Configuring TLS
To configure TLS between the Nutanix cluster and the CipherTrust Manager:
Generate CSR(s)
1. On the Nutanix VCP UI, go to Settings > Data at Rest Encryption.
2. Click Edit Configuration.
3. Under Select Key Management Server, select An external KMS and click Save KMS Type.
4. In the Certificate Signing Request section:
   a. Specify Email, Organization, Organizational Unit, Country Code, City, and State.
      To create resources in a subdomain, enter <domain>||<username> as the Organizational Unit.
   b. Click Save CSR Info.
5. Click Download CSRs.
6. Download the desired CSRs. For cluster setups, click Download CSRs for all nodes.
Get the CSR(s) Signed from CA
In this section, we are using CipherTrust Manager as the CA. However, you can use any other CA that suits your environment.
1. Log on to the CipherTrust Manager.
2. Download the CA certificate.
3. Sign the CSRs and download the certificates for all the nodes.
4. Create a registration token in the domain where you want your resources to be created.
5. Turn ON Auto Registration:
   a. Go to Admin Settings > Interfaces.
   b. Click the overflow icon next to the kmip interface.
   c. Click Edit to open the Configure KMIP dialog box.
   d. Select Auto Registration.
   e. Paste the Registration Token.
   f. Select OU from the Username Location in Certificate drop-down list.
   g. Add the CA used to sign the CSRs from Nutanix to the trusted CAs list.
   h. Click Update.
6. Create a new user with the same name that was specified in the Organizational Unit field of the CSR created on Nutanix VCP. This user must be assigned to the subdomain where you want your resources created and must be present in the Key Users/Admins group in that subdomain.
7. Add the newly created user to the Key Users Group.
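As an added illustration that is not part of the Thales or Nutanix documentation, the following shell script assumes openssl is installed and stands up a throwaway CA in place of CipherTrust Manager to show the check worth running before auto registration is relied on: that a signed node certificate chains to the CA placed on the KMIP trusted list, and that its OU parses into the <domain>||<username> pair that the Username Location in Certificate = OU setting will read. The CA name, node name, subdomain and username are all constructed values.

```shell
#!/bin/sh
# Added example: verify a signed node certificate the way the KMIP auto-registration
# step will consume it. Requires openssl; all names below are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Build a demo CA (stand-in for CipherTrust Manager) and sign a node CSR whose
# Organizational Unit is the string passed in, e.g. "subdom||kmipuser".
make_demo_chain() {
  ou="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=CA/L=SanJose/O=Example/OU=$ou/CN=nutanix-node1/emailAddress=admin@example.com" \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/node.crt" >/dev/null 2>&1
}

# Confirm the node certificate chains to the CA that will be added to the trusted CAs list.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/node.crt" >/dev/null 2>&1
}

# Print the OU of the signed certificate, the field auto registration reads as the username.
cert_ou() {
  openssl x509 -in "$WORK/node.crt" -noout -subject -nameopt sep_multiline,utf8 \
    | sed -n 's/^ *OU=//p'
}

# Split "<domain>||<username>" into "domain username"; fail if the separator is missing,
# which is exactly the case where the user would not be registered into the subdomain.
split_ou() {
  case "$1" in
    *"||"*) printf '%s %s\n' "${1%%||*}" "${1#*||}" ;;
    *) return 1 ;;
  esac
}

# Stand-alone run: build the chain, verify it, and show the parsed OU.
if [ "${1:-}" = "run" ]; then
  make_demo_chain "subdom||kmipuser"
  verify_chain && echo "chain OK"
  split_ou "$(cert_ou)"
fi
```

Invoke the script with the argument run to exercise it end to end; the verify step failing is the signal that the wrong CA was added to the KMIP interface.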
For more information on these steps, refer to CipherTrust Manager Administrator Guide and KMIP Reference Guide.