Configure KMES Series 3
This section covers general configurations on the KMES Series 3 to enable SignTool to integrate with the KMES by using the Futurex CNG library. Then, it shows you how to configure TLS communication between the System/Host API port on the KMES and the Futurex CNG library.
Perform the following tasks to configure the KMES Series 3 for communication with SignTool:
- Create a SignTool role with the required permissions.
- Create a SignTool identity with the correct assigned roles.
- Enable Host API commands.
- Create a signing approval group.
- Export the code signing certificate.
- Export the CA certificate that issued the code signing certificate.
- Apply an issuance policy to the code signing certificate.
The following sections show you how to complete these tasks.
Create a SignTool role

1. Log in to the KMES Series 3 with the default Admin identities.
2. Go to Identity Management > Roles and select [ Add ].
3. On the Info tab, set the Type to Application, set a name for the role such as SignTool, and set Logins Required to 1.
4. On the Permissions tab, enable the following permissions:

   | Permission | Subpermission |
   |---|---|
   | Certificate Authority | Export, Upload |
   | Keys | Add |

5. On the Advanced tab, set Allowed Ports to Host API only.
6. Select [ OK ] to finish creating the role.
Create a SignTool identity

1. Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.
2. On the Info tab, set the Storage type to Application and set a name for the identity, such as SignTool.
3. On the Assigned Roles tab, select the SignTool role you just created.
4. On the Authentication tab, remove the default API Key mechanism, add the Password authentication mechanism, and configure a password.
5. Select [ OK ] to finish creating the identity.

A later section shows how to configure the SignTool identity in the fxpkcs11.cfg file to enable the Futurex PKCS #11 library to connect to the KMES Series 3.
Enable Host API commands

Because the Futurex CNG library connects to the Host API port on the KMES, you must define which Host API commands to enable for the FXCNG library. To set the enabled commands, complete the following steps:

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to Administration > Configuration > Host API Options and enable the following commands:

   | Command | Description |
   |---|---|
   | ECHO | Communication Test/Retrieve Version |
   | RAFA | Filter Issuance Policy |
   | RAGA | Retrieve Issuance Policy |
   | RAGO | Retrieve Request (Hash Signing) |
   | RAUO | Upload Request (Hash Signing) |
   | RAGZ | Retrieve Request (Authenticode) |
   | RAUZ | Upload Request (Authenticode) |
   | RAGJ | Retrieve Request (Jar Signing) |
   | RAUJ | Upload Request (Jar Signing) |
   | RKCP | Get Command Permissions |
   | RKLN | Lookup Objects |
   | RKLO | Login User |
   | RKRK | Retrieve Generated Keys |

3. Select [ Save ] to finish.
Create a signing approval group

1. Go to PKI > Signing Workflow and select [ Add Approval Group ] at the bottom of the page.
2. Set a name for the Approval Group, such as SignTool, and select [ OK ] to save.
3. Right-click the SignTool approval group and select [ Permission ].
4. Give the SignTool role the Use permission and select [ OK ] to save.
Issue a code signing certificate

This section describes three different methods that you can use to issue a code signing certificate.

Method 1: Issue the certificate from a CA created on the KMES

1. Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
2. In the Certificate Authority window, enter a Name for the certificate container, such as SignTool. Set the Owner field to the SignTool role and select [ OK ].
3. Right-click the SignTool certificate container and select Add Certificate > New Certificate.
4. On the Subject DN tab, set a Common Name for the certificate, such as Root.
5. On the Basic Info tab, leave the fields set to the default values.
6. On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
   The Root CA certificate now displays under the SignTool certificate container.
7. Right-click the Root CA certificate you created and select Add Certificate > New Certificate.
8. On the Subject DN tab, set a Common Name for the certificate, such as Code Signing.
9. On the V3 Extensions tab, select the Code Signing Certificate profile and select [ OK ].
   The code signing certificate now displays under the Root CA certificate in the SignTool certificate container.
Method 2: Issue the certificate from an external CA

For this method, you must import the external CA certificates into an empty certificate container on the KMES. Then, generate a Certificate Signing Request (CSR), which the external CA uses to issue a code signing certificate. Finally, import the code signing certificate into the certificate container on the KMES that contains the external CA certificate.

1. Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
2. In the Certificate Authority window, enter a Name for the certificate container, such as SignTool. Set the Owner field to the SignTool role and select [ OK ].
3. Right-click the SignTool certificate container and select Import > Certificates.
4. In the Import Certificates window, select [ Add ], and select the external CA certificates for issuing the code signing certificate.
   The CA certificates display in the Verified section of the Import Certificates window.
5. Select [ OK ] to save.
   The external CA certificates now display in tree form under the SignTool certificate container.
6. To create a placeholder code signing certificate, from which you can generate a CSR, right-click the lowest-level CA certificate in the tree and select Add Certificate > Pending.
7. On the Subject DN tab of the Create X.509 Certificate window, set a Common Name for the certificate, such as Code Signing.
8. On the V3 Extensions tab, select the code signing certificate profile.
9. Select [ OK ].
   The placeholder code signing certificate now displays under the external CA certificates.
10. Right-click the placeholder code signing certificate and select Export > Signing Request.
11. On the Subject DN tab of the Create PKCS #10 Request window, leave all fields set to the default values.
12. On the V3 Extensions tab, select the code signing certificate profile.
13. On the PKCS #10 Info tab, specify a save location for the CSR and select [ OK ].
    A message box states that the certificate signing request was successfully written to the location you specified.
14. Send the CSR file to an external certificate authority (CA). Using the CSR, the external CA issues a code signing certificate.
15. After the external CA issues the code signing certificate, copy it to the storage medium you configured on the KMES.
16. In the Certificate Authorities menu on the KMES, right-click the placeholder code signing certificate and select Replace > With Signed Certificate.
17. In the Import Certificates window, select [ Add ], and select the externally signed code signing certificate in the file browser.
    The code signing certificate displays under the CA certificates in the Verified section of the Import Certificates window.
18. Select [ OK ] to save.
Method 3: Import an existing certificate and key from a PKCS #12 file

To perform the steps in this section, you must first go to Administration > Configuration > Options and enable the Allow import of certificates using passwords option.

1. Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
2. In the Certificate Authority window, enter a Name for the certificate container, such as Imported. Set the Owner field to the SignTool role and select [ OK ].
3. Right-click the Imported certificate container and select Import > PKCS12.
4. In the Import PKCS12 window, select the PKCS #12 file to import and select [ Next ].
5. Enter the file password and select [ Next ].
6. Select [ Finish ] to initiate the import.
Export the code signing certificate

Perform the following steps to export the code signing certificate, regardless of which of the preceding methods you used to create it:

1. Go to PKI > Certificate Authorities.
2. Right-click the code signing certificate you configured in the previous section and select Export > Certificate(s).
3. Change the encoding to PEM and select [ Browse ]. Specify the location where you want to save the file.
4. Select [ OK ] to initiate the export.
Export the CA certificate that issued the code signing certificate

Perform the following steps to export the CA certificate, regardless of which method you used to create it:

1. Go to PKI > Certificate Authorities.
2. Right-click the CA certificate that issued the code signing certificate and select Export > Certificate(s).
3. Change the encoding to PEM and select [ Browse ]. Specify the location where you want to save the file.
4. Select [ OK ] to initiate the export.
5. Repeat steps 1-4 for any additional CA certificates in the certificate tree (if applicable).
Apply an issuance policy to the code signing certificate

1. Go to PKI > Certificate Authorities.
2. Right-click the code signing certificate and select Issuance Policy > Add.
3. On the Basic Info tab, set Approvals to 0 to allow anonymous signing (no approver has to release each signing request), and select the hashes that you want to allow.
4. On the X.509 tab, set the Default approval group to SignTool.
5. On the Object Signing tab, select the Allow object signing checkbox.
6. Select [ OK ] to apply the issuance policy to the SignTool code signing certificate.
Configure TLS communication between the KMES Series 3 and the Futurex CNG library

Perform the following tasks to configure TLS communication between the KMES Series 3 and the FXCL CNG library:
- Create a Certificate Authority.
- Generate a CSR for the System/Host API connection pair.
- Sign the System/Host API CSR.
- Export the Root CA and the signed System/Host API TLS certificate.
- Load the exported certificates into the System/Host API connection pair.
- Generate a signed client certificate for SignTool and FXCNG.
- Allow export of certificates using passwords.
- Export the signed SignTool certificate as a PKCS #12 file.
The following sections describe how to perform these tasks.
Create a Certificate Authority

