When making connections from the Virtru SaaS to the Virtru Private Keystore (for Virtru Solutions), the session must be secured with a CA-signed Transport Layer Security (TLS) certificate. TLS ensures that the information cannot be read while in transit, and the CA-signed certificate additionally lets the connecting side validate the authenticity of the target server and verify ownership of the domain.
Please note that wildcard certificates are not supported due to the complexity involved in their validation.
Your organization can choose between Domain Validation (DV), Organization Validation (OV), or Extended Validation (EV) certificates from a Certificate Authority (e.g., DigiCert, GoDaddy), depending on your needs and timeline:
DV (Domain Validation):
Description: The simplest certificate type, verifying only domain ownership.
Validation Level: Minimal, with no identity verification.
Time to Issue: Typically issued within minutes to hours.
Use Case: Suitable for encryption to meet compliance or internal standards.
OV (Organization Validation):
Description: Offers more trust than DV by verifying domain control and the organization’s legitimacy.
Validation Level: Moderate, including verification of official business records.
Time to Issue: Typically issued within a few days.
Use Case: Ideal for businesses offering client portals to their organization.
EV (Extended Validation):
Description: The highest level of validation, providing maximum trust through extensive background checks on the organization.
Validation Level: High, verifying the legal, physical, and operational existence of the organization.
Time to Issue: Longer due to the thorough validation process.
Use Case: Best for organizations that require online payment processing.
Certificate Generation
If your organization does not already have an SSL/TLS certificate for your key server's fully qualified domain name, you must first generate a Certificate Signing Request (CSR). Refer to this guide for upgrading the SSL certificate for your key server.
The correct order of certificates for SSL/TLS in a certificate chain is generally as follows:
- Server Certificate: This is the actual certificate issued for your domain (e.g., yourdomain.com).
- Intermediate Certificate(s): These certificates form the chain of trust between the root certificate authority (CA) and your server certificate. There may be multiple intermediates, and they need to be placed in the order specified by your CA.
- Root Certificate: This is the top certificate in the hierarchy and the ultimate trust anchor for the certificate chain. In many cases, you don't need to include the root certificate, as most clients already trust well-known root certificates installed in their systems.
When configuring, the certificate chain file should look like this from top to bottom:
- Server Certificate
- Intermediate Certificate(s) (from lowest to highest in the chain, i.e. the intermediate that issued the server certificate first)
- Root Certificate (if required)
This order ensures that the client can verify the full chain of trust up to the root CA.
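The following script is an added example and is not Virtru's own documentation or tooling. It walks through the two steps above with openssl: it generates a server key and CSR for the key server's FQDN, signs it under a throwaway root CA and intermediate CA, assembles the chain file in the order described (server, then intermediate, then root), and then checks each chain file the way a TLS client would, with the first certificate treated as the server identity. The hostname keystore.example.com, the "Example ..." CA names and the scratch directory are constructed for this demo; a real deployment would submit the CSR to a public CA and use the certificates it returns.

```shell
#!/bin/sh
# Added example (not Virtru's code): build a root -> intermediate -> server
# chain with openssl, assemble the chain file in the documented order, and
# verify it as a client would. All names below are constructed for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. Root CA: the trust anchor (in production, the public CA's root).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

# 2. Intermediate CA, signed by the root; it must itself be marked as a CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile inter.ext -out inter.pem 2>/dev/null

# 3. Server key and CSR for the key server's FQDN (the "generate a CSR" step),
#    then the certificate a CA would return, here signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=keystore.example.com" -keyout server.key -out server.csr 2>/dev/null
printf 'subjectAltName=DNS:keystore.example.com\nbasicConstraints=CA:FALSE\n' > server.ext
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile server.ext -out server.pem 2>/dev/null

# 4. Chain files: the documented order, the same without the root (usually
#    sufficient because clients already trust the root), and a reversed one.
cat server.pem inter.pem root.pem > chain.pem
cat server.pem inter.pem          > chain_noroot.pem
cat root.pem inter.pem server.pem > chain_reversed.pem

# Print the subject CN of every certificate in a chain file, top to bottom.
chain_order() {
  awk '/BEGIN CERT/{c++} {print > ("part" c ".pem")}' "$1"
  for f in part*.pem; do
    openssl x509 -in "$f" -noout -subject | sed 's/.*CN *= *//'
  done
  rm -f part*.pem
}

# CN of the first certificate only: a client checks this one against the
# hostname, so it must be the server certificate.
first_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Verify a chain file as a client does: first certificate = server certificate,
# the rest = untrusted intermediates, $2 = trusted root, $3 = expected hostname.
# Exit status 0 only if the chain builds up to the root and the name matches.
chain_verifies() {
  openssl x509 -in "$1" -out leaf.pem
  awk '/BEGIN CERT/{c++} c>1' "$1" > rest.pem
  openssl verify -CAfile "$2" -untrusted rest.pem -verify_hostname "$3" leaf.pem >/dev/null 2>&1
}

echo "chain.pem order:"; chain_order chain.pem
for c in chain.pem chain_noroot.pem chain_reversed.pem; do
  if chain_verifies "$c" root.pem keystore.example.com; then
    echo "$c: OK (presents $(first_cn "$c"))"
  else
    echo "$c: REJECTED (presents $(first_cn "$c") as the server certificate)"
  fi
done
```

Running it shows chain.pem and chain_noroot.pem accepted, while chain_reversed.pem is rejected: a client takes the first certificate in the file as the server's identity, so a root or intermediate placed first fails the hostname check even though every certificate in the file is valid. The same `openssl verify -untrusted ... -verify_hostname ...` call is a quick pre-deployment check for a chain file you have assembled from a CA's download bundle.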