Configure TLS certificates for mutual authentication between HashiCorp Vault and the KMES Series 3
Before secure connections between HashiCorp Vault and the KMES Series 3 can occur, both parties must establish a mutual trust relationship by validating their respective digitally signed certificates. This section describes how to create X.509 certificates for HashiCorp Vault and the Vault Client connection pair on the KMES Series 3, necessary for TLS communication.
You can use the following optional methods to create the HashiCorp Vault and Vault Client connection pair TLS certificates:
- Use an external CA
- Use the KMES Series 3 as the CA
To use an external CA, you must complete the following tasks:
- Create TLS certificate for Vault.
- Import the certificate and chain to the KMES Series 3.
- Create a TLS certificate for the Vault connection pair on the KMES Series 3.
The following sections show you how to perform these tasks:
The HashiCorp Vault client certificate must use the V3 extension TLS Server Authentication.
Generate a private key by running the following OpenSSL command in a terminal:
Generate a Certificate Signing Request (CSR) by running the following OpenSSL command:
Specify the IP address or hostname of the HashiCorp Vault server as the Common Name in the Certificate Signing Request (CSR).
Get an External CA to sign the CSR by sending the CSR file to the external CA.
After the CSR is signed, download the signed certificate and the chain of CA certificates used to sign it.
Import the Signed HashiCorp Vault certificate and Chain into a new X.509 Certificate Container on the KMES Series 3
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to PKI > Certificate Authorities and select [ Add CA ].
Specify a name for the X.509 certificate container and select [ OK ].
Right-click the new certificate container and select Import > Certificate(s).
In the Import Certificates window, select [ Add ].
Select the signed HashiCorp Vault certificate and all CA certificates in the certificate chain, and select [ Open ].
All of the certificates should display in tree form in the Verified section of the Import Certificates window.
Select [ OK ] to save.
To create the TLS certificate for the connection pair, complete the following tasks:
- Generate a private key and CSR for the connection pair.
- Get the external CA to sign the CSR.
- Configure the connection pair to use the signed certificate.
The following sections show you how to perform these tasks:
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Administration > Configuration > Network Options. On the TLS/SSL Settings tab, select the Vault Client connection pair from the Connection drop-down menu.
Enable the Vault client connection pair if it is not already enabled.
Uncheck Use System/Host API SSL Parameters if it is selected.
In the User Certificates section, select [ Edit ] next to PKI Keys.
In the Application Public Keys window, select [ Generate ].
When warned that SSL will not be functional until new certificates are installed, select [ Yes ] to continue.
In the PKI Parameters window, leave all fields set to the default values and select [ OK ].
The Application Public Keys window now shows Loaded.
In the Application Public Keys window, select [ Request ].
On the Subject DN tab, change the Preset drop-down option to Classic and specify the IP address or Hostname of the KMES in the Common Name field.
On the V3 Extensions tab, set the profile to TLS Client Certificate.
On the PKCS #10 Info tab, specify a save location and name for the CSR file, and select [ OK ].
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].
Select [ OK ] again to save the Application Public Keys settings.
Take the CSR file to the external CA. After the CSR is signed, download the signed certificate and the chain of CA certificates used to sign it.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Administration > Configuration > Network Options. On the TLS/SSL Settings tab, select Vault Client from the Connection drop-down menu.
In the User Certificates section, select [ Edit ] next to Certificates.
In the Certificate Authority window, right-click on the Vault Client SSL CA X.509 certificate container, and select [ Import ].
In the Import Certificates window, select [ Add ].
In the file browser, select both the root CA certificate and the signed Vault Client connection pair certificate, and select [ Open ].
The certificates should now display in the Verified section of the Import Certificates window.
Select [ OK ].
The User Certificates section now shows Signed Loaded next to Certificates.
Select [ OK ] to save.
To use the KMES as the CA, you must complete the following tasks:
- Create the CA.
- Create a TLS certificate for the Vault.
- Create and configure the TLS certificate for the Vault client connection pair.
The following sections show you how to perform these tasks:
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to PKI > Certificate Authorities and select [ Add CA ].
Specify a name for the CA and select [ OK ].
The new certificate container now displays in the Certificate Authorities window.
Right-click the new certificate container and select Add Certificate > New Certificate.
Change the Preset drop-down option to Classic and set the Common Name value to Root.
On the Basic Info tab, change the Major Key to the PMK. Leave all other fields set to the default values.
On the V3 Extensions tab, set the Profile to Certificate Authority and select [ OK ].
The Root certificate now displays under the Certificate Container you created.
To create the TLS certificate, you must perform the following steps:
- Generate a private key and CSR.
- Sign the CSR.
The following sections show you how to perform these tasks:
In a terminal, run the following OpenSSL command to generate a private key.
In a terminal, run the following OpenSSL command to generate a CSR, specifying the IP address or hostname of the HashiCorp Vault server as the Common Name:
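The two OpenSSL steps above (and the identical key and CSR steps in the external CA procedure earlier on this page) as an added example; this is not Futurex's own command set. It generates the Vault private key and a CSR whose Common Name is the Vault address, and adds two checks worth running before a certificate is imported into the KMES: that the CSR carries the intended CN, and that the signed certificate came back with the expected Extended Key Usage. File names, the sample hostname and the VAULT_HOST variable are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Futurex page: generate the HashiCorp Vault
# private key and CSR with OpenSSL and inspect the results before the CSR
# goes to the CA (external or KMES). File names and hostnames are constructed.
set -eu

# gen_vault_csr HOST OUTDIR
# Writes OUTDIR/vault.key (RSA 2048, readable only by the owner) and
# OUTDIR/vault.csr with CN=HOST, as the page instructs. A matching
# subjectAltName is added because TLS clients match the name against SAN.
# -addext needs OpenSSL 1.1.1 or newer (assumption: that is installed).
gen_vault_csr() {
    host=$1
    outdir=$2
    mkdir -p "$outdir"
    (umask 077; openssl genrsa -out "$outdir/vault.key" 2048 2>/dev/null)
    case $host in
        *[!0-9.]*) san="DNS:$host" ;;   # hostname
        *)         san="IP:$host"  ;;   # dotted IPv4 literal
    esac
    openssl req -new -key "$outdir/vault.key" -out "$outdir/vault.csr" \
        -subj "/CN=$host" -addext "subjectAltName=$san"
}

# csr_cn CSRFILE: print the Common Name of a CSR so it can be compared with
# the Vault address before the CSR is submitted for signing.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=CN=\(.*\)$/\1/p'
}

# cert_eku CERTFILE: print the Extended Key Usage of a signed certificate.
# The Vault certificate should show "TLS Web Server Authentication" and
# the KMES Vault Client certificate "TLS Web Client Authentication";
# anything else means the wrong V3 profile was applied when signing.
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}

# Stand-alone use: VAULT_HOST=vault.example.internal sh thisfile.sh
if [ -n "${VAULT_HOST:-}" ]; then
    gen_vault_csr "$VAULT_HOST" ./vault-tls
    echo "CSR written for CN=$(csr_cn ./vault-tls/vault.csr)"
fi
```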
Go to PKI > Certificate Authorities.
Right-click the Root CA certificate you created and select Add Certificate > From Request.
In the file browser, select the HashiCorp Vault CSR.
Certificate information populates in the Create X.509 From CSR window.
On the V3 Extensions tab, set the profile to TLS Server Certificate and select [ OK ] to save.
The signed HashiCorp Vault certificate should display now under the Root CA certificate in the CA tree.
To create and configure the TLS certificate, you must complete the following tasks:
- Generate a private key and construct a CSR.
- Sign the CSR.
- Export the certificates in the CA tree and add them to the Vault client connection pair.
The following sections show you how to perform these tasks:
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Administration > Configuration > Network Options. On the TLS/SSL Settings tab, select the Vault Client connection pair from the Connection drop-down menu.
Enable the Vault Client connection pair if it is not already enabled.
Uncheck Use System/Host API SSL Parameters if it is selected.
In the User Certificates section, select [ Edit ] next to PKI Keys.
In the Application Public Keys window, select [ Generate ].
When warned that SSL will not be functional until new certificates are installed, select [ Yes ] to continue.
In the PKI Parameters window, leave all fields set to the default values and select [ OK ].
The Application Public Keys window now shows Loaded.
In the Application Public Keys window, select [ Request ].
On the Subject DN tab, change the Preset drop-down option to Classic and specify the IP address or Hostname of the KMES in the Common Name field.
On the V3 Extensions tab, set the profile to TLS Client Certificate.
On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ].
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].
Select [ OK ] again to save the Application Public Keys settings.
Go to PKI > Certificate Authorities.
Right-click the Root CA certificate you created and select Add Certificate > From Request.
In the file browser, select the Vault Client connection pair CSR.
Certificate information populates in the Create X.509 From CSR window.
Leave all settings set to the defaults and select [ OK ] to save.
The signed Vault Client connection pair certificate now displays under the Root CA certificate in the CA tree.
To export the certificates, right-click each certificate in the certificate tree and select Export > Certificate(s). In the Export Certificate dialog for each of them, change the encoding to PEM, and specify a save location for the file.
Then, perform the following instructions to import them to the Vault client connection pair:
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Administration > Configuration > Network Options. On the TLS/SSL Settings tab, select Vault Client from the Connection drop-down menu.
In the User Certificates section, select [ Edit ] next to Certificates.
In the Certificate Authority window, right-click on the Vault Client SSL CA X.509 certificate container and select [ Import ].
In the Import Certificates window, select [ Add ].
In the file browser, select both the root CA certificate and the signed Vault Client connection pair certificate, and select [ Open ].
The certificates should now display in the Verified section of the Import Certificates window.
Select [ OK ].
The User Certificates section now shows Signed Loaded next to Certificates.
Select [ OK ] to save.