Configure TLS certificates for mutual authentication between MySQL Server and the KMES Series 3
Before KMIP connections between MySQL Server and the KMES Series 3 can occur, both parties must establish a mutual trust relationship by validating their respective digitally signed certificates. This section shows you how to create X.509 certificates for MySQL Server and the KMIP connection pair on the KMES Series 3, which they use for TLS communication.
Use one of the following optional methods for creating the MySQL Server and KMIP connection pair TLS certificates:
- Use an external CA
- Use the KMES Series 3 as the CA
To use an external CA to create the TLS certificates, perform the following tasks:
- Generate a private key pair and create a Certificate Signing Request (CSR) for MySQL Server.
- Create a TLS certificate for the KMIP connection pair on the KMES Series 3.
Perform the following tasks in this section to create the private key and CSR:
- Generate a private key.
- Get the CSR signed.
- Import the certificate and chain onto the KMES Series 3.
In a terminal, run the following OpenSSL command to generate a private key:
Run the following OpenSSL command to generate a CSR, specifying MySQL as the Common Name in the CSR.:
Send the CSR file to the external CA.
After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.
Import the signed MySQL Server certificate and chain into a new X.509 certificate container on the KMES Series 3
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to PKI > Certificate Authorities and select [ Add CA ].
Specify a name for the X.509 certificate container and select [ OK ].
Right-click the new certificate container and select Import > Certificate(s).
In the Import Certificates window, select [ Add ].
Select the signed MySQL Server certificate and all CA certificates in the certificate chain, and select [ Open ].
All of the certificates display in tree form in the Verified section of the Import Certificates window.
Select [ OK ] to save.
To create the TLS certificate, perform the following tasks:
- Generate a private key and create a CSR.
- Get the CSR signed.
- Configure a KMIP connection pair.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
Select the Connection drop-down option and select the KMIP connection pair.
Enable the KMIP connection pair if it is not already enabled.
Uncheck the Use System/Host API SSL Parameters checkbox if it is selected.
In the User Certificates section, select [ Edit ] next to PKI Keys.
In the Application Public Keys window, select [ Generate ].
When prompted that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
In the PKI Parameters window, leave all fields set to the default values and select [ OK ].
The Application Public Keys window now shows that a PKI Key Pair is Loaded.
Select [ Request ].
On the Subject DN tab, select Classic in the Preset drop-down list and specify the hostname or IP address of the KMES in the Common Name field.
On the V3 Extensions tab, set the profile to TLS Server Certificate.
On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ].
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].
Select [ OK ] again in the Application Public Keys window to finish.
Send the CSR file to the external CA.
After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Administration > Configuration > Network Options and select the TLS/SSL Settings tab.
Select the Connection drop-down option and select the KMIP connection pair.
In the User Certificates section, select [ Edit ] next to Certificates.
In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select [ Import ].
In the Import Certificates window, select [ Add ] at the bottom of the window.
In the file browser, select both the root CA certificate and the signed KMIP connection pair certificate and select [ Open ].
The certificates now display in the Verified section of the Import Certificates window.
Select [ OK ] to save.
You now see Signed loaded next to Certificates in the User Certificates section of the Network Options window under the KMIP connection pair.
Select [ OK ] to finish.
To use the KMES as the CA to create the TLS certificates, perform the following tasks:
- Create the CA.
- Create a TLS certificate for MySQL Server.
- Create and configure the TLS certificate for the KMIP connection pair on the KMES Series 3
- Generate a private key pair and create a Certificate Signing Request (CSR) for MySQL Server.
Log in to the KMES Series 3 application interface with the default Admin users.
Go to PKI > Certificate Authorities and select [ Add CA ].
Specify a name for the CA and select [ OK ].
Right-click the new certificate container and select Add Certificate > New Certificate.
Select Classic in the Preset drop-down list, then set Common Name to Root.
On the Basic Info tab, change the Major key to the PMK. Leave all other fields set to the default values.
On the V3 Extensions tab, set Profile to Certificate Authority and select [ OK ] to save.
Perform the following tasks to create the TLS certificate for MySQL Server:
- Generate a private key and construct a CSR for MySQL Server.
- Sign the MySQL Server CSR.
In a terminal, run the following OpenSSL command to generate a private key:
Run the following OpenSSL command to generate a CSR, specifying MySQL as the Common Name in the Certificate Signing Request (CSR).:
Go to PKI > Certificate Authorities.
Right-click the Root CA certificate and select Add Certificate > From Request.
In the file browser, select the MySQL Server CSR.
Certificate information populates in the Create X.509 From CSR window.
Leave all settings exactly as they are and select [ OK ] to save.
The signed MySQL Server certificate now displays under the Root CA certificate in the CA tree.
Perform the following tasks:
- Generate a private key and construct a CSR.
- Sign the KMIP connection pair CSR.
- Export all certificates in the CA tree.
- Configure the KMIP connection pair to use the signed certificate and CA chain.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
Select the Connection drop-down option and select the KMIP connection pair.
Enable the KMIP connection pair if it is not already enabled.
Uncheck the Use System/Host API SSL Parameters checkbox if it is selected.
In the User Certificates section, select [ Edit ] next to PKI Keys.
In the Application Public Keys window, select [ Generate ].
When prompted that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
In the PKI Parameters window, leave all fields set to the default values and select [ OK ].
The Application Public Keys window now shows that a PKI Key Pair is Loaded.
Select [ Request ].
In the Subject DN tab, select Classic from the Preset drop-down list and specify the hostname or IP address of the KMES in Common Name.
On the V3 Extensions tab, set the profile to TLS Server Certificate.
On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ].
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].
Select [ OK ] again in the Application Public Keys window to finish.
Go to PKI > Certificate Authorities.
Right-click the Root CA certificate and select Add Certificate > From Request.
In the file browser, select the KMIP connection pair CSR.
Certificate information populates in the Create X.509 From CSR window.
Leave all settings exactly as they are and select [ OK ] to save.
The signed KMIP connection pair certificate now displays under the Root CA certificate in the CA tree.
Perform the following steps for each certificate in the certificate tree:
Right-click the certificates in the certificate tree and select Export > Certificate(s).
In the Export Certificate window, change the encoding to PEM and specify a save location for the file.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
Select the Connection drop-down option and select the KMIP connection pair.
In the User Certificates section, select [ Edit ] next to Certificates.
In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select [ Import ].
In the Import Certificates window, select [ Add ] at the bottom of the window.
In the file browser, select both the root CA certificate and the signed KMIP connection pair certificate, and select [ Open ].
The certificates now display in the Verified section of the Import Certificates window.
Select [ OK ] to save.
You now see Signed loaded next to Certificates in the User Certificates section of the Network Options window under the KMIP connection pair.
Select [ OK ] to save and finish.