Creating KMIP Client Certificate Bundles
Each client that you want to connect to the KeyControl Vault KMIP server must use a client certificate/key PEM file and, optionally, a server (cacert) certificate PEM file that has been generated by the KMIP server.
From KeyControl Vault version 10.0, you can configure one of the following authentication methods for the client certificate: a user name and password for the certificate, or the certificate name.
You can download an existing certificate bundle at any time. One or more KMIP clients can then use the certificates in the bundle when contacting the KMIP server.
Note: If you are creating a KMIP user account to use with VMware vSphere Encryption, see
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click KMIP.
- On the Settings tab, make sure that the state is set to Enabled. The server must be enabled before you can create certificate bundles.
- Click the Client Certificates tab.
- Select Actions > Create Certificate.
- In the Create a New Client Certificate dialog box, specify the options you want to use. The fields are described below.

Field: User name on the Certificate
Description: To enable KMIP authentication using a user name and password, select the Add Authentication option for the Certificate and enter the user name for the certificate. This is the user name that will be used to authorize this certificate.

Field: User password on the Certificate
Description: To enable KMIP authentication using a user name and password, select the Add Authentication option for the Certificate and enter the user password for the certificate. This is the user password that will be used to authorize this certificate.

Field: Certificate Name
Description: If user name and password authentication is not required, ensure the Add Authentication option for the Certificate is not selected and add a user-defined name for this bundle. If you are going to create multiple KMIP certificate bundles, this name should be descriptive enough that you can tell the certificate bundles apart.
The name must start and end with an alphanumeric character. The only other characters allowed are hyphens (-) and underscores (_). The name cannot be changed after the bundle is created.

Field: Certificate Expiration
Description: The date on which the certificates in the bundle will expire. If the certificates expire, communication between the KeyControl Vault KMIP server and the client will be disrupted until a new certificate bundle is uploaded to the client.

Field: Certificate Signing Request (CSR)
Description: If you want the KMIP server to use an external CSR, click Load File and upload the CSR you want to use. The custom CSR must:
- Be in PKCS#10 format.
- Have a non-empty Common Name.
- If keyUsage is specified, it must include 'digitalSignature'.
If you do not specify an external CSR, KeyControl Vault uses an internally generated CSR to create the certificate.

Field: Certificate Password/Confirm Password
Description: An optional passphrase used to encrypt the certificates in the bundle.
Whether the certificates need to be encrypted depends on the way your security is configured and the type of implementation you are using. Not all third-party KMIP clients can accept encrypted certificates.
For example, if you are integrating KeyControl Vault with VMware vSphere Encryption, you cannot specify a certificate passphrase due to limitations with vSphere.
- Select the certificate bundle you just created.
- Select Actions > Download Certificate. The webGUI downloads <username_datetimestamp>.zip, which contains a user certificate/key file called username.pem and a server certificate file called cacert.pem.
- Upload the certificates on the KMIP client. You can now use standard API calls to interact with the KMIP server.
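The three rules for a custom CSR listed under Certificate Signing Request above can be checked on the workstation before the file is uploaded with Load File. The script below is an added example, not part of the KeyControl documentation; it assumes the openssl command line (1.1.1 or later, for -addext), and the file names and subjects it generates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not KeyControl code): pre-flight check of a custom CSR against
# the three KeyControl requirements (PKCS#10, non-empty CN, keyUsage includes
# digitalSignature when present). Assumes the openssl CLI, 1.1.1 or later.
set -eu

# check_csr <file>: return 0 if the CSR meets all three requirements,
# otherwise print the failing rule and return 1.
check_csr() {
    csr=$1
    # 1. PKCS#10: openssl req parses only PKCS#10 and verifies the self-signature.
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: $csr is not a valid PKCS#10 request"; return 1
    fi
    # 2. Non-empty Common Name (RFC2253 output gives a single 'CN=value').
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    if [ -z "$cn" ]; then
        echo "FAIL: $csr has no or an empty Common Name"; return 1
    fi
    # 3. keyUsage is optional, but if present it must include digitalSignature.
    text=$(openssl req -in "$csr" -noout -text)
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        if ! printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; print }' \
             | grep -q 'Digital Signature'; then
            echo "FAIL: $csr sets keyUsage without digitalSignature"; return 1
        fi
    fi
    echo "OK: $csr (CN=$cn)"
}

# gen_csr <out.csr> <subject> [keyUsage]: constructed sample CSRs for the demo;
# the private key is written unencrypted next to the CSR (demo only).
gen_csr() {
    out=$1; subject=$2; ku=${3:-}
    if [ -n "$ku" ]; then
        openssl req -new -newkey rsa:2048 -nodes -keyout "${out%.csr}.key" \
            -out "$out" -subj "$subject" -addext "keyUsage=$ku" 2>/dev/null
    else
        openssl req -new -newkey rsa:2048 -nodes -keyout "${out%.csr}.key" \
            -out "$out" -subj "$subject" 2>/dev/null
    fi
}

# Demo: one CSR that KeyControl accepts and two that it rejects.
d=$(mktemp -d)
gen_csr "$d/good.csr" "/CN=kmip-client-01" "digitalSignature,keyEncipherment"
gen_csr "$d/no-ds.csr" "/CN=kmip-client-02" "keyEncipherment"
gen_csr "$d/no-cn.csr" "/O=Example Org"
for f in good no-ds no-cn; do check_csr "$d/$f.csr" || true; done
```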