Creating KMIP Client Certificate Bundles

Each client that you want to connect to the KeyControl KMIP server must use a user certificate/key PEM file and a server certificate PEM file that have been generated by the KMIP server.

Important: The KeyControl KMIP server does not support client logins via username/password credentials. If the client sends a user password to the KMIP server, the connection attempt may fail.

You can download an existing certificate bundle at any time. One or more KMIP clients can then use the certificates in the bundle when contacting the KMIP server.

We recommend that you create a separate user account for each client for tracking purposes, but it is not required. Because all KMIP users can see all KMIP objects, you could use the same certificates for all clients.

Note: If you are creating a KMIP user account to use with VMware vSphere Encryption, see HyTrust KeyControl® with VMware vSAN and vSphere VM Encryption.

  1. Log into the KeyControl webGUI on any node in the cluster using an account with Security Admin privileges.
  2. In the top menu bar, click KMIP.
  3. On the Basic tab, make sure that the state is set to Enabled. The server must be enabled before you can create certificate bundles.
  4. Click the Client Certificates tab.
  5. Select Actions > Create Certificate.
  6. In the Create a New Client Certificate dialog box, specify the options you want to use.

    Certificate Name
        A user-defined name for this bundle. If you are going to create multiple KMIP certificate bundles, this name should be descriptive enough that you can tell the certificate bundles apart.

        The name can contain only alphanumeric characters and it must start with a letter. You cannot include any special characters or spaces. The name cannot be changed after the bundle is created.

    Certificate Expiration
        The date on which the certificates in the bundle will expire. If the certificates expire, communication between the KeyControl KMIP server and the client will be disrupted until a new certificate bundle is uploaded to the client.

    Certificate Signing Request (CSR)
        If you want the KMIP server to use an external CSR, click Load File and upload the CSR you want to use. The custom CSR must:

        • Be in PKCS#10 format.
        • Have a non-empty Common Name.
        • If keyUsage is specified, it must include 'digitalSignature'.

        If you do not specify an external CSR, KeyControl uses an internally generated CSR to create the certificate.

    Certificate Password/Confirm Password
        An optional passphrase used to encrypt the certificates in the bundle.

        Whether the certificates need to be encrypted depends on the way your security is configured and the type of implementation you are using. Not all third-party KMIP clients can accept encrypted certificates.

        For example, if you are integrating KeyControl with VMware vSphere Encryption, you cannot specify a certificate passphrase due to limitations with vSphere.

  7. Select the certificate bundle you just created.
  8. Select Actions > Download Certificate. The webGUI downloads <username_datetimestamp>.zip, which contains a user certificate/key file called username.pem and a server certificate file called cacert.pem.
  9. Upload the certificates to the KMIP client. You can now use standard API calls to interact with the KMIP server.
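The three requirements listed under Certificate Signing Request (CSR) in step 6 can be checked before the file is loaded into the dialog. The Go program below is an added example and is not KeyControl code or part of this procedure: MakeCSR builds a PKCS#10 request with a chosen keyUsage so that CheckCSR has something to inspect, and CheckCSR applies exactly the three rules (PKCS#10 format, non-empty Common Name, digitalSignature present whenever keyUsage is present). The Common Names, the P-256 key type and the function names are assumptions made for the illustration; the page does not say which key types KeyControl accepts.

```go
// Added example, not HyTrust/KeyControl code: building a PKCS#10 CSR and
// checking it against the three requirements this page sets for an external
// CSR, using only Go's standard library.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/bits"
)

var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15} // id-ce-keyUsage

// MakeCSR returns a PEM-encoded PKCS#10 request for cn. ku is the first byte of
// the KeyUsage BIT STRING (0x80 = digitalSignature, 0x20 = keyEncipherment; see
// RFC 5280 section 4.2.1.3); ku == 0 requests no keyUsage extension at all.
func MakeCSR(cn string, ku byte) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key type is an assumption
	if err != nil {
		return nil, err
	}
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	if ku != 0 {
		// DER named bit lists drop trailing zero bits, so size the string to the last set bit.
		bs := asn1.BitString{Bytes: []byte{ku}, BitLength: 8 - bits.TrailingZeros8(ku)}
		der, err := asn1.Marshal(bs)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidKeyUsage, Value: der}}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckCSR enforces the page's rules: PKCS#10 format, a non-empty Common Name,
// and, when a keyUsage extension is requested, digitalSignature among its bits.
func CheckCSR(csrPEM []byte) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || (block.Type != "CERTIFICATE REQUEST" && block.Type != "NEW CERTIFICATE REQUEST") {
		return errors.New("not a PEM-encoded PKCS#10 request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("not a valid PKCS#10 request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature does not verify: %w", err)
	}
	if csr.Subject.CommonName == "" {
		return errors.New("Common Name is empty")
	}
	for _, ext := range csr.Extensions {
		if !ext.Id.Equal(oidKeyUsage) {
			continue
		}
		var ku asn1.BitString
		if _, err := asn1.Unmarshal(ext.Value, &ku); err != nil || ku.At(0) != 1 {
			return errors.New("keyUsage is present but does not include digitalSignature")
		}
	}
	return nil
}

func main() {
	cases := []struct {
		cn string
		ku byte
	}{{"kmip-client1", 0xa0}, {"kmip-client2", 0}, {"", 0x80}, {"kmip-client3", 0x20}}
	for _, c := range cases {
		csrPEM, err := MakeCSR(c.cn, c.ku)
		if err != nil {
			panic(err)
		}
		fmt.Printf("CN=%q keyUsage=%#x -> %v\n", c.cn, c.ku, CheckCSR(csrPEM))
	}
}
```

The four cases in main cover the page's rules one at a time: a request with digitalSignature and keyEncipherment passes, a request with no keyUsage extension passes (the rule only applies when keyUsage is specified), an empty Common Name is rejected, and a keyUsage that carries only keyEncipherment is rejected.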
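Before the files from step 8 are uploaded to the client in step 9, the bundle can be sanity-checked offline. The program below is an added example, not KeyControl code: BuildDemoBundle plays the part of the KMIP server with a constructed CA so that the check has input, and CheckBundle verifies that the certificate in username.pem chains to cacert.pem, that the private key matches it and is not passphrase-protected (the vSphere limitation noted in step 6), and that the Certificate Expiration date is not closer than a chosen margin. The certificate-then-key order inside username.pem, the PKCS#8 key encoding and the P-256 key type are assumptions; the page only says the file holds a certificate and a key.

```go
// Added example, not HyTrust/KeyControl code: checks to run on a downloaded
// bundle before installing it on a KMIP client, using only Go's standard library.
// BuildDemoBundle stands in for the KMIP server with a constructed CA.
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// BuildDemoBundle issues a client certificate for cn from a throwaway CA and
// returns username.pem (certificate, then PKCS#8 private key) and cacert.pem.
func BuildDemoBundle(cn string, validDays int) (userPEM, caPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().Add(-time.Minute)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo KMIP CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(0, 0, validDays), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(clientKey)
	if err != nil {
		return nil, nil, err
	}
	userPEM = append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})...)
	return userPEM, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), nil
}

// CheckBundle verifies a downloaded bundle: username.pem must carry a certificate
// that chains to cacert.pem and its matching, unencrypted private key, and the
// certificate must stay valid for at least minDays more.
func CheckBundle(userPEM, caPEM []byte, minDays int) error {
	var cert *x509.Certificate
	var key crypto.Signer
	for b, rest := pem.Decode(userPEM); b != nil; b, rest = pem.Decode(rest) {
		switch {
		case b.Type == "ENCRYPTED PRIVATE KEY" || b.Headers["Proc-Type"] == "4,ENCRYPTED":
			return errors.New("private key is passphrase-protected; not every KMIP client accepts that")
		case b.Type == "CERTIFICATE" && cert == nil:
			cert, _ = x509.ParseCertificate(b.Bytes)
		case b.Type == "PRIVATE KEY":
			k, _ := x509.ParsePKCS8PrivateKey(b.Bytes)
			key, _ = k.(crypto.Signer)
		}
	}
	if cert == nil || key == nil {
		return errors.New("username.pem must hold both a certificate and a private key")
	}
	pub, ok := key.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(cert.PublicKey) {
		return errors.New("private key does not match the certificate")
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("cacert.pem holds no certificate")
	}
	// ExtKeyUsageAny: a client certificate is not a server certificate, so do not apply the ServerAuth default.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate does not chain to cacert.pem: %w", err)
	}
	if time.Until(cert.NotAfter) < time.Duration(minDays)*24*time.Hour {
		return fmt.Errorf("certificate expires on %s, inside the %d-day margin", cert.NotAfter.Format("2006-01-02"), minDays)
	}
	return nil
}

func main() {
	userPEM, caPEM, err := BuildDemoBundle("kmip-client1", 90)
	if err != nil {
		panic(err)
	}
	fmt.Println("30-day margin:", CheckBundle(userPEM, caPEM, 30))
	fmt.Println("120-day margin:", CheckBundle(userPEM, caPEM, 120))
}
```

Running the expiry check with a margin on a schedule is the practical point: the page warns that an expired bundle disrupts communication until a new one is uploaded, and the margin gives time to create and distribute the replacement before that happens. CheckBundle only recognises PKCS#8 "PRIVATE KEY" blocks; a bundle using the legacy "EC PRIVATE KEY" or "RSA PRIVATE KEY" block types would need the matching x509 parser added.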