Setting up ESKM certificate

ESKM server certificates are used by the client to authenticate the ESKM server during the TLS/SSL handshake. ESKM supports two types of clients. Clients that use the ESKM protocol are referred to as ESKM clients. Clients that use the KMIP protocol are referred to as KMIP-enabled clients. The ESKM clients communicate with the KMS server, and KMIP-enabled clients communicate with the KMIP server.

During the execution of the Setup utility, a default KMIP Server Certificate is automatically created. This certificate should only be used for testing purposes, as it is a self-signed certificate. If your ESKM system will be communicating with KMIP-enabled clients, Utimaco highly recommends that you create a new KMIP server certificate. The name you assign to these server certificates should clearly indicate their purpose. For example: ESKM KMS Server and ESKM KMIP Server.

KMIP requires mutual authentication. After configuring the KMIP server, enable KMIP client certificate authentication. The KMIP client certificate authentication status is disabled by default.

If you will be using a third-party CA and wish to use an existing server certificate, see Import a third-party server certificate.

To create an ESKM server certificate, perform the following steps:

  1. Click the Security tab.

  2. In Certificates & CAs, select Certificates.

  3. Scroll down to the Create Certificate section.

    1. Enter Certificate Name, Country Name, State or Province Name, Locality Name, Organization Name and Organization Unit Name.

    2. Select RSA-2408 from the Algorithm dropdown list.

    3. Select the previously created CA certificate name from the Local CA drop-down list.

    4. Select Server from the Certificate Purpose dropdown list.

  4. Click Create.

Create Certificate

The “certificate name” must remain the same on all ESKM servers across the cluster.
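The following script is an added example, not Utimaco's code or part of the ESKM product. It assumes only that the openssl CLI is installed; it builds a throw-away local CA and a CA-signed server certificate in a temporary directory (standing in for the local CA and the Server-purpose certificate created above), plus a self-signed certificate like the default test one, and shows the three checks a KMIP client administrator would run against the certificate the server presents.

```sh
#!/bin/sh
# Added example (not ESKM code). Assumes the openssl command-line tool is on PATH.

# Print "yes" if the certificate is self-signed (issuer == subject), which is
# what the default test certificate from the Setup utility looks like; else "no".
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash)
    i=$(openssl x509 -in "$1" -noout -issuer_hash)
    [ "$s" = "$i" ] && echo yes || echo no
}

# Print "yes" if the server certificate ($2) chains to the local CA ($1).
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo yes || echo no
}

# Print "yes" if the certificate carries the Server purpose (serverAuth EKU).
has_server_purpose() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication" \
        && echo yes || echo no
}

# Build the demo PKI under directory $1: ca.pem, server.pem, selfsigned.pem.
# Names and subjects are constructed for this example.
make_demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Local CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ESKM KMIP Server" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/ext.cnf" -out "$d/server.pem" 2>/dev/null
    # A self-signed certificate, for contrast with the CA-signed one.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=default" \
        -keyout "$d/selfsigned.key" -out "$d/selfsigned.pem" 2>/dev/null
}

DEMO=$(mktemp -d)
make_demo_pki "$DEMO"
for c in server selfsigned; do
    echo "$c.pem: self-signed=$(is_self_signed "$DEMO/$c.pem")" \
         "chains-to-local-CA=$(chains_to_ca "$DEMO/ca.pem" "$DEMO/$c.pem")" \
         "server-purpose=$(has_server_purpose "$DEMO/$c.pem")"
done
```

Run the three checks against the certificate exported from each ESKM node in the cluster; every node should report self-signed=no, chains-to-local-CA=yes and server-purpose=yes.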