Configure TLS Certificates for the connection between the KMIP client and the KMES Series 3
Before KMIP connections can occur, the KMIP client and the KMES Series 3 must establish a mutual trust relationship by validating each other's digitally signed certificates.
The following sections show how to generate and sign certificates for both the KMIP client and the KMIP server connection pair on the KMES Series 3. The KMIP client and the KMES Series 3 each register both certificates and use them thereafter every time they establish a TCP/IP session secured by TLS.
Perform the following steps to create a CA on the KMES Series 3:
Log in to the application interface with the default Admin identities.
Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
In the Certificate Authority window, enter a name for the certificate container, leave all other fields as the default values, and select [ OK ].
The certificate container you created now displays in the Certificate Authorities menu.
Right-click the certificate container you just created and select Add Certificate > New Certificate.
On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.
On the Basic Info tab, leave all of the default values set.
On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
The root CA certificate now displays under the previously created certificate container.
Choose one of the following methods for generating and signing the KMIP client certificate and perform the related steps:
- Use an external CA
- Use the KMES Series 3 as the CA
You can run the OpenSSL commands in this section from the default terminal application for your operating system.
Generate a private key.
In a terminal, run the following OpenSSL command:
Construct a CSR.
Run the following OpenSSL command to generate a CSR:
Get the CSR signed by an external CA.
Take the CSR file to the external CA. After the CSR is signed, download the signed certificate and the chain of CA certificates that were used to sign it.
Perform the following steps to import the signed KMIP client certificate and chain into a new X.509 Certificate Container on the KMES Series 3:
Go to PKI > Certificate Authorities, and select [ Add CA ].
Give the new X.509 Certificate Container a name, and select [ OK ].
Right-click the certificate container you created, and select Import > Certificate(s).
On the Import Certificates window, select [ Add ].
Select the signed KMIP client certificate and all CA certificates in the certificate chain, and select [ Open ].
All of the certificates display in tree form in the Import Certificates window.
Select [ OK ] to save.
Right-click the Root CA certificate created previously (in Create a certificate authority on the KMES Series 3) and select Add Certificate > New Certificate.
Modify the options on the Subject DN tab as needed.
On the V3 Extensions tab, change the profile to TLS Client Certificate. Then select [ OK ].
The remaining steps in this section involve exporting the KMIP client certificate as a PKCS #12 file. To do this, you must enable a configuration option. Go to Administration > Configuration > Options and select the Allow export of certificates using passwords checkbox. Then, select [ Save ].
Now, right-click the KMIP client certificate and select Export > PKCS12.
In the Export PKCS12 window, set the password by selecting [ Set Password ]. Enter the desired password and select [ Save ].
For export options, select [ Export Selected Certificate with Parents ], set the Cipher Options to AES-256, and select [ Next ].
Browse for the folder in which to save the PKCS12 file on your designated storage medium. Enter a file name and then select [ Open ].
After the PKCS #12 file saves to the specified location, select [ OK ]. This PKCS #12 file contains the signed KMIP client certificate, associated private key, and root certificate, all encrypted under the password that was set for the file.
This section provides instructions for the following tasks:
- Generate a new PKI key pair and CSR for the KMIP connection pair.
- Issue a certificate from the KMIP connection pair CSR.
- Export the root CA and KMIP certificates as PEM files.
- Import the signed KMIP connection pair certificate.
Go to Administration > Configuration > Network Options and select the TLS/SSL Settings tab.
Select the Connection drop-down option and select the KMIP connection pair. If it is not already enabled, enable it.
Uncheck Use System/Host API SSL Parameters if it is selected.
In the User Certificates section, uncheck Use Futurex certificates if it is selected and select [ Edit ] next to PKI keys.
In the Application Public Keys window, select [ Generate ].
In the PKI Parameters window, leave all fields set to the defaults and select [ OK ].
The Application Public Keys window now shows that a PKI Key Pair is Loaded.
Select [ Request ].
On the Subject DN tab of the Create PKCS #10 Request window, change the Common Name value to the IP address of the KMES.
On the V3 Extensions tab, set the profile to TLS Server Certificate.
On the PKCS #10 Info tab, specify a save location and name for the CSR file, and select [ OK ].
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].
Select [ OK ] in the Application Public Keys window, and select [ OK ] in the main Network Options window.
Go to PKI > Certificate Authorities.
Right-click the System TLS CA Root certificate and select Add Certificate > From Request.
In the file browser, select the KMIP connection pair CSR.
Certificate information should populate in the Create X.509 From CSR window.
Leave all settings exactly as they are and select [ OK ] to save.
The signed KMIP server certificate now displays under the System TLS CA Root certificate.
Perform the following steps for both the root CA certificate and the signed KMIP connection pair certificate:
Right-click the certificate and select Export > Certificate(s).
In the Export Certificate window for each, change the encoding to PEM, and specify a save location for the file.
You must copy the root CA certificate to the machine that is running the KMIP application.
Go to Administration > Configuration > Network Options and select the TLS/SSL Settings tab.
Select the Connection drop-down option and select the KMIP connection pair.
Select [ Edit ] next to Certificates in the User Certificate section.
In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container, and select [ Import ].
Select [ Add ] at the bottom of the Import Certificates window.
In the file browser, select both the root CA certificate and the signed KMIP server certificate and select [ Open ].
The certificates should now display in the Verified section of the Import Certificates window.
Select [ OK ] to save.
Signed loaded now displays next to Certificates in the User Certificates section for the KMIP connection pair.
Select [ OK ] to save.