Go to PKI > Certificate Authorities and select [ Add CA ] at the bottom of the page.

In the Certificate Authority window, enter a name for the certificate container, leave all other fields set to the default values, and select [ OK ].

Right-click the certificate container and select Add Certificate > New Certificate.

On the Subject DN tab, change the Preset drop-down option to Classic and specify a Common Name for the certificate, such as System TLS CA Root.

On the Basic Info tab, leave all fields set to the default values.

On the V3 Extensions tab, select the Certificate Authority profile and select [ OK ].

Go to Administration > Configuration > Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Under the System/Host API connection pair, uncheck theUse Futurex certificates checkbox and select [ Edit ] next to PKI keys in the User Certificates section.

In the Application Public Keys window, select [ Generate ].

When warned that SSL will not be functional until new certificates are imported, select [ Yes ] to continue.

In the PKI Parameters window, leave the fields set to the default values set and select [ OK ].

Select [ Request ].

On the Subject DN tab, set a Common Name for the certificate, such as KMES.

On the V3 Extensions tab, select the TLS Server Certificate profile.

On the PKCS #10 Info tab, select a save location for the CSR and select [ OK ].

When prompted that the certificate signing request was successfully written to the file location that was selected, select [ OK ].

Select [ OK ] again to save the Application Public Keys settings.

Select [ OK ] to save.

Go to PKI > Certificate Authorities.

Right-click the root CA certificate you created and select Add Certificate > From Request.

In the file browser, select the CSR that you generated for the System/Host API connection pair.

Agter it loads, you don't need to modify any settings for the certificate. Select [ OK ].

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate and select Export > Certificate(s).

In the Export Certificate window, change the encoding to PEM and select [ Browse ].

In the file browser, go to the location where you want to save the root CA certificate. Specify a unique name for the file, such as root_cert.pem and select [ Open ].

Select [ OK ].

Move the root CA certificate to the computer where the Microsoft SQL Server instance is running.

A later section shows you how to configure and use it for TLS communication with the KMES Series 3.

Right-click the KMES certificate and select Export > Certificate(s).

In the Export Certificate window, change the encoding to PEM and select [ Browse ].

In the file browser, go to the location where you want to save the signed System/Host API certificate. Specify a unique name for the file, such as signed_kmes_cert.pem, and select [ Open ].

Select [ OK ].

Go to Administration > Configuration > Network Options.

In the Network Options window, go to the TLS/SSL Settings tab.

Select [ Edit ] next to Certificates in the User Certificates section.

Right-click the System/Host API SSL CA X.509 certificate container and select [ Import ].

Select [ Add ] at the bottom of the Import Certificates window.

In the file browser, select both the root CA certificate and the signed System/Host API certificate, and select [ Open ]. Select [ OK ] to save the changes.

Select [ OK ] to save and exit the Network Options window.

Go to PKI > Certificate Authorities.

Right-click the System TLS CA Root certificate and select Add Certificate > From Request.

In the file browser, select the Microsoft SQL Server CSR file and select [ Open ].

On the Subject DN and Basic Info tabs, leave all fields set to the values that auto-populate from the CSR.

On the V3 Extensions tab, select the TLS Client Certificate profile and select [ OK ].

Go to PKI > Certificate Authorities.

Right-click the SqlServer certificate and select Export > Certificate(s).

In the Export Certificate window, change the encoding to PEM and select [ Browse ].

In the file browser, go to the location where you want to save the signed Microsoft SQL Server certificate. Specify a name for the file and select [ Open ].

Select [ OK ].

Move the signed Microsoft SQL Server certificate to the computer where the SQL Server instance is running.

A later section shows you how to configure and use it for TLS communication with the KMES Series 3.

Go to Identity Management > Roles and select [ Add ].

On the Info tab of the Role Editor window, specify a Name for the role and change the number of logins required to 1. Leave all other fields set to the default values.

On the Permissions tab, select the following permissions:

On the Advanced tab, set Allowed Ports to only Host API. Leave the other fields set to the default values.

Select [ OK ] to finish creating the role.

Go to Identity Management > Identities, right-click anywhere in the window, and select Add > Client Application.

On the Info tab, specify SqlServer in the Name field. Leave all other fields set to the default values.

On the Assigned Roles tab, select the Microsoft SQL Server role.

On the Authentication tab, select [ Add ].

In the Configure Credential window, select Password in the Type drop-down list. Select [ Change ], set a password for the credential, and select [ Save ].

Select [ OK ] to finish configuring the password credential.

Remove the default API Key mechanism, leaving only the Password credential, and select [ OK ] to save.

Go to Administration > Configuration > Host API Options and enable the following commands:

Select [ Save ].

Go to PKI > Certificate Authorities.

Right-click the CA container you created in the Create a Certificate Authority (CA) section and select [ Permission ].

Grant the Microsoft SQL Server role the Use permission, select Apply to children recursively, and select [ OK ] to save.