
Import TLS certificates into TrueNAS and configure KMIP


This section shows how to import the TrueNAS TLS certificate created in the previous section into TrueNAS, along with the CA certificate that issued the TLS certificates for both TrueNAS and the KMIP server connection pair on the .

Before doing so, you must extract the certificates and private key from the PKCS #12 file exported from by using OpenSSL.

Extract the PKCS #12 File

1. Open a terminal application with OpenSSL installed.

2. Go to the directory where the PKCS #12 file is saved.

3. Run the following OpenSSL command to extract the certificates and private key from the PKCS #12 file and save them to a new file:

Shell


When prompted, enter the password that was specified when you exported the PKCS #12 file from the .

4. Open the output file (for example, tree.pem) to view the TrueNAS certificate, its associated private key, and the CA certificate that issued both the TrueNAS certificate and the KMIP server connection pair certificate. Then, copy and paste them into the TrueNAS web interface in the next section.
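The extraction steps above can also be done so that each piece lands in its own file and is checked before it is pasted into TrueNAS. The following is an added example, not the vendor's command: the function names and output file names are hypothetical, and the PKCS #12 password is assumed to be in the exported environment variable P12_PASS instead of being typed at a prompt.

```shell
#!/usr/bin/env bash
# Added example: split a PKCS #12 bundle into the three PEM pieces that are
# pasted into TrueNAS, then check that they belong together.
# Assumptions: output file names are hypothetical; the export password is
# read from the exported environment variable P12_PASS.

# split_p12 <bundle.p12> <out_dir>
split_p12() {
    local p12=$1 out=$2
    [ -n "${P12_PASS:-}" ] || { echo "export P12_PASS first" >&2; return 1; }
    mkdir -p "$out" || return 1
    # Private key, written unencrypted (-nodes) because the TrueNAS import
    # leaves Passphrase empty; umask keeps the file owner-readable only.
    ( umask 077
      openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes |
          openssl pkey -out "$out/truenas.key" ) || return 1
    # Leaf certificate that matches the private key.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys |
        openssl x509 -out "$out/truenas.crt" || return 1
    # Issuing CA certificate(s), with the "Bag Attributes" text stripped.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$out/ca.crt"
    [ -s "$out/ca.crt" ] || { echo "no CA certificate in bundle" >&2; return 1; }
}

# check_pieces <out_dir>: succeed only if the key matches the certificate
# and the certificate chains to the extracted CA.
check_pieces() {
    local dir=$1 cert_pub key_pub
    cert_pub=$(openssl x509 -in "$dir/truenas.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/truenas.key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate" >&2; return 1; }
    openssl verify -CAfile "$dir/ca.crt" "$dir/truenas.crt" >/dev/null
}
```

Run `split_p12 bundle.p12 out && check_pieces out`, then delete `out/truenas.key` once the certificate has been imported, since the key is stored unencrypted.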

Import the CA certificate

1. Log in to the TrueNAS web interface.

2. Go to System > CAs and select [ ADD ].

3. In the Type drop-down menu, select Import CA.

4. Enter a memorable name for the CA, and paste the CA certificate extracted from the PKCS #12 file into the Certificate field.

5. Leave the Private Key and Passphrase fields empty, and select [ SUBMIT ].

Import the TrueNAS certificate

1. Log in to the TrueNAS web interface.

2. Go to System > Certificates and select [ ADD ].

3. In the Type drop-down menu, select Import Certificate.

4. Enter a memorable name for the certificate, and paste the TrueNAS certificate and private key extracted from the PKCS #12 file into the appropriate fields.

5. Leave the Passphrase field empty and select [ SUBMIT ].

Configure KMIP in TrueNAS

1. Log in to the TrueNAS web interface.

2. Go to System > KMIP to complete the configuration.

3. Enter the IP address or hostname and the default KMIP connection port, 5696. Select the Certificate and Certificate Authority imported in the previous section. To check that the Certificate and CA chain is correct, check the Validate Connection box and select [ SAVE ].

4. After you verify the certificate chain, choose the encryption values, SED passwords, or ZFS data pool encryption keys to move to the KMES Series 3. Set Enabled to begin moving the passwords and keys immediately after selecting [ SAVE ].

5. Refresh the KMIP page to see the current KMIP Key Status. You should see Synced displayed.

To cancel a pending key synchronization, set Force Clear and select [ SAVE ].