The KMIP specification requires all communication between the client and server to take place over TLS, preferably TLS 1.2; TLS 1.0 is supported but is less secure. To use the PyKMIP client and server properly, you will need a separate set of certificates for each.
For the server, you will need:
- a server certificate
- its corresponding private key
- a CA certificate
The server certificate can be signed by your certificate authority (CA) or self-signed by you; since the server is mainly intended for testing, a self-signed certificate is acceptable. You will also need your CA's certificate to validate the client certificates you receive when establishing client connections. The client certificates can be signed by your CA or by your self-signed server certificate, depending on how you set up your deployment; in the latter case, the CA certificate is also your server certificate.

Note that the server will only accept client certificates that (1) carry an Extended Key Usage extension that includes client authentication (clientAuth) and (2) have a Common Name (CN) defined in their subject field. The server uses this information to establish the client's identity; if a client certificate lacks either, the server will not allow the connection to succeed.

Update your server.conf file to point to these three files once you have them on your machine. The configuration options to update are:
- certificate_path
- key_path
- ca_path
For the client, you will need:
- a client certificate
- its corresponding private key
- a CA certificate
If you are working with a real appliance, work with your server administrator to obtain the right client certificate, its private key (if the administrator creates the certificate for you), and the right CA certificate for validating the server certificate when connecting to the server. Some server administrators will let you submit a certificate signing request for a certificate you create yourself; they sign the certificate and return it to you, while you keep the private key.

Update your pykmip.conf file to point to these three files once you have them on your machine. The configuration options to update are:
- certfile
- keyfile
- ca_certs
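The following script is an added example, not part of the PyKMIP project or its documentation. It walks through both halves of the setup described above for a test deployment: it creates a self-signed CA, a server certificate, and a client certificate that satisfies the two server requirements (an Extended Key Usage including clientAuth and a CN in the subject), then writes server.conf and pykmip.conf fragments pointing at the three files each side needs. It also issues two deliberately deficient client certificates (one without an EKU, one without a CN) and runs the same two checks the text says the server applies, so you can see which certificates would be turned away. The output directory, subject names, the `[server]`/`[client]` section headers and the `issue_cert`/`client_cert_ok` helper names are assumptions made for this example; only the six option names come from the text.

```shell
#!/bin/sh
# Added example (not PyKMIP project code): generate a test PKI for the
# PyKMIP server and client and write the matching config fragments.
# Directory, subject names and helper names are assumptions for the example.
set -eu

OUT="${OUT:-$PWD/pykmip-pki}"   # assumed output directory
DAYS=365

# Minimal openssl config so 'req' works even without a system openssl.cnf.
# The ca_ext section is only applied by 'req -x509' (the self-signed CA).
write_openssl_cnf() {
  cat > "$OUT/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# issue_cert NAME SUBJECT EKU: private key + CSR, then a CA-signed certificate.
# An empty EKU argument yields a certificate with no extendedKeyUsage at all.
issue_cert() {
  name="$1"; subject="$2"; eku="$3"
  openssl req -config "$OUT/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$OUT/$name.key" -out "$OUT/$name.csr" -subj "$subject" 2>/dev/null
  printf 'subjectKeyIdentifier = hash\n' > "$OUT/$name.ext"
  if [ -n "$eku" ]; then
    printf 'extendedKeyUsage = %s\n' "$eku" >> "$OUT/$name.ext"
  fi
  openssl x509 -req -in "$OUT/$name.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -CAcreateserial -days "$DAYS" -extfile "$OUT/$name.ext" \
    -out "$OUT/$name.crt" 2>/dev/null
}

make_pki() {
  mkdir -p "$OUT"
  write_openssl_cnf
  # Self-signed CA; it signs every end-entity certificate below, so both
  # sides use ca.crt to validate the peer.
  openssl req -config "$OUT/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
    -days "$DAYS" -keyout "$OUT/ca.key" -out "$OUT/ca.crt" \
    -subj "/CN=Example KMIP Test CA" 2>/dev/null
  issue_cert server "/CN=kmip-server.example.test" serverAuth
  issue_cert client "/CN=kmip-client-1"            clientAuth
  # Deliberately deficient client certificates, to show what gets rejected.
  issue_cert no-eku "/CN=kmip-client-2"            ""
  issue_cert no-cn  "/O=Example Org"               clientAuth
}

# The two properties the text says the server requires of a client
# certificate: an EKU including client authentication, and a subject CN.
client_cert_ok() {
  openssl x509 -in "$1" -noout -text \
    | grep -q 'TLS Web Client Authentication' || return 1
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | grep -q 'CN=[^,]' || return 1
}

# Each end-entity certificate must chain to the CA certificate the peer holds.
chain_ok() { openssl verify -CAfile "$OUT/ca.crt" "$1" >/dev/null 2>&1; }

# Write only the options discussed in the text; the section names are assumed.
write_configs() {
  cat > "$OUT/server.conf" <<EOF
[server]
certificate_path=$OUT/server.crt
key_path=$OUT/server.key
ca_path=$OUT/ca.crt
EOF
  cat > "$OUT/pykmip.conf" <<EOF
[client]
certfile=$OUT/client.crt
keyfile=$OUT/client.key
ca_certs=$OUT/ca.crt
EOF
}

make_pki
write_configs
for c in client no-eku no-cn; do
  if client_cert_ok "$OUT/$c.crt"; then
    echo "$c.crt: acceptable client certificate"
  else
    echo "$c.crt: would be rejected by the server"
  fi
done
```

Run it with `OUT=/some/dir sh make-test-pki.sh`; the resulting server.conf and pykmip.conf fragments can be merged into your real configuration files. When you reuse `client_cert_ok` on a certificate an administrator hands you, a failing EKU check is the more common surprise, since many CAs issue client certificates without that extension unless asked.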