Establishing a Trusted Connection with a vSphere7-Generated CSR
The following procedure describes how to generate a Certificate Signing Request (CSR) in vCenter and then use that CSR to create a certificate bundle on the Entrust KMIP server. The KMIP certificate can then be uploaded to vSphere to establish a trusted connection between vCenter and the Entrust KMIP server.
You can also establish a trusted connection using a KeyControl-generated CSR. For details, see Establishing a Trusted Connection with a KeyControl-Generated CSR.
- Use the following VMware documentation to configure the KMS cluster:
- Use the following VMware documentation to establish trust: Establish a Standard Key Provider Trusted Connection by Exchanging Certificates

  Note: Ensure that you select the option "New Certificate Signing Request". Continue to follow the VMware procedures until you reach the point where it says "Follow the instructions from your KMS vendor to submit the CSR".
- Log in to the KeyControl Vault for KMIP webGUI.
- From the KeyControl Vault for KMIP webGUI, select Security > Client Certificates.
- On the Client Certificates tab, click the + icon in the top right corner to create a new client certificate.
- In the Create Client Certificate dialogue, specify the options you want to use and click Create.

  | Field | Description |
  |---|---|
  | Certificate Name | A user-defined name for this bundle. If you are going to create multiple KMIP certificate bundles, this name should be descriptive enough that you can tell the certificate bundles apart. The name can only contain letters, numbers, dashes, periods, underscores, and spaces, and cannot be changed after the bundle is created. |
  | Certificate Expiration | The date on which the certificates in the bundle will expire. If the certificates expire, communication between the KeyControl KMIP server and the client will be disrupted until a new certificate bundle is uploaded to the client. |
  | Certificate Signing Request (CSR) | To use an external CSR, click Load File and upload the file that you just obtained from vSphere. |
  | Certificate Password/Confirm Password | If you have selected Encrypt Certificate Bundle, provide a passphrase to encrypt the certificates in the bundle. Whether the certificates need to be encrypted depends on the way your security is configured and the type of implementation you are using. Not all third-party KMIP clients can accept encrypted certificates. For example, if you are integrating KeyControl with VMware vSphere Encryption, you cannot specify a certificate passphrase due to limitations with vSphere. |
- Select the certificate bundle you just created.
- Click the Download button in the top right corner to download the certificate bundle.

  The webGUI downloads <certname_datetimestamp>.zip, which contains a user certificate/key file called <certname>.pem and a server certificate file called cacert.pem.
- Unzip the file so that you have the <certname>.pem file available to upload into vCenter. In the example above the certificate file would be named KMIPvSphereCert.pem.
- Return to vCenter and follow the instructions in the following VMware documentation to upload the <certname>.pem file:

  You do not need to do anything with the cacert.pem file.
After you have finished, click the radio button (dot) to the left of the KMS cluster name and confirm that the Connection Status for each KMIP server in the cluster is Normal and that a Certificate Status is shown for the KMS cluster as a whole. The certificate status of the individual KMIP servers in the cluster can be ignored.
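Before uploading <certname>.pem to vCenter, it is worth confirming offline that the downloaded bundle is the one that will actually work. The following shell function is an added example, not part of the Entrust documentation; it assumes openssl is installed and that the CSR saved from vSphere is still at hand. It checks that the issued certificate carries the CSR's public key, that it is not close to the expiry date set in the dialogue, and that it chains to the cacert.pem from the same zip.

```shell
# Constructed pre-upload check for a downloaded KeyControl KMIP bundle (added
# example, not from the Entrust documentation). Assumes openssl is on PATH and
# the unzipped bundle gives <certname>.pem (signed client cert) and cacert.pem.
# Usage: check_kmip_bundle vsphere.csr KMIPvSphereCert.pem cacert.pem [days]
check_kmip_bundle() {
  csr="$1"; cert="$2"; ca="$3"; days="${4:-30}"

  # 1. The issued certificate must carry the public key from the vSphere CSR;
  #    the matching private key never left vCenter, so a mismatch means the
  #    TLS handshake with the KMIP server can never succeed.
  csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) \
    || { echo "cannot read CSR $csr"; return 1; }
  cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "cannot read certificate $cert"; return 1; }
  if [ "$csr_key" != "$cert_key" ]; then
    echo "public key in $cert does not match $csr"; return 2
  fi

  # 2. Expiry: an expired bundle stops vCenter talking to the KMIP server,
  #    so flag a certificate that expires within $days days.
  if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    echo "$cert expires within $days days"; return 3
  fi

  # 3. Chain: the client certificate must verify against the KMIP server CA
  #    shipped in the same zip as cacert.pem.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "$cert does not verify against $ca"; return 4
  fi

  echo "OK: $cert matches $csr, chains to $ca, valid for more than $days days"
  return 0
}
```

The non-zero return codes distinguish the three failure modes, so the function can be dropped into a pre-rotation script that refuses to proceed on a mismatched or near-expired bundle.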