Setting Up an ESKM Certificate

The client uses ESKM server certificates to authenticate the ESKM server during the TLS/SSL handshake. ESKM supports two types of clients: ESKM clients and KMIP-enabled clients. ESKM clients communicate with the KMS server, and KMIP-enabled clients communicate with the KMIP server.

During the execution of the Setup utility, a default KMIP Server Certificate is automatically created. This certificate should only be used for testing purposes, as it is a self-signed certificate. If your ESKM system will be communicating with KMIP-enabled clients, Utimaco highly recommends that you create a new KMIP server certificate. The name you assign to these server certificates should clearly indicate their purpose. For example: ESKM KMS Server and ESKM KMIP Server.

If you will be using a third-party CA and wish to use an existing server certificate, see Import a third-party server certificate.

To create an ESKM server certificate, perform the following steps:

  1. Click the Security tab.

  2. In Certificates and CAs, select Certificates.

  3. Enter the information required by the Create Certificate Request section of the window to create the ESKM server certificate.


Create Certificate

  1. Enter a Certificate Name and Common Name, for example, ESKM_KMIP_Server.

  2. Enter your Organizational information.

  3. Enter or select the Subject Alternative Name, Algorithm, Creation Type (Certificate Signed by Local CA), Local CA (the CA name you created in Setting up local CA, for example ESKMCA), and Certificate Purpose.

  4. Click Create.


Certificate Information


Key Size refers to the size of the key or elliptic curve associated with this certificate.

The certificate name must be identical on every ESKM server in the cluster.


Import a third-party server certificate

An externally generated public/private key pair can be imported into the ESKM system for use as a server certificate. The encrypted private key data and the public key certificate must be present in the third-party server certificate file. For example:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBAB..........vvbKI=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDhjCCA..........MKH9Fk
-----END CERTIFICATE-----

In addition, the password for the private key file must be known. To import a third-party server certificate, perform the following steps:

  1. In Certificates and CAs, click Certificates to display the Import Certificate section.

  2. Provide the source location of the certificate file.

  3. Enter the Certificate Name and private key password.

  4. Click Import Certificate.
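A pre-import check of the certificate file's framing catches the common mistakes (a certificate-only export, an unencrypted key, or a legacy OpenSSL-encrypted key) before the import step rejects it. The script below is an added example and is not Utimaco code or part of the ESKM product; it assumes only the PEM layout shown above (an ENCRYPTED PRIVATE KEY block plus a CERTIFICATE block), and the sample inputs it embeds are constructed placeholder DER, not real keys or certificates. It does not decrypt the key, so the private key password is still required at import time.

```python
"""Pre-import framing check for an ESKM third-party server certificate file.

Added example, not Utimaco's code. It checks only the PEM framing the
documentation describes (one encrypted PKCS#8 private key plus the
certificate); it does not decrypt the key or validate the certificate chain.
"""
import base64
import binascii
import re

# One PEM block: "-----BEGIN <LABEL>-----", body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
# Labels of private keys stored without password protection.
UNENCRYPTED_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def _pem(label, der):
    """Wrap DER bytes in PEM armor (used only to build the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


# Constructed samples: the payload is a minimal ASN.1 SEQUENCE (INTEGER 0),
# not a real key or certificate, so these are safe placeholders.
_FAKE_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_OK = _pem("ENCRYPTED PRIVATE KEY", _FAKE_DER) + _pem("CERTIFICATE", _FAKE_DER)
SAMPLE_CERT_ONLY = _pem("CERTIFICATE", _FAKE_DER)
SAMPLE_UNENCRYPTED = _pem("PRIVATE KEY", _FAKE_DER) + _pem("CERTIFICATE", _FAKE_DER)
SAMPLE_LEGACY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0011223344556677\n\n"  # constructed header values
    + base64.encodebytes(_FAKE_DER).decode()
    + "-----END RSA PRIVATE KEY-----\n"
) + _pem("CERTIFICATE", _FAKE_DER)


def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text.

    Raises ValueError for a block whose body is not base64-encoded DER or that
    carries legacy OpenSSL 'Proc-Type: 4,ENCRYPTED' headers.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if "Proc-Type: 4,ENCRYPTED" in body:
            raise ValueError(
                f"{label} block uses legacy OpenSSL encryption headers; the "
                "documented format is a PKCS#8 ENCRYPTED PRIVATE KEY block"
            )
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}") from exc
        # Keys and certificates are DER SEQUENCEs, so the first byte is 0x30.
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def check_import_file(text):
    """Return a list of problems; an empty list means the framing looks importable."""
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    labels = [label for label, _ in blocks]
    problems = []
    encrypted = labels.count("ENCRYPTED PRIVATE KEY")
    if encrypted == 0:
        problems.append("no ENCRYPTED PRIVATE KEY block")
    elif encrypted > 1:
        problems.append(f"{encrypted} ENCRYPTED PRIVATE KEY blocks; expected exactly one")
    for label in labels:
        if label in UNENCRYPTED_KEY_LABELS:
            problems.append(f"unencrypted {label} block present; the private key must be encrypted")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    return problems


if __name__ == "__main__":
    import sys

    # Usage: python check_import_file.py server-cert.pem (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OK
    for line in check_import_file(text) or ["file framing looks importable"]:
        print(line)
```

Run it against the file you intend to import; an empty problem list only means the framing matches what the import step expects, and the import itself still verifies the password and the certificate contents.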