Configuring HyTrust server for vSAN Encryption (Part-2)

In this blog post, we will discuss about registration of KMS with vCenter

Configuring a KMIP Server:

I have two KMS servers and here is the list: / / Primary KMS / / Secondary KMS

Login to and click on KMIP

By default, the state is disabled, if you want to use this appliance as KMS, change the state to enable and click on apply

Now, move to client certificates in KMIP only and click on Actions ⇒ create certificate ⇒ put certificate name as vCenter

Do not put certificate password and confirm the password

Go to Actions again and download certificate which you will use to create trust between vcenter and KMS

Now, KMIP has been enabled and certificates have been downloaded

Next task is to set up vcenter with KMS

Login to webclient ⇒ select vCenter server ⇒ configure ⇒ key management servers

Put the KMS server information as below, in server address put the primary KMS server ip and server port is 5696. If customer is using proxy between vcenter and KMS server then put the proxy settings. vCenter & KMS server communication is on SSL & TLS

Click on Trust

Now, we have added the KMS server as HyTrust-Primary Port 5696 but in connection status it shows the warning “cannot establish trust connection”. For vCenter server to trust KMS server we need to upload certificate and private key which we have downloaded from KMS server. Click on Establish trust with KMS & choose the option “upload certificate and private key”. This option can be changed as it depends on the KMS vendors

Upload vcenter.pem file twice which will fulfill the purpose of certificate and private key

Add secondary KMS server and follow the same procedure for certificates

You can login to KMS webUI & see the success logs

If you like this blog post, please feel free to share with your friends on social media.

Thanks for reading!!