Allow user-defined extensions for X.509 Extension Profiles (optional).

Enable the required Host API commands

Because Venafi TPP connects to the Host API port on the KMES, you must define which Host API commands are enabled. Enable only the commands listed below; leaving the remaining commands disabled limits what an identity that authenticates to the Host API port can do. To set the allowed commands, complete the following steps:

1

Log in to the KMES Series 3 application interface with the default Admin identities.

2

Go to Administration > Configuration > Host API Options and enable the following commands:

Command   Description
RAGX      Retrieve Request (X.509 CSR)
RASX      Manipulate Signed Request
RAUX      Upload Request (X.509 CSR)
RAYX      Approve Requests
RKLO      Login User
RKRK      Retrieve Generated Keys


3

Select [ Save ] to finish.

Create KMES credentials for Venafi TPP

Venafi TPP supports two options for user credential management. The single-user role option establishes one user per issuance policy that is permitted to submit certificate issuance requests, approve or deny requests, and revoke certificates. The dual-user role option establishes two users per issuance policy: one permitted only to submit certificate issuance requests, and one permitted only to approve or deny issuance requests and revoke issued certificates.

For a greater degree of administrative separation and adherence to the principle of least privilege, we recommend the dual-user method, so that no single KMES identity can both submit and approve a request.

Role and identity creation: Single-user role option

Perform the following steps to set up a single-user role to control certificate requests, approval, and revocation.

1

Log in to the KMES Series 3 application interface with the default Admin identities.

2

Go to Identity Management > Roles and select [ Add ] at the bottom of the page.

3

On the Info tab of the Role Editor window, specify a name for the role and set the number of logins required to 1.

4

On the Permissions tab, enable the following permissions:

Permission              Subpermission
Certificate Authority   Export, Upload
Signing Approval        Approve

5

On the Advanced tab, allow authentication to the Host API port only.

6

Select [ OK ] to finish creating the role.

7

Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.

8

On the Info tab of the Identity Editor window, select Application for the storage location and specify a name for the identity.

9

On the Assigned Roles tab, select the role you just created.

10

On the Authentication tab, remove the default API Key mechanism, add the Password authentication mechanism, and configure it.

11

Select [ OK ] to finish creating the identity.

Role and identity creation: Dual-user role option (recommended)

Perform the following steps to set up a dual-user role to control certificate requests, approval, and revocation. One user is solely responsible for submitting certificate issuance requests, while the other is solely responsible for approving, rejecting, and revoking certificates.

1

Log in to the KMES Series 3 application interface with the default Admin identities.

2

Go to Identity Management > Roles and select [ Add ] at the bottom of the window.

3

On the Info tab of the Role Editor window, specify a name for the role and set the number of logins required to 1.

4

On the Permissions tab, enable the following permissions:

Permission              Subpermission
Certificate Authority   Export, Upload

5

On the Advanced tab, allow authentication to the Host API port only.

6

Select [ OK ] to finish creating the role.

7

Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.

8

On the Info tab of the Identity Editor window, select Application for the storage location, and specify a name for the identity.

9

On the Assigned Roles tab, select the role you just created.

10

On the Authentication tab, remove the default API Key authentication mechanism, add the Password authentication mechanism, and configure it.

11

Select [ OK ] to finish creating the identity.

12

Use the preceding steps to configure a second role and identity, but on the Permissions tab enable only the Approve subpermission under the Signing Approval permission category instead of the Certificate Authority permissions.

Create a signing approval group

To enable certificate signing approval workflows on the KMES Series 3, perform the following steps to create a signing approval group:

1

Log in to the KMES Series 3 application interface with the default Admin identities.

2

Go to PKI > Signing Workflow.

3

Select [ Add Approval Group ].

4

Specify a name for the approval group and select [ OK ] to save.

5

Right-click the newly-created approval group and select [ Permission ].

6

Grant the Use permission to the role you created for Venafi TPP in the previous section (referred to in this guide as the Venafi Adaptable CA role) and select [ OK ] to save.

Remember the group name, because you use it when configuring the Adaptable CA driver in a later section of this guide.

Create an issuing CA

Perform the following steps to create an issuing CA certificate tree on the KMES Series 3:

1

Log in to the KMES Series 3 application interface with the default Admin identities.

2

Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.

3

In the Certificate Authority window, enter a name for the certificate container, select the Venafi Adaptable CA role in the Owner group drop-down menu, and select [ OK ].

4

Right-click the certificate container and select Add Certificate > New Certificate.

5

On the Subject DN tab, set a Common Name for the certificate, such as RootCA.

6

On the Basic Info tab, leave the fields set to the default values.

7

On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ] to create the certificate.

8

Right-click the root CA certificate and select Add Certificate > New Certificate.

9

On the Subject DN tab, set a Common Name for the certificate, such as IssuingCA.

10

On the Basic Info tab, leave the default values set.

11

On the V3 Extensions tab, select the Certificate Authority profile, then select [ OK ] to create the certificate.

The root and issuing CA certificates now appear in the Venafi Adaptable CA certificate container.

Add an issuance policy

Perform the following steps to attach an issuance policy to the issuing CA certificate:

1

Log in to the KMES Series 3 application interface with the default Admin identities.

2

Go to PKI > Certificate Authorities.

3

Right-click the issuing CA certificate and select Issuance Policy > Add.

4

On the Basic Info tab of the Issuance Policy window, set an alias for the issuance policy (optional), set the desired number of approvals required for certificate requests, and set the hashes that you want to allow.

5

On the X.509 tab, perform the following actions:

  • Select the Allow CSR uploads checkbox.
  • Set the Default approval group to the approval group you created.
  • If you set the number of required approvals to 0, you must select the Allow self approval checkbox. Otherwise, leave it unchecked.
  • Add at least one Extension Profile.

6

If you set the number of approvals required to 0, you must set the Anonymous Signing security usage on the issuing CA certificate. To do so, right-click the issuing CA certificate and select Change Security Usage. Then, in the drop-down menu, select Anonymous Signing and select [ OK ] to save the changes. Note that a policy with 0 required approvals issues a certificate as soon as the submitting identity uploads a CSR, which removes the separate approval step that the dual-user option is meant to provide.

7

Select [ OK ] to save the issuance policy.

Allow user-defined extensions for X.509 Extension Profiles (optional)

If you want to allow users to define Subject Alternate Names (SANs) or other custom X.509 v3 extensions in Venafi TPP when requesting certificates, choose one of the following options. With the first option the SANs come from the uploaded CSR; with the second they are fixed in the extension profile and applied to every certificate issued under it.

Enable the Allow User-Defined Extensions option for the X.509 extension profile

Perform the following steps to enable the Allow User-Defined Extensions option for the X.509 v3 extension profiles you plan to use with Venafi Adaptable CA:

1

Log in to the KMES Series 3 application interface with the default Admin identities.

2

Go to PKI > X.509 Extensions.

3

Right-click the X.509 v3 extension profile you want to modify and select [ Edit ].

4

Select the Allow User-Defined Extensions checkbox.

5

Select [ OK ] to save changes.

Add Subject Alternate Names (SANs) to the X.509 extension profile

Perform the following steps to add Subject Alternate Names (SANs) to the X.509 v3 extension profiles you plan to use with Venafi Adaptable CA:

1

Log in to the KMES Series 3 application interface with the default Admin identities.

2

Go to PKI > X.509 Extensions.

3

Right-click the X.509 v3 extension profile you want to modify and select [ Edit ].

4

Select [ Add ], select the Subject Alternate Name extension type in the drop-down menu, and select [ OK ].

5

Add at least one subject alternate name entry and select [ OK ].

6

Select [ OK ] to save changes.
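The following Go program is an added example, not part of this guide or of any Futurex or Venafi software. It stands in for the configuration above so you can see what the resulting certificates must look like: it builds a RootCA and IssuingCA with the constraints the Certificate Authority extension profile carries, issues a leaf from an uploaded CSR under a policy that either honours the requester's SANs (Allow User-Defined Extensions) or applies SANs fixed in the profile, and then runs the chain check you would apply to certificates exported from the KMES. The hostname app.example.test, the serial numbers and the profileSANs parameter are assumptions made for the example; keys are generated in-process here, whereas in a real deployment they stay inside the KMES.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed two-tier tree (RootCA -> IssuingCA -> leaf) standing in
// for the container described above. Keys stay in this process only for the
// example; a real deployment keeps them inside the KMES.
type Chain struct{ Root, Issuing, Leaf *x509.Certificate }

// newCA builds a CA certificate with the constraints the Certificate Authority
// V3 extension profile carries (basicConstraints CA:TRUE, keyCertSign).
// parent == nil yields a self-signed root.
func newCA(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // assumed serials for the example
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueFromCSR models the issuance policy with "Allow CSR uploads" set: subject
// and public key come from the CSR, SANs fixed in the extension profile are
// always added, and the requester's own SANs are copied only when the profile
// allows user-defined extensions.
func issueFromCSR(csrDER []byte, issuing *x509.Certificate, issuingKey *ecdsa.PrivateKey, allowUserDefined bool, profileSANs []string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err } // proof of possession
	sans := append([]string(nil), profileSANs...)
	if allowUserDefined { sans = append(sans, csr.DNSNames...) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1000),
		Subject:               csr.Subject,
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // end-entity certificate: CA:FALSE
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuing, csr.PublicKey, issuingKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// BuildChain creates RootCA and IssuingCA, then issues one leaf for a CSR that
// requests the assumed SAN app.example.test.
func BuildChain(allowUserDefined bool, profileSANs []string) (*Chain, error) {
	root, rootKey, err := newCA("RootCA", 1, nil, nil)
	if err != nil { return nil, err }
	issuing, issuingKey, err := newCA("IssuingCA", 2, root, rootKey)
	if err != nil { return nil, err }
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "app.example.test"},
		DNSNames: []string{"app.example.test"},
	}, leafKey)
	if err != nil { return nil, err }
	leaf, err := issueFromCSR(csrDER, issuing, issuingKey, allowUserDefined, profileSANs)
	if err != nil { return nil, err }
	return &Chain{Root: root, Issuing: issuing, Leaf: leaf}, nil
}

// VerifyChain is the check to run against certificates exported from the KMES:
// the issuing CA must carry CA constraints and chain to the root, and the leaf
// must validate for the hostname it will serve.
func VerifyChain(c *Chain, hostname string) error {
	if !c.Issuing.IsCA || !c.Issuing.BasicConstraintsValid {
		return fmt.Errorf("issuing CA lacks basicConstraints CA:TRUE")
	}
	if err := c.Issuing.CheckSignatureFrom(c.Root); err != nil {
		return fmt.Errorf("issuing CA not signed by root: %w", err)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Issuing)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname})
	return err
}

func main() {
	for _, allow := range []bool{true, false} {
		c, err := BuildChain(allow, nil)
		if err != nil { panic(err) }
		fmt.Printf("user-defined SANs allowed=%v: verify=%v\n", allow, VerifyChain(c, "app.example.test"))
	}
}
```

Running it shows the practical effect of the optional section: with user-defined extensions allowed, the leaf carries the SAN from the CSR and validates for app.example.test; with neither option configured, the CA strips the requested SAN and hostname validation fails even though the Common Name matches, because modern verifiers ignore the CN.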