Configuring TLS
To configure TLS between the Nutanix cluster and the CipherTrust Manager:
Generate CSR(s)
On the Nutanix VCP UI, go to Settings > Data at Rest Encryption.
Click Edit Configuration.
Under Select Key Management Server, select An external KMS and click Save KMS Type.
In the Certificate Signing Request section:
Specify Email, Organization, Organizational Unit, Country Code, City, and State.
Click Save CSR Info.
Click Download CSRs.
Download the desired CSRs. For cluster setups, click Download CSRs for all nodes.
Get the CSR(s) Signed by a CA
This section uses CipherTrust Manager as the CA. However, you can use any other CA instead.
Log on to the CipherTrust Manager.
Download the CA certificate.
Sign the CSRs and download the certificates for all the nodes.
Create a registration token.
Turn ON Auto Registration.
Go to Admin Settings > Interfaces.
Click the overflow icon next to the kmip interface.
Click Edit to open the Configure KMIP dialog box.
Select Auto Registration.
Paste the Registration Token.
Select OU from the Username Location in Certificate drop-down list.
Click Update.
Create a new user with the same name that was specified in the Organizational Unit field of the CSR created on Nutanix VCP.
Add the newly created user to the Key Users Group.
For more information on these steps, refer to the CipherTrust Manager Administrator Guide and the KMIP Reference Guide.
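Because the KMIP interface takes the user name from the certificate's OU, a CSR whose Organizational Unit differs from the CipherTrust Manager user will not map to that user. The following check, run before the CSRs are signed, is an added example and not part of the original guide or of either product; it assumes the `openssl` CLI is installed, and the file names, the user name `nutanix-kmip`, and the case-sensitive comparison are assumptions.

```shell
#!/bin/sh
# Added example: confirm that the OU in every downloaded node CSR equals the
# CipherTrust Manager user name that the KMIP interface will map it to.

# Print the organizationalUnitName value(s) of a PEM CSR, one per line.
csr_ou() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        awk -F' = ' '$1 ~ /organizationalUnitName/ { print $2 }'
}

# check_csrs EXPECTED_USER CSR...
# Returns 0 only if every CSR parses, carries exactly one OU, and that OU
# equals EXPECTED_USER (case-sensitive comparison is an assumption).
check_csrs() {
    expected=$1
    rc=0
    shift
    for f in "$@"; do
        ou=$(csr_ou "$f")
        if [ -z "$ou" ]; then
            echo "FAIL $f: no OU found (or not a readable CSR)"; rc=1
        elif [ "$(printf '%s\n' "$ou" | grep -c .)" -ne 1 ]; then
            echo "FAIL $f: more than one OU value"; rc=1
        elif [ "$ou" != "$expected" ]; then
            echo "FAIL $f: OU '$ou' does not match user '$expected'"; rc=1
        else
            echo "OK   $f: OU '$ou'"
        fi
    done
    return "$rc"
}

# Constructed sample input: a throwaway CSR (and key) with the given OU and CN.
# Real CSRs come from "Download CSRs" on the Nutanix side.
make_sample_csr() {   # make_sample_csr OUT_FILE OU CN
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/C=US/O=Example/OU=$2/CN=$3" -out "$1" 2>/dev/null
}

# Example run (hypothetical file names):
#   check_csrs nutanix-kmip node1.csr node2.csr node3.csr
```

The same check applies to the signed certificates if `openssl req` in `csr_ou` is replaced with `openssl x509`.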