Configure TLS Certificates for the connection between the KMIP client and the KMES Series 3

before kmip connections can occur, the kmip client and {{k3}} must establish a mutual trust relationship by validating their respective digitally signed certificates the following sections show how to generate and sign certificates for both the kmip client and the kmip server connection pair on the {{k3}} the kmip client and the {{k}} register both certificates and use them thereafter each time they establish a tcp/ip session secured by tls create a ca perform the following steps to create a certificate authority (ca) log in to the {{k3}} application interface with the default admin identities go to pki > certificate authorities and select \[ add ca ] at the bottom of the page in the certificate authority window, enter a name for the certificate container, leave all other fields as the default values, and select \[ ok ] the certificate container you created displays now in the certificate authorities menu right click the certificate container you just created and select add certificate > new certificate on the subject dn tab, set a common name for the certificate, such as system tls ca root on the basic info tab, leave all of the default values set on the v3 extensions tab, select the certificate authority profile and select \[ ok ] the root ca certificate now displays under the previously created certificate container generate and sign the kmip client certificate choose one of the following optional methods for generating and signing the kmip client certificate and perform the related steps use an external ca (get and import the certificate) use the {{k3}} as the ca use an external ca step 1 get the certificate you can run the openssl commands in this section from the default terminal application for your operating system generate a private key in a terminal, run the following openssl command openssl genrsa out ssl client privatekey pem 2048 construct a csr run the following openssl command to generate a csr openssl req new key ssl client privatekey pem out ssl client cert req pem days 365 get the csr signed by an external ca take the csr file to the external ca after the csr is signed, download the signed certificate and the chain of ca certificates that were used to sign it use an external ca step 2 import the signed kmip client certificate perform the following steps to import the signed kmip client certificate and chain in a new x 509 certificate container on the {{k3}} go to pki > certificate authorities , and select \[ add ca ] give the new x 509 certificate container a name, and select \[ ok ] right click the certificate container you created, and select import > certificate(s) on the import certificates window, select \[ add ] select the signed kmip client certificate and all ca certificates in the certificate chain, and select \[ open ] all of the certificates display in tree form in the import certificates window select \[ ok ] to save use the {{k3}} as the ca perform the following steps to use the {{k3}} as the ca right click the root ca certificate created previously (in create a certificate authority on the kmes series 3 ) and select add certificate > new certificate modify the options on the subject dn tab as needed on the v3 extensions tab, change the profile to tls client certificate then select \[ ok ] the remaining steps in this section involve exporting the kmip client certificate as a pkcs #12 file to do this, you must enable a configuration option go to administration > configuration > options and select the allow export of certificates using passwords checkbox then, select \[ save ] now, right click the kmip client certificate and select export > pkcs12 in the export pkcs12 window, set the password by selecting \[ set password ] enter the desired password and select \[ save ] for export options, select \[ export selected certificate with parents ], set the cipher options to aes 256 , and select \[ next ] browse for the folder in which to save the pkcs12 file on your designated storage medium enter a file name and then select \[ open ] after the pkcs #12 file saves to the specified location, select \[ ok ] this pkcs #12 file contains the signed kmip client certificate, associated private key, and root certificate, all encrypted under the password that was set for the file configure tls certificates for the kmip server connection pair this section provides instructions for the following tasks generate a new pki key pair and csr for the kmip connection pair issue a certificate from the kmip connection pair csr export the root ca and kmip certificates as pem files import the signed kmip connection pair certificate generate a key pair and csr perform the following steps to generate a new pki key pair and csr for the kmip connection pair go to administration > configuration > network options and go to the tls/ssl settings tab select the connection drop down option and select the kmip connection pair if it is not already enabled, enable it uncheck use system/host api ssl parameters if it is selected in the user certificates section, uncheck use futurex certificates if it is selected and select \[ edit ] next to pki keys in the application public keys window, select \[ generate ] in the pki parameters window, leave all fields set to the defaults and select \[ ok ] the application public keys window now shows that a pki key pair is loaded select \[ request ] on the subject dn tab of the create pkcs #10 request window, change the common name value to the ip address of the {{k}} on the v3 extensions tab, set the profile to tls server certificate on the pkcs #10 info tab, specify a save location and name for the csr file, and select \[ ok ] when prompted that the certificate signing request was successfully written to the specified location, select \[ ok ] select \[ ok ] in the application public keys window, and select \[ ok ] in the main network options window issue a certificate perform the following steps to issue a certificate from the kmip connection pair csr go to pki > certificate authorities right click the system tls root ca certificate and select add certificate > from request in the file browser, select the kmip connection pair csr certificate information should populate in the create x 509 from csr window leave all settings exactly as they are and select \[ ok ] to save the signed kmip server certificate now displays under the system tls ca root certificate export the certificates perform the following steps to export the root ca certificate and the signed kmip connection pair certificates as pem files right click the certificate and select export > certificate(s) in the export certificate window for each, change the encoding to pem , and specify a save location for the file you must copy the root ca certificate to the machine that is running the kmip application import the connection pair certificate perform the following steps to import the signed kmip connection pair certificate go to administration > configuration > network options and select the tls/ssl settings tab select the connection drop down option and select the kmip connection pair select \[ edit ] next to certificates in the user certificate section in the certificate authority window, right click the kmip ssl ca x 509 certificate container, and select \[ import ] select \[ add ] at the bottom of the import certificates window in the file browser, select both the root ca certificate and the signed kmip server certificate and select \[ open ] the certificates should now display in the verified section of the import certificates window select \[ ok ] to save it now shows signed loaded next to certificates in the user certificates section for the kmip connection pair select \[ ok ] to save