1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.
3. In the Certificate Authority window, enter a Name for the certificate container, leave all other fields set to the default values, and select [ OK ].
   The new certificate container now displays in the Certificate Authorities menu.
4. Right-click the certificate container and select Add Certificate > New Certificate.
5. On the Subject DN tab, set a Common Name for the certificate, such as System TLS CA Root.
6. On the Basic Info tab, leave the fields set to the default values.
7. On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].
   The root CA certificate now displays under the certificate container you created.
Generate a CSR for the System/Host API connection pair

1. Go to Administration > Configuration > Network Options.
2. In the Network Options window, select the TLS/SSL Settings tab.
3. Under the System/Host API connection pair, clear the Use Futurex certificates checkbox and select [ Edit ] next to PKI keys in the User Certificates section.
4. In the Application Public Keys window, select [ Generate ].
5. When warned that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.
6. In the PKI Parameters window, leave the default settings and select [ OK ].
   The Application Public Keys window now shows that a PKI Key Pair is loaded.
7. Select [ Request ].
8. On the Subject DN tab, you can leave the default System/Host API value in the Common Name field or change it to a different value.
9. On the V3 Extensions tab, select the TLS Server Certificate profile.
10. On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].
    The main Network Options window now shows Loaded next to PKI keys.
Sign the System/Host API CSR

1. Go to PKI > Certificate Authorities.
2. Right-click the root CA certificate you created and select Add Certificate > From Request.
3. In the file browser, select the CSR that you generated for the System/Host API connection pair.
4. After it loads, do not modify any settings for the certificate. Select [ OK ].
   The signed System/Host API certificate now displays under the root CA certificate on the Certificate Authorities page.
Export the Root CA and the signed System/Host API TLS certificate

1. Right-click the root CA certificate and select Export > Certificate(s).
2. Change the encoding to PEM and select [ Browse ]. Specify a save location and name for the export file.
3. When prompted that the file was successfully written to the selected location, select [ OK ].
4. Right-click the signed System/Host API certificate and select Export > Certificate(s).
5. Change the encoding to PEM and select [ Browse ]. Specify a save location and name for the export file.
6. When prompted that the file was successfully written to the selected location, select [ OK ].
Load the exported certificates into the System/Host API connection pair

1. Go to Administration > Configuration > Network Options.
2. In the Network Options window, go to the TLS/SSL Settings tab.
3. Select [ Edit ] next to Certificates in the User Certificates section.
4. Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].
5. Select [ Add ] at the bottom of the Import Certificates window.
6. In the file browser, select both the root CA certificate and the signed System/Host API certificate, and select [ Open ].
7. Select [ OK ] to save the changes.
   In the Network Options window, the System/Host API connection pair now shows Signed loaded next to Certificates in the User Certificates section.
8. Select [ OK ] to save and exit the Network Options window.
Generate a signed client certificate for SignTool and FXCNG

1. Go to PKI > Certificate Authorities.
2. Right-click the root CA certificate and select Add Certificate > New Certificate.
3. On the Subject DN tab, set a Common Name for the certificate, such as SignTool.
4. Leave all fields on the Basic Info tab set to the default values.
5. On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ].
   The signed SignTool certificate now displays under the root CA certificate.
Allow export of certificates using passwords

1. Go to Administration > Configuration > Options.
2. Select the checkbox next to the second menu option, Allow export of certificates using passwords.
3. Select [ Save ].
Export the signed SignTool certificate as a PKCS #12 file

1. Go to PKI > Certificate Authorities.
2. Right-click the signed SignTool client certificate and select Export > PKCS12.
3. Select [ Set Password ], enter a password for the PKCS #12 file, and select [ Save ].
4. In the Export Certificate window, select Export Selected Certificate under Export Options and select [ Next ].
5. Specify a name for the PKCS #12 export file and select [ Open ].
   A message box states that the PKCS #12 certificate export was successful.
Move the SignTool PKCS #12 file and the exported System TLS CA Root certificate to the computer that uses the Microsoft SignTool application.
A later section shows you how to configure them in the Futurex CNG configuration file and use them for TLS communication with the KMES Series 3.