# Configure TLS certificates for the KMIP port on the KMES Series 3
Before KMIP connections can occur between vCenter Server and the {{k3}}, both parties must establish a mutual trust relationship by validating each other's digitally signed certificates. This section shows how to generate and sign a certificate for the KMIP connection pair on the {{k3}}. In the next section, while registering the {{k}} as a Standard Key Provider in the vSphere Client, the KMES presents the TLS certificate configured for the KMIP connection pair; after you accept the presented certificate, vCenter trusts the {{k}} going forward. Generating, signing, and registering TLS certificates for the vCenter Server side of the trust is covered in a later section.

## Create a CA

Perform the following steps to create a Certificate Authority (CA):

1. Log in to the {{k3}} application interface with the default Admin user.
2. Go to PKI > Certificate Authorities and select \[ Add CA ] at the bottom of the page.
3. In the Certificate Authority window, specify a name for the certificate container and select \[ OK ].
4. Right-click the newly created certificate container and select Add Certificate > New Certificate.
5. On the Subject DN tab, change the preset to Classic and set a Common Name for the certificate.
6. On the Basic Info tab, change the major key to the PMK.
7. On the V3 Extensions tab, set the profile to Certificate Authority and select \[ OK ].

The root CA displays under the certificate container you created in the Certificate Authorities menu.

## Configure TLS certificates for the KMIP connection pair

This section covers the following tasks:

- Generate a new PKI key pair and CSR
- Sign the CSR
- Import the certificate

### Generate a key pair and CSR

Perform the following steps to generate a new PKI key pair and CSR for the KMIP connection pair:

1. Go to Administration > Configuration > Network Options and open the TLS/SSL Settings tab.
2. From the Connection drop-down menu, select the KMIP connection pair. If it is not already enabled, enable it.
3. Uncheck Use System/Host API SSL Parameters if it is selected.
4. In the User Certificates section, uncheck Use Futurex Certificates if it is selected, then select \[ Edit ] next to PKI Keys.
5. In the Application Public Keys window, select \[ Generate ].
6. In the PKI Parameters window, leave the settings at their defaults and select \[ OK ]. The Application Public Keys window now shows that a PKI key pair is loaded.
7. Select \[ Request ].
8. On the Subject DN tab of the Create PKCS #10 Request window, set the Common Name value to the IP address of the KMES.
9. On the V3 Extensions tab, set the profile to TLS Server Certificate.
10. On the PKCS #10 Info tab, specify a save location and file name for the CSR and select \[ OK ].
11. When prompted that the certificate signing request was successfully written to the specified location, select \[ OK ].
12. Select \[ OK ] in the Application Public Keys window, then select \[ OK ] in the main Network Options window.

### Sign the CSR

Perform the following steps to sign the KMIP connection pair CSR:

1. Go to PKI > Certificate Authorities.
2. Right-click the root CA certificate and select Add Certificate > From Request.
3. In the file browser, find and select the KMIP connection pair CSR.
4. Once it loads, the certificate information populates the Create X.509 From CSR window. You do not need to modify any certificate settings; select \[ OK ].

The signed KMIP server certificate displays under the root CA certificate.

### Import the certificate

Perform the following steps to import the signed KMIP connection pair certificate:

1. Go to Administration > Configuration > Network Options and open the TLS/SSL Settings tab.
2. From the Connection drop-down menu, select the KMIP connection pair.
3. Select \[ Edit ] next to Certificates in the User Certificates section.
4. In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select \[ Import ].
5. Select \[ Add ] at the bottom of the Import Certificates window.
6. In the file browser, select both the root CA certificate and the signed KMIP server certificate, then select \[ Open ]. The certificates now display in the Verified section of the Import Certificates window.
7. Select \[ OK ] to save. The User Certificates section for the KMIP connection pair now shows Signed Loaded next to Certificates.
8. Select \[ OK ] to save.