Skip to content

Certificates

Jump to bottom Edit New page
Peter Hamilton edited this page Dec 1, 2016 · 1 revision

The KMIP specification requires all communications between the client and server to be done over TLS connections, preferably TLS 1.2. TLS 1.0 is supported but is less secure. To properly use the PyKMIP client and server, you will need different sets of certificates.

For the server, you will need:

  • a server certificate
  • its corresponding private key
  • a CA certificate

The server certificate can be signed by your certificate authority (CA) or self-signed by you; given the server is mainly for testing, self-signing the certificate is acceptable. You will also need your CA's certificate to validate any client certificates you receive when establishing client connections. The client certificates can be signed by your CA or by your self-signed server certificate, depending upon how you set up your deployment; in this latter case, the CA certificate is also your server certificate. Note that the server will only accept client certificates that (1) have an extended key usage extension set for client authentication, and (2) have a common name defined in their subject field. The server uses this information to establish client identity; if your client certificates do not have either, the server will not allow the client connection to succeed. Update your server.conf file to point to these three files once you have them on your machine. The configuration options to update include:

  • certificate_path
  • key_path
  • ca_path

For the client, you will need:

  • a client certificate
  • its corresponding private key
  • a CA certificate

If you are working with a real appliance, work with your server administrator to get the right client certificate, its private key (if the administrator creates the certificate for you), and the right CA certificate to validate the server certificate when connecting to the server. Some server administrators will allow you to submit a certificate signing request with a certificate that you create yourself; they will sign the certificate and give it back to you, but you'll keep the private key. Update your pykmip.conf file to point to these three files once you have them on your machine. The configuration options to update include:

  • certfile
  • keyfile
  • ca_certs

Hi Peter, Anyone tried to install the PyKMIP client on Windows? Any issue they are facing while using it?

Thanks, Kiran

Add a custom sidebar
Clone this wiki locally