
Configure KMES TLS communication


This section shows users how to set up TLS certificates for the connection between the Venafi TPP instance and the System/Host API connection pair on the KMES Series 3.

To configure communications, perform the following tasks detailed in this section:

  1. Create a CA.
  2. Generate a CSR for the System/Host API connection pair.
  3. Sign the System/Host API CSR.
  4. Export the Root CA certificate.
  5. Export the signed System/Host API certificate.
  6. Load the exported certificates into the System/Host API connection pair.
  7. Issue a client certificate for Venafi TPP.
  8. Export the Venafi certificate as a PKCS #12 file.

Create a Certificate Authority (CA)

  1. Log in to the KMES Series 3 application interface with the default Admin identities.
  2. Go to PKI > Certificate Authorities.
  3. Select [ Add CA ] at the bottom of the page.
  4. In the Certificate Authority window, enter a name for the certificate container, select the Venafi Adaptable CA role in the Owner group drop-down menu, and select [ OK ].

     The certificate container that you just created now displays in the Certificate Authorities menu.
  5. Right-click the certificate container and select Add Certificate > New Certificate.
  6. On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.
  7. On the Basic Info tab, leave the fields set to the default values.
  8. On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].

The root CA certificate now displays under the previously created certificate container.

Generate a CSR for the System/Host API connection pair

  1. Go to Administration > Configuration > Network Options.
  2. In the Network Options window, go to the TLS/SSL Settings tab.
  3. Under the System/Host API connection pair, uncheck the Use Futurex certificates checkbox and then select [ Edit ] next to PKI Keys in the User Certificates section.
  4. In the Application Public Keys window, select [ Generate ].
  5. When warned that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
  6. In the PKI Parameters window, set the Encrypting key to PMK, Key type to RSA, and Key size to 2048. Select [ OK ] to save.

     The Application Public Keys window now shows that a PKI key pair is Loaded.
  7. Select [ Request ].
  8. On the Subject DN tab, you can leave the Common Name set to the default value of System/Host API.
  9. On the V3 Extensions tab, select the TLS Server Certificate profile.
  10. On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
  11. When notified that the certificate signing request was successfully written to the file location that was selected, select [ OK ].
  12. Select [ OK ] again to save the Application Public Keys settings.

      The main Network Options window now shows Loaded next to PKI Keys for the System/Host API connection pair.
  13. Select [ OK ] to save and close the Network Options window.

Sign the System/Host API CSR

  1. Go to PKI > Certificate Authorities.
  2. Right-click the root CA certificate you created for TLS and select Add Certificate > From Request.
  3. In the file browser, select the CSR that you generated for the System/Host API connection pair.
  4. After it loads, don't modify any certificate settings. Select [ OK ].

The signed System/Host API certificate now shows under the root CA certificate on the Certificate Authorities page.

Export the Root CA certificate

  1. Go to PKI > Certificate Authorities.
  2. Right-click the System TLS CA Root certificate and select Export > Certificate(s).
  3. In the Export Certificate window, change the encoding to PEM and select [ Browse ].
  4. In the file browser, navigate to the location where you want to save the Root CA certificate. Specify a name for the file and select [ Open ].
  5. Select [ OK ].

A message box states that the PEM file was successfully written to the location that you specified.

Export the signed System/Host API certificate

  1. Go to PKI > Certificate Authorities.
  2. Right-click the System/Host API TLS certificate and select Export > Certificate(s).
  3. In the Export Certificate window, change the encoding to PEM and select [ Browse ].
  4. In the file browser, navigate to the location where you want to save the System/Host API TLS certificate. Specify a name for the file and select [ Open ].
  5. Select [ OK ].

A message box states that the PEM file was successfully written to the location that you specified.

Load the exported certificates into the System/Host API connection pair

  1. Go to Administration > Configuration > Network Options.
  2. In the Network Options window, go to the TLS/SSL Settings tab.
  3. Under the System/Host API connection pair, select [ Edit ] next to Certificates in the User Certificates section.
  4. Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].
  5. Select [ Add ] at the bottom of the Import Certificates window.
  6. In the file browser, select both the root CA certificate and the signed System/Host API certificate and select [ Open ].
  7. Select [ OK ] to save the changes.

     In the Network Options window, the System/Host API connection pair now shows Signed loaded next to Certificates in the User Certificates section.
  8. Select [ OK ] to save and exit the Network Options window.

Issue a client certificate for Venafi TPP

  1. Go to PKI > Certificate Authorities.
  2. Right-click the System TLS CA Root certificate and select Add Certificate > New Certificate.
  3. On the Subject DN tab, set a Common Name for the certificate, such as Venafi.
  4. Leave all fields on the Basic Info tab set to the default values.
  5. On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ].

The Venafi certificate now displays under the System TLS CA Root certificate.

Export the Venafi certificate as a PKCS #12 file

To perform the following steps, you must go to Administration > Configuration > Options and enable the Allow export of certificates using passwords option.

  1. Go to PKI > Certificate Authorities.
  2. Right-click the Venafi certificate and select Export > PKCS12.
  3. Select the Export Selected option, specify a unique name for the export file, and select [ Next ].
  4. Enter a file password of your choice and select [ Next ].
  5. Select [ Finish ] to initiate the export.
  6. Move both the Venafi PKCS #12 file and the Root CA certificate that you exported in the Export the Root CA certificate section to the computer that runs the Venafi TPP instance.

A later section shows you how to configure and use them for TLS communication with the KMES Series 3.
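Before the exported files are moved to the TPP host, the openssl CLI can confirm that they are what the procedure above should have produced. The script below is an added example, not code from the Futurex or Venafi documentation: it checks that the exported System/Host API certificate chains to the exported root CA with a server-authentication Extended Key Usage, that the PKCS #12 file opens with its password and holds a client-authentication certificate from the same root, and it builds a constructed stand-in PKI with the same Common Names so the checks can be exercised offline. The file names (tls_ca_root.pem, system_host_api.pem, venafi.p12), the password changeit, and the assumption that the KMES TLS Server and TLS Client Certificate profiles set the matching EKU values are all assumptions.

```shell
#!/bin/sh
# Added example, not from the Futurex or Venafi documentation. Checks the PEM and
# PKCS #12 files exported from the KMES before they go to the TPP host. Needs the
# openssl CLI (1.1.1 or later for "x509 -ext"); file names are assumptions.

# Verify that a leaf chains to the exported root CA and that its Extended Key Usage
# contains the expected purpose (assumed to match the KMES TLS Server/Client profiles).
check_cert() {  # check_cert ROOT_PEM LEAF_PEM PURPOSE_STRING
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$3"
}

# Verify that a PKCS #12 file opens with its password and that the client
# certificate inside chains to the root CA with a client-auth EKU.
check_p12() {  # check_p12 P12_FILE PASSWORD ROOT_PEM
  tmp=$(mktemp) || return 1
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$tmp" 2>/dev/null &&
     check_cert "$3" "$tmp" "TLS Web Client Authentication"; then
    rm -f "$tmp"; return 0
  fi
  rm -f "$tmp"; return 1
}

# Constructed stand-in for the KMES export (same Common Names and profiles as
# the procedure above) so the checks can be exercised offline.
issue_leaf() {  # issue_leaf DIR NAME SUBJECT EKU
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/tls_ca_root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 365 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

make_demo_pki() {  # make_demo_pki DIR   (the password "changeit" is a constructed value)
  mkdir -p "$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=System TLS CA Root" \
    -keyout "$1/root.key" -out "$1/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/root.ext"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 365 \
    -extfile "$1/root.ext" -out "$1/tls_ca_root.pem" 2>/dev/null
  issue_leaf "$1" system_host_api '/CN=System\/Host API' serverAuth
  issue_leaf "$1" venafi '/CN=Venafi' clientAuth
  openssl pkcs12 -export -in "$1/venafi.pem" -inkey "$1/venafi.key" \
    -certfile "$1/tls_ca_root.pem" -passout pass:changeit -out "$1/venafi.p12"
}

if [ "${1-}" = demo ]; then  # sh check_exports.sh demo
  d=$(mktemp -d) && make_demo_pki "$d" &&
  check_cert "$d/tls_ca_root.pem" "$d/system_host_api.pem" "TLS Web Server Authentication" &&
  check_p12 "$d/venafi.p12" changeit "$d/tls_ca_root.pem" && echo "exported chain checks out"
fi
```

Against the real exports, call check_cert with the exported root and System/Host API PEM files and check_p12 with the PKCS #12 file and the password chosen during export; a failed chain or a missing EKU means the wrong profile or the wrong CA was used when the certificate was issued.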