Establishing a Trusted Connection with a vSphere-Generated CSR

The following procedure describes how to generate a Certificate Signing Request (CSR) in vSphere and then use that CSR to create a certificate bundle on the HyTrust KMIP server. The KMIP certificate can then be uploaded to vSphere to establish a trusted connection between vSphere and the HyTrust KMIP server.

You can also establish a trusted connection using a KeyControl-generated CSR. For details, see Establishing a Trusted Connection with a KeyControl-Generated CSR.

Note: The following procedure is based on vCenter Web Client in vSphere 6.5. If your version of the vCenter Web Client is different from what is described below, please see your vCenter documentation to determine how to add the KMS cluster.

  1. In the vSphere Web Client, go to Key Management Servers.
  2. Select the KMS you want to trust in the list then select All Actions > Establish Trust with KMS.
  3. In the Establish Trust with KMS dialog box, select New Certificate Signing Request then click OK.

    vSphere creates a CSR and displays it in the New Certificate-Signing Request dialog box.

  4. Click Download as file and save the CSR to your computer. By default, vSphere names the CSR file cluster-name_signed_csr.pem.

    After you save the file, leave the New Certificate-Signing Request dialog box open.

  5. Log into the KeyControl webGUI using an account with Security Admin privileges.
  6. In the top menu bar, click KMIP.
  7. Click the Client Certificates tab.
  8. Select Actions > Create Certificate.
  9. In the Create a New Client Certificate dialog box:

    1. Enter a name in the Certificate Name field.
    2. Set the date on which you want the certificate to expire in the Certificate Expiration field. If the certificate expires, communication between vSphere and KeyControl will be disrupted until a new certificate is uploaded.
    3. In the Certificate Signing Request (CSR) field, click Load File.
    4. Navigate to the vSphere-generated CSR you downloaded earlier in this procedure, select the CSR pem file and click Open.

      Important: Do not enter a password for the certificates. Due to a vSphere limitation, you cannot upload encrypted certificates.

      The following example creates a certificate bundle called KMIPvSphereCert with a certificate expiration date of December 31, 2019 and that uses the vSphere-generated CSR file HyTrust-KC-1-cluster_signed_csr.pem.

    5. Click Create. The webGUI returns to the KMIP Client Certificates tab.

  10. Select the certificate bundle you just created in the certificate list.
  11. Select Actions > Download Certificate. The webGUI downloads <certname_datetimestamp>.zip, which contains a client certificate/key file called <certname>.pem and the KMIP server's CA certificate file called cacert.pem.
  12. Unzip the file so that you have the <certname>.pem file available to upload into vCenter. In the example above the certificate file would be named KMIPvSphereCert.pem.
  13. Go back to the New Certificate-Signing Request dialog box in the vSphere Web Client and click Upload file.
  14. Navigate to the KMIP certificate <certname>.pem, select the file, and click Open. vSphere displays the certificate in the lower half of the New Certificate-Signing Request dialog box.

  15. Click OK and wait until vCenter reports that the connection status for the KMS cluster has changed to "Normal".
  16. For a multi-node cluster, add the additional KeyControl server IP addresses to the same vSphere KMS cluster to provide a failover mechanism:
    1. Select the HyTrust KMS you created.
    2. Click Add KMS.
    3. In the KMS Cluster field, make sure the HyTrustKMS cluster is selected.
    4. Enter the server alias, address, and port for the additional KeyControl KMIP server.
    5. Click OK.
    6. In the Trust Certificate dialog box, click Trust.
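Steps 4 and 11 leave three files on your workstation: the vSphere-generated CSR, the <certname>.pem client bundle and cacert.pem. Before uploading the bundle in step 13, it is worth confirming that it has no password (the vSphere limitation noted above), that it chains to the cacert.pem from the same zip, that it carries the public key from the CSR vSphere created, and that its expiry date is what you set in step 9. The following script is an added example, not part of the HyTrust or VMware documentation; it assumes only the OpenSSL command-line tool. File names such as cluster_signed_csr.pem and KMIPvSphereCert.pem are the ones the procedure produces; the make_demo_bundle helper fabricates a throwaway CA, key and CSR purely so the check can be run offline without a KeyControl server.

```shell
#!/bin/sh
# Added example (not HyTrust/VMware code): sanity-check a KeyControl KMIP client
# certificate bundle before uploading it to vCenter. Requires the OpenSSL CLI.
set -eu

# check_kmip_bundle CSR CERT_PEM CACERT_PEM
# Returns 0 only if the bundle is unencrypted, chains to the bundled CA,
# matches the CSR's public key and is inside its validity period.
check_kmip_bundle() {
  csr=$1; cert=$2; cacert=$3

  # 1. vSphere cannot upload passworded bundles: refuse any encrypted PEM block
  if grep -q "ENCRYPTED" "$cert"; then
    echo "FAIL: $cert contains an encrypted key; vSphere cannot upload it" >&2
    return 1
  fi

  # Pull the certificate block out of the cert+key bundle for the checks below
  tmpcrt=$(mktemp)
  if ! openssl x509 -in "$cert" -out "$tmpcrt" 2>/dev/null; then
    echo "FAIL: no certificate found in $cert" >&2; rm -f "$tmpcrt"; return 1
  fi

  # 2. the client certificate must chain to the cacert.pem from the same zip
  if ! openssl verify -CAfile "$cacert" "$tmpcrt" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $cacert" >&2; rm -f "$tmpcrt"; return 1
  fi

  # 3. KeyControl must have signed the CSR vSphere generated: compare public keys
  csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  crt_pub=$(openssl x509 -in "$tmpcrt" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  if [ "$csr_pub" != "$crt_pub" ]; then
    echo "FAIL: public key in $cert differs from the CSR" >&2; rm -f "$tmpcrt"; return 1
  fi

  # 4. expiry: hard fail if already expired, warn when less than 30 days remain,
  #    because vSphere-KeyControl communication stops at expiry until a new
  #    certificate is uploaded
  if ! openssl x509 -in "$tmpcrt" -noout -checkend 0 >/dev/null; then
    echo "FAIL: $cert has already expired" >&2; rm -f "$tmpcrt"; return 1
  fi
  openssl x509 -in "$tmpcrt" -noout -checkend $((30*86400)) >/dev/null ||
    echo "WARN: $cert expires within 30 days" >&2

  echo "OK: $cert is unencrypted, chains to $cacert, matches the CSR and is valid"
  openssl x509 -in "$tmpcrt" -noout -subject -enddate
  rm -f "$tmpcrt"
  return 0
}

# make_demo_bundle DIR
# Constructed demo material only: a throwaway CA playing the KeyControl KMIP CA,
# a throwaway client key/CSR playing the vSphere-generated CSR, and the resulting
# cert+key bundle laid out the way KeyControl's <certname>.pem is.
make_demo_bundle() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-kmip-ca" \
    -keyout "$dir/ca.key" -out "$dir/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-cluster" \
    -keyout "$dir/client.key" -out "$dir/cluster_signed_csr.pem" 2>/dev/null
  openssl x509 -req -in "$dir/cluster_signed_csr.pem" -CA "$dir/cacert.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 365 -out "$dir/client.crt" 2>/dev/null
  cat "$dir/client.crt" "$dir/client.key" > "$dir/KMIPvSphereCert.pem"
}

# Usage against real files downloaded in steps 4 and 11:
#   check_kmip_bundle cluster_signed_csr.pem KMIPvSphereCert.pem cacert.pem
# Stand-alone demo run on the constructed material:
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_bundle "$d"
  check_kmip_bundle "$d/cluster_signed_csr.pem" "$d/KMIPvSphereCert.pem" "$d/cacert.pem"
fi
```

The public-key comparison in check 3 is the one that catches the easiest mistake in this procedure: loading the wrong CSR in step 9.4, which yields a bundle that looks valid but does not match the key vSphere is holding, so the KMS connection never reaches "Normal" in step 15.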

The following illustration shows a HyTrust KMS with three KMIP servers:

HyTrust KMS Cluster in vSphere

The critical information is the Connection Status for each KMIP server in the cluster and the Certificate Status for the overall KMS cluster. The certificate status for the individual KMIP servers in the cluster can be ignored.