Create a Certificate Signing Request to Establish a Trusted Key Provider Trusted Connection

Some key server (KMS) vendors require that you generate a Certificate Signing Request (CSR) and send that CSR to the key server vendor. The key server vendor signs the CSR and returns the signed certificate. After you configure this signed certificate as the trusted key provider's client certificate, the key server accepts traffic that comes from the trusted key provider.

This task is a two-step process. First you generate the CSR and send it to your key server vendor. Then you upload the signed certificate that you receive from the key server vendor.

Prerequisites

Procedure

Ensure that you are connected to the vCenter Server of the Trust Authority Cluster. For example, you can enter $global:defaultviservers to show all the connected servers.

(Optional) If necessary, you can run the following commands to ensure that you are connected to the vCenter Server of the Trust Authority Cluster.

Disconnect-VIServer -server * -Confirm:$false
Connect-VIServer -server TrustAuthorityCluster_VC_ip_address -User trust_admin_user -Password 'password'

Assign the Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA information to a variable.
For example:
```
$kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA
```
If you are following these tasks in order, you previously assigned Get-TrustAuthorityCluster information to a variable (for example, $vTA = Get-TrustAuthorityCluster 'vTA Cluster').
This variable obtains the trusted key providers in the given Trust Authority Cluster, in this case, $vTA.
Note: If you have more than one trusted key provider, use commands similar to the following to select the one you want:
```
Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA
<The trusted key providers listing is displayed.>
$kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA | Select-Object -Last 1
```
Using Select-Object -Last 1 selects the last trusted key provider in the list.
To generate a CSR, use the New-TrustAuthorityKeyProviderClientCertificateCSR cmdlet.
For example:
```
New-TrustAuthorityKeyProviderClientCertificateCSR -KeyProvider $kp
```
The CSR is displayed. You can also use the Get-TrustAuthorityKeyProviderClientCertificateCSR -KeyProvider $kp cmdlet to obtain the CSR.
To get a signed certificate, submit the CSR to your key server vendor.
The certificate must be in PEM format. If the certificate is returned in a format other than PEM, convert it to PEM by using the openssl command. For example:
- To convert a certificate from CRT to PEM format:
```
openssl x509 -in clientcert.crt -out clientcert.pem -outform PEM
```
- To convert a certificate from DER to PEM format:
```
openssl x509 -inform DER -in clientcert.der -out clientcert.pem
```
When you receive the signed certificate from the key server vendor, upload the certificate to the key server using the Set-TrustAuthorityKeyProviderClientCertificate cmdlet.
For example:
```
Set-TrustAuthorityKeyProviderClientCertificate -KeyProvider $kp -CertificateFilePath <path/tp/certfile.pem>
```

Results

The trusted key provider has established trust with the key server.