When connecting from the Virtru SaaS to the Virtru Private Keystore (for Google Workspace CSE), the session must be secured with a CA-signed Transport Layer Security (TLS) certificate. TLS ensures that the information cannot be accessed while in transit and is a method to validate the authenticity of the target server further and verify the domain's ownership.
Please note, Wildcard certificates are not supported due to the complexity involved in their validation.
Step 1: Backup Your CSE
Log into the VPK server.
Before performing any updates, ensure you back up all directories and files.
Commands:
cd /var/virtru
mkdir backup
cd backup
cp -r /var/virtru/cse .Step 2: Generate a Certificate Signing Request (CSR)
Option A (Recommended): Generate a new key + CSR
If you need a new certificate, generate a CSR to send to your certificate authority. Leave the password blank when prompted.
Commands:
cd /var/virtru/cse
openssl req -new -newkey rsa:2048 -nodes -keyout csesrv.example.com.key -out csesrv.example.com.csr- OpenSSL will prompt you for the following details:
- Country Name: (e.g.,
US) - State or Province Name: (e.g.,
California) - Locality Name: (e.g.,
San Francisco) - Organization Name: (e.g.,
Example Inc.) - Organizational Unit Name: (e.g.,
IT) - Common Name: (e.g.,
csesrv.example.com)
- Country Name: (e.g.,
Once complete, you’ll have two files:
- Private key:
csesrv.example.com.key - CSR:
csesrv.example.com.csr
Send the CSR to your certificate authority (i.e., DigiCert, GoDaddy etc.) to obtain the new certificate bundle.
Option B (Optional): Reuse an existing key to make a new CSR
- i) Go to your SSL folder
cd /var/virtru/cse- ii) Verify the existing key information (This confirms the key type, size, and that the file is valid):
openssl rsa -in csesrv.example.com.key -noout -text- Look for the Private-Key section (e.g.,
2048 bit,4096 bit, orECC key). - There should not be a passphrase associated with your private key.
- iii) Generate the new CSR
- Enter this command to use the existing key to create a new CSR:
openssl req -new -key csesrv.example.com.key -out csesrv.example.com_new.csr -sha256- Replace filenames as needed.
- Leave the password field blank.
- When prompted, enter your organization info. The Common Name (CN) should be the FQDN (e.g.,
csesrv.example.com).- Subject → Country, State, Org, Common Name (CN/FQDN)
- Public Key Info → Algorithm (RSA/ECDSA) and key size
Requested Extensions → e.g., Subject Alternative Names (if included)
To inspect the contents of an existing CSR file, you can use:
openssl req -in csesrv.example.com.csr -noout -textCheck that the Subject and all fields are correct.
- iv) Submit the CSR
- Send the CSR (
csesrv.example.com_new.csr) to your Certificate Authority (DigiCert, GoDaddy, etc.) to issue the new certificate.
- Send the CSR (
Step 3: Validate the Certificate and Private Key
Note:
After obtaining the new certificate, convert the certificate bundle into a .cert (certificate) and .key (private key) then verify the certificate matches the private key by comparing their modulus values.
Ensure the acquired certificate is moved and/or copied to the VPK server, then validate your certs with the previously generated private key.
To prevent decryption errors, the order of cert chain in the .cert file must be formatted correctly. The certificate for your CSE FQDN must come before the intermediate and/or root certificates within the .cert file.
Commands:
- Validate the Private Key:
openssl rsa -modulus -noout -in csesrv.example.com.key | openssl md5- Validate the Certificate:
openssl x509 -modulus -noout -in csesrv.example.com.cert | openssl md5- Validate the Certificate Signing Request file:
openssl req -in csesrv.example.com.csr -noout -modulus | openssl md5Compare the Output:
- The MD5 hashes from the private key, certificate signing request file, and the certificate received from the CA provider should match. If they do, the certificate and private key are correctly paired.
- Example:
MD5(stdin)= 6c1560a0ff7a6e2562fe551ff419436eStep 4: Convert the Certificate Bundle to the Correct Format
Ensure the acquired certificate is moved and/or copied to the VPK CSE server.
The VPK CSE requires the SSL certificate in .cert and .key formats:
- .cert bundle: Public certificate and intermediate/root certificates combined.
- .key: Private key.
Ensure the .cert file follows this order:
- Your CSE certificate (must match your CSE server's FQDN)
- Intermediate certificate (if one is provided)
- Root CA certificate
Create the .cert file:
cd /var/virtru/cse
cat [path-to-public-cert][path-to-intermediate-cert][path-to-root-cert] > server.cert
cat [path-to-private-key] > server.key
cat public_cert.pem intermediate.cert root.cert > server.cert
cp csesrv.example.com.key server.key
chmod 644 server.key(Optional) Re-run the modulus comparison to confirm the certificate/key pair.
Step 5: Stop Your Running CSE Container
Stop and remove the running Docker container to ensure the certificate changes take effect.
If you are running multiple CSE servers, remove one server from the load balancer and complete the certificate replacement on that server first. Once you confirm the update is successful, repeat the process on the next server—one server at a time.
Commands:
cd /var/virtru/cse
docker ps -a
docker stop <container-ID>
docker rm <container-ID>Step 5: Start the CSE Containers
After placing the new certificate files in the cse directory, restart the CSE container.
Commands:
cd /var/virtru/cse
sh run.shStep 6: Check the Logs (Optional)
Verify the absence of errors and ensure the Docker containers do not restart repeatedly.
Commands:
cd /var/virtru/cse
docker logs <container-ID> -fStep 7: Validate the CSE Setup (Optional)
Test the /status Endpoint:
Using
curl:curl https://csesrv.example.com/statusUsing a browser: Navigate to:
https://csesrv.example.com/status
Verify the certificate’s updated expiration date.
Validate TLS Configuration: Use the
opensslcommand to verify the certificate:openssl s_client -starttls smtp -crlf -connect csesrv.example.com:443csesrv.example.comcsesrv.example.com
Example Output:--- SSL handshake has read 1528 bytes and written 360 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit ... Verify return code: 0 (ok)
Conclusion
Following these steps ensures your Virtru Private Keystore (CSE) is updated with a valid TLS certificate, providing secure communication and maintaining compliance.