
Configure TLS certificates for the KMIP port on the KMES Series 3

Before KMIP connections can occur between vCenter Server and the KMES, both parties must establish a mutual trust relationship by validating each other's digitally signed certificates.

This section shows how to generate and sign a certificate for the KMIP connection pair on the KMES.

In the next section, while registering the KMES as a Standard Key Provider in the vSphere Client, the KMES presents the TLS certificate configured for the KMIP connection pair. After you accept the presented certificate, vCenter trusts the KMES from then on.

TLS certificates for the vCenter Server will be generated, signed, and registered in a later section.

Create a Certificate Authority (CA)

1. Log in to the application interface with the default Admin users.

2. Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.

3. On the Certificate Authority window, specify a name for the Certificate Container and select [ OK ].

4. Right-click the newly created Certificate Container and select Add Certificate > New Certificate.

5. On the Subject DN tab, change the Preset to Classic, and set a Common Name for the certificate.

6. On the Basic Info tab, change the Major Key to the PMK.

7. On the V3 Extensions tab, set the profile to Certificate Authority and select [ OK ].

The root CA displays under the Certificate Container you created in the Certificate Authorities menu.

Configure TLS certificates for the KMIP connection pair

This section covers the following tasks:

  • Generate a new PKI key pair and CSR.
  • Sign the CSR.
  • Import the signed certificate.

Generate a new PKI key pair and CSR for the KMIP connection pair

1. Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.

2. Select the Connection drop-down menu and select the KMIP connection pair. If it is not already enabled, enable it.

3. Uncheck Use System/Host API SSL Parameters if it is selected.

4. In the User Certificates section, uncheck Use Futurex certificates if it is selected and select [ Edit ] next to PKI keys.

5. In the Application Public Keys window, select [ Generate ].

6. In the PKI Parameters window, leave the settings as default and select [ OK ].

The Application Public Keys window now shows that a PKI Key Pair is Loaded.

7. Select [ Request ].

8. On the Subject DN tab of the Create PKCS #10 Request window, change the Common Name value to the IP of the KMES.

9. On the V3 Extensions tab, set the profile to TLS Server Certificate.

10. On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ].

11. When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].

12. Select [ OK ] in the Application Public Keys window, and select [ OK ] in the main Network Options window.

Sign the KMIP connection pair CSR

1. Go to PKI > Certificate Authorities.

2. Right-click the Root CA certificate and select Add Certificate > From Request.

3. In the file browser, find and select the KMIP connection pair CSR. Certificate information should populate in the Create X.509 From CSR window.

4. After it loads, you don't need to modify any certificate settings. Select [ OK ].

The signed KMIP server certificate displays under the Root CA certificate.

Import the signed KMIP connection pair certificate

1. Go to Administration > Configuration > Network Options and go to the TLS/SSL Settings tab.

2. Select the Connection drop-down menu and select the KMIP connection pair.

3. Select [ Edit ] next to Certificates in the User Certificate section.

4. In the Certificate Authority window, right-click the KMIP SSL CA X.509 Certificate Container and select [ Import ].

5. Select [ Add ] at the bottom of the Import Certificates window.

6. In the file browser, select both the root CA certificate and the signed KMIP server certificate and select [ Open ].

The certificates should now display in the Verified section of the Import Certificates window.

7. Select [ OK ] to save.

Signed loaded now displays next to Certificates in the User Certificates section for the KMIP connection pair.

8. Select [ OK ] to save.