The following describes two ways to run a KMS server for vCenter instead of the native key provider on vCenter. I used this for testing purposes. One is Ubuntu with PyKMIP and the other is CentOS with a Docker image of PyKMIP. Enjoy

Install Ubuntu 23.10 with internet access

Instructions

sudo apt install openssh-client
sudo apt install openssh-server
sudo ufw allow ssh
sudo systemctl enable ssh
sudo systemctl start ssh
sudo systemctl status ssh

Log in as a normal user; my user name is “user”.
1.
sudo -i
apt-get update
apt-get upgrade
mkdir /usr/local/PyKMIP
mkdir /etc/pykmip
mkdir /var/log/pykmip
chown user: -R /usr/local/PyKMIP
chown user: -R /etc/pykmip
chown user: -R /var/log/pykmip
apt-get install python3-dev libffi-dev libssl-dev libsqlite3-dev

2. Run the following command and fill in the certificate prompts. The certificate will be valid for 10 years (3650 days).

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.crt

Example answers used here (country, state/province, locality, and the common name, which is set to the KMS FQDN):
AU
VICTORIA
MELBOURNE
pykmip-kms-ub.vcf.sddc.lab

chown user: -R /etc/ssl/private
chown user: /etc/ssl/certs/selfsigned.crt
exit
cd /usr/local
sudo apt-get install git-all
git clone https://github.com/OpenKMIP/PyKMIP

cd /usr/local/PyKMIP
sudo -i
sudo apt-get install python3-setuptools
cd /usr/local/PyKMIP
python3 /usr/local/PyKMIP/setup.py install
(be sure you are in the /usr/local/PyKMIP directory; see the cd command above)
exit

3.
nano /etc/pykmip/server.conf
Paste the following into the file (replace 10.0.0.30 with your VM’s IP). certificate_path and key_path point to the KMS machine certificate created above; you can replace these with a certificate issued by your organization’s trusted certificate authority.
-------------------------------------------------------------------------
[server]
database_path=/etc/pykmip/pykmip.database
hostname=10.0.0.30
port=5696
certificate_path=/etc/ssl/certs/selfsigned.crt
key_path=/etc/ssl/private/selfsigned.key
ca_path=/etc/ssl/certs/selfsigned.crt
auth_suite=TLS1.2
policy_path=/usr/local/PyKMIP/examples/
enable_tls_client_auth=False
tls_cipher_suites= TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
logging_level=DEBUG
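The configuration above is the minimum that makes vCenter happy, and several of its settings are test-lab choices rather than production ones. The script below is an added example, not part of this post or of the PyKMIP project: it reads a server.conf with the standard library and reports the settings a reviewer would flag before putting real VM encryption keys behind the server. The sample configuration embedded in it is the one from this post; the function and constant names (`audit_server_conf`, `parse_server_conf`, `SAMPLE_SERVER_CONF`) are this example's own.

```python
"""Audit a PyKMIP server.conf for settings that weaken the KMS.

Added example (not part of the original post or of PyKMIP itself). The sample
config is constructed from the post; file checks are skipped for it because
the paths only exist on the KMS VM.
"""
import configparser
import os

# Suites that key-exchange with plain RSA give no forward secrecy: a later
# leak of the server key decrypts every recorded KMIP session.
NO_FORWARD_SECRECY_PREFIX = "TLS_RSA_"

SAMPLE_SERVER_CONF = """\
[server]
database_path=/etc/pykmip/pykmip.database
hostname=10.0.0.30
port=5696
certificate_path=/etc/ssl/certs/selfsigned.crt
key_path=/etc/ssl/private/selfsigned.key
ca_path=/etc/ssl/certs/selfsigned.crt
auth_suite=TLS1.2
policy_path=/usr/local/PyKMIP/examples/
enable_tls_client_auth=False
tls_cipher_suites= TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
logging_level=DEBUG
"""


def parse_server_conf(text):
    """Return the [server] section as a dict with lowercased keys."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if "server" not in parser:
        raise ValueError("server.conf has no [server] section")
    return {k.strip().lower(): v.strip() for k, v in parser["server"].items()}


def audit_server_conf(text, check_files=True):
    """Return a list of (severity, message) findings for the config text."""
    cfg = parse_server_conf(text)
    findings = []

    # Without client certificates, any host that can reach TCP/5696 can
    # create and fetch keys; vCenter is not the only possible client.
    if cfg.get("enable_tls_client_auth", "true").lower() == "false":
        findings.append(("high", "enable_tls_client_auth=False: clients are not "
                                 "authenticated; any host reaching the port can request keys"))

    # PyKMIP reads tls_cipher_suites as a whitespace-separated list.
    suites = cfg.get("tls_cipher_suites", "").split()
    weak = [s for s in suites if s.startswith(NO_FORWARD_SECRECY_PREFIX)]
    if weak:
        findings.append(("medium", "cipher suites without forward secrecy enabled: "
                                   + ", ".join(weak)))

    # The server certificate doubling as the CA pins trust to one self-signed
    # cert; rotating it means re-establishing trust in vCenter.
    if cfg.get("ca_path") and cfg.get("ca_path") == cfg.get("certificate_path"):
        findings.append(("low", "ca_path equals certificate_path: the self-signed "
                                "certificate is its own trust root"))

    if cfg.get("logging_level", "").upper() == "DEBUG":
        findings.append(("low", "logging_level=DEBUG: verbose logs record key "
                                "identifiers and client details; use INFO in production"))

    if check_files:
        for key in ("certificate_path", "key_path", "ca_path"):
            path = cfg.get(key)
            if path and not os.path.exists(path):
                findings.append(("high", f"{key} does not exist: {path}"))
        key_path = cfg.get("key_path")
        if key_path and os.path.exists(key_path):
            mode = os.stat(key_path).st_mode & 0o777
            if mode & 0o077:
                findings.append(("high", f"{key_path} is readable by group/other "
                                         f"(mode {mode:o}); chmod 600 it"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_server_conf(SAMPLE_SERVER_CONF, check_files=False):
        print(f"[{severity}] {message}")
```

Run against the post's configuration it reports four findings (unauthenticated clients, two TLS_RSA suites, self-signed trust root, DEBUG logging); with `check_files=True` on the KMS VM it additionally verifies the certificate and key paths exist and that the private key is not group- or world-readable, which matters because the chown commands above hand /etc/ssl/private to an ordinary user.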

4.
export EDITOR=nano
export VISUAL=nano
crontab -e

Paste the following in on a new line:

@reboot ( sleep 30s; python3 /usr/local/PyKMIP/bin/run_server.py & )

This makes sure the server starts automatically at boot. Reboot your VM, or start it now as a background process:

sudo -i
reboot -f
or
python3 /usr/local/PyKMIP/bin/run_server.py &
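Before pointing vCenter at the server it is worth confirming that the KMS actually issues and returns keys over TLS. The following is an added example, not part of this post or of the PyKMIP project: it uses PyKMIP's own ProxyKmipClient (installed by setup.py above) to create an AES-256 key, fetch it back, check its length and destroy it. The address, port and CA path are taken from the server.conf in this post; `client_kwargs_from_server_conf`, `kmip_round_trip`, `key_length_matches` and the constructed `CONSTRUCTED_SERVER_CONF` are this example's own names. It assumes the server runs with enable_tls_client_auth=False as configured, so no client certificate is presented.

```python
"""Smoke-test a running PyKMIP server the way vCenter will use it.

Added example, not part of the original post or of PyKMIP. Derives the client
connection settings from the server's own server.conf, then performs a
create / get / destroy round trip.
"""
import configparser

# Constructed fragment of the post's server.conf with only the keys a client
# needs; the real script reads /etc/pykmip/server.conf instead.
CONSTRUCTED_SERVER_CONF = """\
[server]
hostname=10.0.0.30
port=5696
ca_path=/etc/ssl/certs/selfsigned.crt
"""


def client_kwargs_from_server_conf(text, client_cert=None, client_key=None):
    """Map server.conf values to ProxyKmipClient keyword arguments.

    The client must trust the certificate the server presents, so the server's
    ca_path (the self-signed cert itself in this post) is reused as the CA.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    srv = parser["server"]
    return {
        "hostname": srv["hostname"],
        "port": int(srv["port"]),
        "ca": srv["ca_path"],
        "cert": client_cert,  # only needed once enable_tls_client_auth=True
        "key": client_key,
    }


def key_length_matches(key_value, bits):
    """True when the retrieved key material has the requested size."""
    return isinstance(key_value, (bytes, bytearray)) and len(key_value) * 8 == bits


def kmip_round_trip(hostname, port, ca, cert=None, key=None, bits=256):
    """Create, retrieve and destroy an AES key; return what was observed."""
    # Imported lazily so the pure helpers above work without PyKMIP installed.
    from kmip.core import enums
    from kmip.pie.client import ProxyKmipClient

    client = ProxyKmipClient(hostname=hostname, port=port, cert=cert, key=key, ca=ca)
    with client:  # opens the TLS session and closes it on exit
        uid = client.create(enums.CryptographicAlgorithm.AES, bits)
        fetched = client.get(uid)
        # vCenter wraps its VM encryption keys with what the KMS returns, so
        # the material must come back at the requested length.
        if not key_length_matches(fetched.value, bits):
            raise RuntimeError(f"key {uid} came back with the wrong length")
        client.destroy(uid)
    return {"uid": uid, "key_bits": len(fetched.value) * 8}


if __name__ == "__main__":
    with open("/etc/pykmip/server.conf") as fh:
        settings = client_kwargs_from_server_conf(fh.read())
    print(kmip_round_trip(**settings))
```

Run it on the KMS VM once run_server.py is up; a good run prints the key identifier and 256 bits, and the DEBUG log in /var/log/pykmip shows the three operations. If the TLS handshake fails on hostname verification, connect using the FQDN in the certificate (pykmip-kms-ub.vcf.sddc.lab) rather than the IP. Once you enable client authentication, pass a client certificate and key signed by the CA in ca_path.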

5.
Log in to vCenter.
Click your vCenter.
Click the Configure tab.
Under Security, click Key Providers.
Click Add Standard Key Provider.
Give it a name, a KMS name, an address and a port.
Example:
pykmip-kms-ub
pykmip-kms-ub.vcf.sddc.lab
10.0.0.30
5696

Click “Add Key Provider”.
Click Trust.

Click your provider,
then underneath click your KMS server.

Click “Establish Trust”, then “Make KMS trust vCenter”.
Click “KMS certificate and private key” and then “Next”.

6.
Now, we need to fill in the KMS certificate and private key. On the KMS VM, run:

cat /etc/ssl/certs/selfsigned.crt

Paste the output (including the dashed BEGIN/END lines) under “KMS Certificate”.

cat /etc/ssl/private/selfsigned.key

Paste the output (including the dashed BEGIN/END lines) under “KMS Private Key”.

Click “Establish Trust”.

If you want to tighten security, use certificates issued by a trusted certificate authority.

KMS in Docker with PyKMIP on CentOS 8

CentOS 8 with an IP address that has internet access; change the power options so the machine never sleeps or blanks.

Install Docker Engine

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

sudo yum install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo systemctl start docker
sudo docker run hello-world

Install PyKMIP

docker pull lamw/vmwkmip
docker run --rm -it -p 5696:5696 lamw/vmwkmip

Add the key provider on vCenter (steps 5 and 6 above).

If the server is rebooted, run the following to start the KMS again:

sudo systemctl start docker
sudo docker pull lamw/vmwkmip
sudo docker run --rm -it -p 5696:5696 lamw/vmwkmip

By Kader
