MySQL Enterprise TDE
# Configure TLS certificates for mutual authentication between MySQL Server and the KMES Series 3
Before KMIP connections between MySQL Server and the {{k3}} can occur, both parties must establish a mutual trust relationship by validating each other's digitally signed certificates. This section shows you how to create the X.509 certificates for MySQL Server and for the KMIP connection pair on the {{k3}}, which the two sides use for TLS communication.

## Create the X.509 certificates for TLS mutual authentication

Use one of the following methods to create the MySQL Server and KMIP connection pair TLS certificates:

- Method 1: Use an external CA
- Method 2: Use the {{k3}} as the CA

## Method 1: Use an external CA

To use an external CA to create the TLS certificates, perform the following tasks:

1. Generate a private key pair and create a certificate signing request (CSR) for MySQL Server.
2. Create a TLS certificate for the KMIP connection pair on the KMES Series 3.

### Generate a private key and CSR for MySQL Server

Perform the following tasks to create the private key and CSR for MySQL Server:

1. Generate a private key.
2. Get the CSR signed.
3. Import the certificate and chain onto the KMES Series 3.

#### Generate a private key

1. In a terminal, run the following OpenSSL command to generate a private key:

   ```
   openssl genpkey -algorithm RSA -out key.pem
   ```

2. Run the following OpenSSL command to generate a CSR, specifying `mysql` as the Common Name in the CSR:

   ```
   openssl req -new -key key.pem -out client.csr
   ```

#### Get the CSR signed

Perform the following steps to get the CSR signed by an external CA:

1. Send the CSR file to the external CA.
2. After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.

#### Import the certificate

Perform the following steps to import the signed MySQL Server certificate and chain into a new X.509 certificate container on the {{k3}}:

1. Log in to the {{k3}} application interface with the default Admin identities.
2. Go to PKI > Certificate Authorities and select \[ Add CA ].
3. Specify a name for the X.509 certificate container and select \[ OK ].
4. Right-click the new certificate container and select Import > Certificate(s).
5. In the Import Certificates window, select \[ Add ].
6. Select the signed MySQL Server certificate and all CA certificates in the certificate chain, and select \[ Open ]. All of the certificates display in tree form in the Verified section of the Import Certificates window.
7. Select \[ OK ] to save.

### Create a TLS certificate for the KMIP connection pair on the {{k3}}

To create the TLS certificate, perform the following tasks:

1. Generate a private key and create a CSR.
2. Get the CSR signed.
3. Configure the KMIP connection pair.

#### Generate a private key and CSR

Perform the following steps to generate a private key and construct a CSR:

1. Log in to the {{k3}} application interface with the default Admin identities.
2. Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
3. Select the Connection drop-down option and select the KMIP connection pair.
4. Enable the KMIP connection pair if it is not already enabled.
5. Uncheck the Use System/Host API SSL Parameters checkbox if it is selected.
6. In the User Certificates section, select \[ Edit ] next to PKI Keys.
7. In the Application Public Keys window, select \[ Generate ].
8. When prompted that SSL will not be functional until new certificates are imported, select \[ Yes ] to continue.
9. In the PKI Parameters window, leave all fields set to the default values and select \[ OK ]. The Application Public Keys window now shows that a PKI key pair is loaded.
10. Select \[ Request ].
11. On the Subject DN tab, select Classic in the Preset drop-down list and specify the hostname or IP address of the KMES in the Common Name field.
12. On the V3 Extensions tab, set the Profile to TLS Server Certificate.
13. On the PKCS #10 Info tab, specify a save location and name for the CSR file and select \[ OK ].
14. When prompted that the certificate signing request was successfully written to the specified location, select \[ OK ].
15. Select \[ OK ] again in the Application Public Keys window to finish.

#### Get the CSR signed

Perform the following steps to get the CSR signed by an external CA:

1. Send the CSR file to the external CA.
2. After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.

#### Configure the KMIP connection pair

Perform the following steps to configure the KMIP connection pair to use the signed certificate and CA chain:

1. Log in to the {{k3}} application interface with the default Admin identities.
2. Go to Administration > Configuration > Network Options and select the TLS/SSL Settings tab.
3. Select the Connection drop-down option and select the KMIP connection pair.
4. In the User Certificates section, select \[ Edit ] next to Certificates.
5. In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select \[ Import ].
6. In the Import Certificates window, select \[ Add ] at the bottom of the window.
7. In the file browser, select both the root CA certificate and the signed KMIP connection pair certificate, and select \[ Open ]. The certificates now display in the Verified section of the Import Certificates window.
8. Select \[ OK ] to save. You now see Signed Loaded next to Certificates in the User Certificates section of the Network Options window under the KMIP connection pair.
9. Select \[ OK ] to finish.

## Method 2: Use the {{k3}} as the CA

To use the {{k3}} as the CA to create the TLS certificates, perform the following tasks:

1. Create the CA.
2. Create a TLS certificate for MySQL Server (generate a private key pair and a CSR for MySQL Server, then sign it).
3. Create and configure the TLS certificate for the KMIP connection pair on the {{k3}}.

### Create the CA

Perform the following steps to create the CA:

1. Log in to the {{k3}} application interface with the default Admin users.
2. Go to PKI > Certificate Authorities and select \[ Add CA ].
3. Specify a name for the CA and select \[ OK ].
4. Right-click the new certificate container and select Add Certificate > New Certificate.
5. Select Classic in the Preset drop-down list, then set Common Name to `root`.
6. On the Basic Info tab, change the Major Key to the PMK. Leave all other fields set to the default values.
7. On the V3 Extensions tab, set Profile to Certificate Authority and select \[ OK ] to save.

### Create the TLS certificate for MySQL Server

Perform the following tasks to create the TLS certificate for MySQL Server:

1. Generate a private key and construct a CSR for MySQL Server.
2. Sign the MySQL Server CSR.

#### Generate a private key and CSR

Perform the following steps to generate a private key and construct a CSR for MySQL Server:

1. In a terminal, run the following OpenSSL command to generate a private key:

   ```
   openssl genpkey -algorithm RSA -out key.pem
   ```

2. Run the following OpenSSL command to generate a CSR, specifying `mysql` as the Common Name in the certificate signing request (CSR):

   ```
   openssl req -new -key key.pem -out client.csr
   ```

#### Sign the CSR

Perform the following steps to sign the MySQL Server CSR:

1. Go to PKI > Certificate Authorities.
2. Right-click the root CA certificate and select Add Certificate > From Request.
3. In the file browser, select the MySQL Server CSR. The certificate information populates in the Create X.509 From CSR window.
4. Leave all settings exactly as they are and select \[ OK ] to save. The signed MySQL Server certificate now displays under the root CA certificate in the CA tree.

### Create and configure the certificate for the KMIP connection pair

Perform the following tasks to create and configure the TLS certificate for the KMIP connection pair on the {{k3}}:

1. Generate a private key and construct a CSR.
2. Sign the KMIP connection pair CSR.
3. Export all certificates in the CA tree.
4. Configure the KMIP connection pair to use the signed certificate and CA chain.

#### Generate a private key and a CSR

Perform the following steps to generate a private key and construct a CSR:

1. Log in to the {{k3}} application interface with the default Admin identities.
2. Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
3. Select the Connection drop-down option and select the KMIP connection pair.
4. Enable the KMIP connection pair if it is not already enabled.
5. Uncheck the Use System/Host API SSL Parameters checkbox if it is selected.
6. In the User Certificates section, select \[ Edit ] next to PKI Keys.
7. In the Application Public Keys window, select \[ Generate ].
8. When prompted that SSL will not be functional until new certificates are imported, select \[ Yes ] to continue.
9. In the PKI Parameters window, leave all fields set to the default values and select \[ OK ]. The Application Public Keys window now shows that a PKI key pair is loaded.
10. Select \[ Request ].
11. On the Subject DN tab, select Classic in the Preset drop-down list and specify the hostname or IP address of the KMES in the Common Name field.
12. On the V3 Extensions tab, set the Profile to TLS Server Certificate.
13. On the PKCS #10 Info tab, specify a save location and name for the CSR file and select \[ OK ].
14. When prompted that the certificate signing request was successfully written to the specified location, select \[ OK ].
15. Select \[ OK ] again in the Application Public Keys window to finish.

#### Sign the CSR

Perform the following steps to sign the KMIP connection pair CSR:

1. Go to PKI > Certificate Authorities.
2. Right-click the root CA certificate and select Add Certificate > From Request.
3. In the file browser, select the KMIP connection pair CSR. The certificate information populates in the Create X.509 From CSR window.
4. Leave all settings exactly as they are and select \[ OK ] to save. The signed KMIP connection pair certificate now displays under the root CA certificate in the CA tree.

#### Export all certificates

Perform the following steps to export each certificate in the certificate tree:

1. Right-click the certificates in the certificate tree and select Export > Certificate(s).
2. In the Export Certificate window, change the encoding to PEM and specify a save location for the file.

#### Configure the connection pair

Perform the following steps to configure the KMIP connection pair to use the signed certificate and CA chain:

1. Log in to the {{k3}} application interface with the default Admin identities.
2. Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.
3. Select the Connection drop-down option and select the KMIP connection pair.
4. In the User Certificates section, select \[ Edit ] next to Certificates.
5. In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select \[ Import ].
6. In the Import Certificates window, select \[ Add ] at the bottom of the window.
7. In the file browser, select both the root CA certificate and the signed KMIP connection pair certificate, and select \[ Open ]. The certificates now display in the Verified section of the Import Certificates window.
8. Select \[ OK ] to save. You now see Signed Loaded next to Certificates in the User Certificates section of the Network Options window under the KMIP connection pair.
9. Select \[ OK ] to save and finish.
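As an added example (not part of this guide and not Futurex code), the following POSIX shell script runs the MySQL Server key and CSR steps above non-interactively with the Common Name set to `mysql`, uses a throwaway local OpenSSL CA in place of the KMES root CA of Method 2 purely for demonstration, signs the CSR, and then runs the checks worth doing on any signed certificate before importing it into a KMES certificate container: the private key matches the certificate, the issued subject is the expected one, and the leaf chains to the trusted CA. The scratch directory, the demo CA and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the Futurex guide): generate the MySQL Server
# key and CSR non-interactively with CN=mysql, stand up a throwaway local CA
# that plays the role of the KMES root CA from Method 2, sign the CSR, and
# run the checks worth doing on a signed certificate before importing it.
set -eu

# Scratch directory; an assumption for the demo, not a path from the guide.
WORK="${WORK:-$(mktemp -d)}"

# Guide step: private key and CSR for MySQL Server with Common Name "mysql".
make_mysql_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl req -new -key "$WORK/key.pem" -subj "/CN=mysql" \
        -out "$WORK/client.csr" 2>/dev/null
}

# Throwaway root CA standing in for the KMES "root" CA created under
# PKI > Certificate Authorities in Method 2 (demo only).
make_demo_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=root" -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Local counterpart of "Add Certificate > From Request": sign the MySQL CSR.
sign_mysql_csr() {
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/mysql.pem" 2>/dev/null
}

# Pre-import check 1: the signed certificate carries our private key's public half.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/key.pem" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/mysql.pem" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Pre-import check 2: the subject the CA issued is the one MySQL will present.
cert_subject() {
    openssl x509 -in "$WORK/mysql.pem" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Pre-import check 3: the leaf chains to the CA that the KMES will trust.
chain_verifies() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/mysql.pem" >/dev/null 2>&1
}
```

Run `make_mysql_csr; make_demo_root_ca; sign_mysql_csr` and then the three check functions; with an external CA (Method 1), skip the demo CA and point `chain_verifies` at the downloaded CA chain instead.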