Managing KMIP Client Certificates

KMIP clients require a client certificate and a private key issued by KeyControl to perform KMIP operations.

KMIP client certificates downloaded from the KeyControl Vault for KMIP webGUI can be used to create and manage KMIP objects only in that vault's namespace.

Creating KMIP Client Certificate Bundles

Each client that you want to connect to the KeyControl KMIP server must use a user certificate/key PEM file and a server certificate PEM file, both of which have been generated by the KMIP server.

Important: The KeyControl KMIP server does not support client logins via username/password credentials. If the client sends a user password to the KMIP server, the connection attempt may fail.

You can download an existing certificate bundle at any time. One or more KMIP clients can then use the certificates in the bundle when contacting the KMIP server.

We recommend that you create a separate client certificate for each client for tracking purposes, but it is not mandatory.

Note: If you are creating a KMIP user account to use with VMware vSphere Encryption, see KeyControl with VSAN and VMware vSphere VM Encryption.

  1. Log in to the KeyControl Vault for KMIP webGUI.
  2. From the KeyControl Vault for KMIP webGUI, select Security > Client Certificates.
  3. On the Client Certificates tab, click the + icon in the top right corner to create a new client certificate.
  4. In the Create Client Certificate dialog, specify the options you want to use and click Create.

    The dialog has the following fields:

    Certificate Name:
      A user-defined name for this bundle. If you are going to create multiple KMIP certificate bundles, this name should be descriptive enough that you can tell the certificate bundles apart.
      The name must start and end with an alphanumeric character. The only other characters allowed are hyphens (-) and underscores (_). The name cannot be changed after the bundle is created.

    Certificate Expiration:
      The date on which the certificates in the bundle will expire. If the certificates expire, communication between the KeyControl KMIP server and the client will be disrupted until a new certificate bundle is uploaded to the client.
      Important: The KeyControl Vault for KMIP webGUI does not show any alert about expiring KMIP client certificates. Users should monitor and periodically update client certificates that are about to expire.

    Certificate Signing Request (CSR):
      If you want the KMIP server to use an external CSR, click Load File and upload the CSR you want to use. The custom CSR must:
      • Be in PKCS#10 format.
      • Have a non-empty Common Name.
      • If keyUsage is specified, it must include 'digitalSignature'.
      If you do not specify an external CSR, KeyControl uses an internally-generated CSR to create the certificate.

    Certificate Password/Confirm Password:
      If you have selected Encrypt Certificate Bundle, provide a passphrase to encrypt the certificates in the bundle.
      Whether the certificates need to be encrypted depends on the way your security is configured and the type of implementation you are using. Not all third-party KMIP clients can accept encrypted certificates.
      For example, if you are integrating KeyControl with VMware vSphere Encryption, you cannot specify a certificate passphrase due to limitations with vSphere.

  5. Select the certificate bundle you just created.
  6. Click the Download button in the top right corner to download the certificate bundle.
  7. Upload the certificates to the KMIP client. You can now use standard API calls to interact with the KMIP server.
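The three CSR requirements in step 4 (PKCS#10 format, a non-empty Common Name, and digitalSignature in keyUsage whenever keyUsage is present) can be checked before the CSR is uploaded, so that a rejected upload does not cost a round trip. The script below is an added example, not Entrust's code or part of the KeyControl product; it uses only the OpenSSL command line and assumes OpenSSL 1.1.1 or later (for `req -addext`). The function names `make_kmip_csr` and `check_kmip_csr` and the constructed subject names are the example's own.

```shell
#!/bin/sh
# Added example (not Entrust's code): generate a PKCS#10 CSR that meets the
# KeyControl KMIP client CSR requirements, and check any CSR against them.
# Assumes OpenSSL 1.1.1+ on PATH (`-addext` needs 1.1.1).

# make_kmip_csr OUT_CSR_PEM SUBJECT [KEY_USAGE]
# Generates a fresh RSA key (written next to the CSR with a .key suffix) and
# a PKCS#10 CSR. SUBJECT is an OpenSSL subject string such as "/CN=kmip-client-01";
# KEY_USAGE, if given, is a comma-separated keyUsage list for the request.
make_kmip_csr() {
  out="$1"; subj="$2"; ku="$3"
  if [ -n "$ku" ]; then
    openssl req -new -newkey rsa:2048 -nodes -keyout "${out%.pem}.key" \
      -out "$out" -subj "$subj" -addext "keyUsage=$ku" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -keyout "${out%.pem}.key" \
      -out "$out" -subj "$subj" 2>/dev/null
  fi
}

# check_kmip_csr CSR_PEM
# Returns 0 when the CSR satisfies all three requirements, 1 otherwise,
# naming the first failing requirement on stderr.
check_kmip_csr() {
  csr="$1"
  # 1. PKCS#10 format: OpenSSL must parse it and its self-signature must verify.
  if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
    echo "$csr: not a valid PKCS#10 CSR" >&2; return 1
  fi
  # 2. Non-empty Common Name. RFC 2253 output prints "CN=value" with no
  #    spaces, so the same pattern works across OpenSSL versions.
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ -z "$cn" ]; then
    echo "$csr: Common Name is missing or empty" >&2; return 1
  fi
  # 3. keyUsage is optional, but if the request carries one it must include
  #    digitalSignature (shown as "Digital Signature" in the text dump).
  text=$(openssl req -in "$csr" -noout -text)
  if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
    if ! printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature'; then
      echo "$csr: keyUsage is present but does not include digitalSignature" >&2; return 1
    fi
  fi
  return 0
}

# Demo on constructed CSRs in a temporary directory (names are made up).
demo_dir=$(mktemp -d)
make_kmip_csr "$demo_dir/good.pem" "/CN=kmip-client-01" "digitalSignature,keyEncipherment"
make_kmip_csr "$demo_dir/bad.pem"  "/CN=kmip-client-02" "keyEncipherment"
for f in "$demo_dir/good.pem" "$demo_dir/bad.pem"; do
  if check_kmip_csr "$f"; then echo "$f: OK to upload"; else echo "$f: rejected"; fi
done
```

A CSR with no keyUsage extension at all passes the third check, which matches the page's wording ("if keyUsage is specified"); only a keyUsage that omits digitalSignature is rejected.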

Renewing a KMIP Client Certificate

Client certificates cannot be renewed in the KeyControl Vault for KMIP webGUI. If the client certificate used by a KMIP client has expired, a new client certificate has to be created and the KMIP client needs to be reconfigured with the new certificate.
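Because the webGUI raises no alert for expiring client certificates (see the Certificate Expiration field above) and an expired certificate can only be replaced, not renewed, the operator needs an external check that reports which client certificates must be re-issued before they lapse. The script below is an added example, not Entrust's code or a KeyControl feature; it relies only on `openssl x509 -checkend`, and the function names `cert_status` and `scan_client_certs`, the warning window and the directory layout are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not Entrust's code): report KMIP client certificates that are
# expired or will expire within a warning window, using `openssl x509 -checkend`.
# Assumes OpenSSL on PATH and one client certificate per *.pem file in a directory.

# cert_status CERT_PEM WARN_DAYS
# Prints OK, EXPIRING, EXPIRED or UNREADABLE and returns 0, 1, 2 or 3 respectively.
cert_status() {
  cert="$1"; warn_days="$2"
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo "UNREADABLE"; return 3
  fi
  # -checkend N exits 1 if the certificate expires within N seconds from now.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "EXPIRED"; return 2
  fi
  if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
    echo "EXPIRING"; return 1
  fi
  echo "OK"; return 0
}

# scan_client_certs DIR WARN_DAYS
# Lists every *.pem in DIR with its status and notAfter date.
# Returns 0 when nothing needs action, 1 when at least one certificate must be re-issued.
scan_client_certs() {
  dir="$1"; warn="$2"; action_needed=0
  for f in "$dir"/*.pem; do
    [ -e "$f" ] || continue
    status=$(cert_status "$f" "$warn" || true)
    notafter=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null || echo "notAfter=?")
    printf '%-10s %-40s %s\n' "$status" "$notafter" "$f"
    [ "$status" = "OK" ] || action_needed=1
  done
  return "$action_needed"
}

# Demo on constructed self-signed certificates (stand-ins for KeyControl-issued ones).
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 3 -keyout "$demo_dir/short.key" \
  -out "$demo_dir/short.pem" -subj "/CN=kmip-client-short" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$demo_dir/long.key" \
  -out "$demo_dir/long.pem" -subj "/CN=kmip-client-long" 2>/dev/null
if scan_client_certs "$demo_dir" 30; then
  echo "all client certificates are fine for the next 30 days"
else
  echo "at least one client certificate must be re-issued and redeployed"
fi
```

Run `scan_client_certs /path/to/client-certs 30` from cron; a non-zero exit is the signal to create a new bundle in the webGUI and reconfigure the affected client, since renewal in place is not possible.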