The following describes how to add any key management server that implements the Key Management Interoperability Protocol (KMIP) as a key manager.

To create a KMIP key manager:

  1. Log in as an administrator with either:
  2. Go to Control > Key Managers.
  3. Click Create and configure the settings described below.
  4. Click Verify to check the connection with the key manager.

Label

A descriptive name of the key manager.

Mandatory: Yes

Owner

The username of the person responsible for the key manager.

The user who adds the key manager automatically becomes its owner. You can edit this field later to assign ownership to someone else.

Description

A description of the key manager.

Mandatory: No

Authorization Tags

A list of authorization tags. Custom Roles that carry any of these tags are granted permissions on the key manager.

Mandatory: No

Plugin Type

Select KMIP-KeyManagement-Plugin.

Mandatory: Yes

KMIP Server URL

The URL of the KMIP server.

https://<host>:<port>/kmip

Where:

  • <host> is the hostname or IP address of the KMIP server.
  • <port> is the port of the KMIP server.

For example:

https://172.30.141.241:5696/kmip

Mandatory: Yes

Client Credential file format

The file format for importing the client credentials. When selecting PKCS#12, configure the following additional parameters.

Client PKCS#12

A PKCS#12 file containing the key pair, certificate, and certification chain of the client.

PKCS 12 and Key Password

The password of the PKCS#12 file and the private key of the client.

When selecting PEM, configure the following additional parameters. 

The PEM option does not support encrypted private keys: the key in the file must be stored unencrypted.

Client Key & Certificate

A file in PEM format containing the private key and certificate of the client.

CA Certificate Chain

A file in PEM format containing the certification chain of the client certificate.

Mandatory: Yes
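As an added example that is not part of this documentation, the following Python script performs two of the checks above before you click Verify: it confirms that the KMIP Server URL has the https://<host>:<port>/kmip shape, and that a PEM client credential file contains a certificate and an unencrypted private key (the condition the PEM option requires). The PEM contents embedded in it are constructed placeholders, not real key material.

```python
"""Pre-flight checks for the KMIP key manager settings above (added example)."""
import re
from urllib.parse import urlsplit

# An encrypted PEM key shows up either as a PKCS#8 "ENCRYPTED PRIVATE KEY"
# block or as a legacy OpenSSL block carrying a "Proc-Type: 4,ENCRYPTED" header.
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")


def parse_kmip_url(url: str) -> tuple[str, int]:
    """Return (host, port) for a URL shaped like https://<host>:<port>/kmip."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("KMIP server URL must use https")
    if parts.path != "/kmip":
        raise ValueError("KMIP server URL path must be /kmip")
    if not parts.hostname or parts.port is None:  # .port raises if out of range
        raise ValueError("KMIP server URL needs an explicit host and port")
    return parts.hostname, parts.port


def check_pem_credential(pem_text: str) -> list[str]:
    """Problems that would make a 'Client Key & Certificate' PEM file unusable."""
    labels = re.findall(r"^-----BEGIN ([A-Z0-9 ]+)-----$", pem_text, flags=re.M)
    problems = []
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key block")
    if "CERTIFICATE" not in labels:
        problems.append("no client certificate block")
    if any(marker in pem_text for marker in ENCRYPTED_MARKERS):
        problems.append("private key is encrypted; the PEM option needs an unencrypted key")
    return problems


# Constructed placeholder PEM text for the demonstration; not real key material.
GOOD_PEM = """-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXIga2V5IGJvZHk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2VydCBib2R5
-----END CERTIFICATE-----
"""
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

cGxhY2Vob2xkZXIgY2lwaGVydGV4dA==
-----END RSA PRIVATE KEY-----
"""
```

Run the checks against your own URL and PEM file before importing them; an empty list from check_pem_credential means the file satisfies the format requirements listed above.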

Key Algorithm

The algorithm for generating the keys.

Mandatory: No. This optional value defaults to RSA (the only supported option).

Key Size

The bit size of the generated keys.

Mandatory: No. This optional value defaults to 2048 (the only supported option).

Digital Signature Algorithm

The algorithm for signing the certificate requests:

  • SHA256
  • SHA512

Mandatory: No. This optional value defaults to SHA256.

Start Date

The starting date for the background job that synchronizes the certificate states in Certificate Manager with the certificate states in the KMIP server.

Mandatory: Yes

Enable hostname verification

Check this box to validate the KMIP server certificate against the server hostname on each connection.

KMIP Version

The KMIP version used by the server.

The dropdown menu only lists supported versions.

Mandatory: Yes

Allow private key export

Check this box to allow exporting the private key from the key manager – for example, to push the same certificate and key to other destinations.

The key manager server must support key export.