When the Virtru SaaS connects to the Virtru Private Keystore (for Google Workspace CSE), the session must be secured with a CA-signed Transport Layer Security (TLS) certificate. TLS protects the data while in transit, lets the client confirm it is talking to the genuine server, and ties the certificate to a verified owner of the domain name.
Step 1: Backup Your CSE
Before performing any updates, back up all directories and files. The backup contains the server's private key, so keep it readable only by the account that administers the CSE host.
Commands:
cd /var/virtru
mkdir backup
cd backup
cp -r /var/virtru/cse .
Step 2: Stop Your Running CSE
Stop the Docker containers before proceeding. If you run multiple CSE servers, remove this one from the load balancer pool before stopping it so clients are not sent to a server that is down.
Commands:
cd /var/virtru/cse
docker ps -a
docker stop <container-ID>
docker rm <container-ID>
Step 3: Generate a Certificate Signing Request (CSR)
If you need a new certificate, generate a CSR to send to your certificate authority. The -nodes option writes the private key unencrypted, so there is no key passphrase; leave the optional "challenge password" attribute blank when prompted.
Commands:
cd /var/virtru/cse/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout csesrv.example.com.key -out csesrv.example.com.csr
OpenSSL will prompt you for the following details:
- Country Name (e.g., US)
- State or Province Name (e.g., California)
- Locality Name (e.g., San Francisco)
- Organization Name (e.g., Example Inc.)
- Organizational Unit Name (e.g., IT)
- Common Name (e.g., csesrv.example.com): the server's fully qualified domain name, exactly as clients will connect to it
Once complete, you will have two files:
- Private key: csesrv.example.com.key
- CSR: csesrv.example.com.csr
Send only the CSR (never the .key file) to your certificate authority (e.g., DigiCert, GoDaddy) to obtain the new certificate bundle.
Step 4: Validate and Convert the Certificate
After obtaining the new certificate, confirm that it matches the private key, then assemble the certificate bundle into a .cert file and a .key file. The .cert file must contain the certificates in this order:
- Your CKS server certificate (issued for the FQDN)
- Intermediate certificates
- Root certificate
Validate the Certificate and Key Pair:
openssl rsa -modulus -noout -in csesrv.example.com.key | openssl md5
openssl x509 -modulus -noout -in csesrv.example.com.cert | openssl md5
- The two hashes must be identical; if they are, the private key and certificate are correctly paired. (MD5 is used here only to shorten the modulus for comparison, not for any security purpose; any digest works.) If they differ, the certificate was not issued for this key.
- Example:
MD5(stdin)= 6c1560a0ff7a6e2562fe551ff419436e
Convert Certificate Bundle to Proper Format:
- Place the server certificate and the CA bundle in the ssl directory.
- Create the .cert file, server certificate first, then the intermediates, then the root:
cat [path-to-certificate] [path-to-intermediate-cert-1] ... [path-to-intermediate-cert-N] [path-to-root-cert] > csesrv.example.com.cert
- Place the private key. If you generated the CSR in Step 3 as shown, the key is already at /var/virtru/cse/ssl/csesrv.example.com.key. If the key was generated elsewhere, copy it into the ssl directory (do not cat a file onto itself; that truncates it to zero bytes):
cp [path-to-private-key] csesrv.example.com.key
Step 5: Start the CSE Containers
After placing the new certificate files in the ssl directory, restart the CSE.
Commands:
cd /var/virtru/cse
sh run.sh
Step 6: Check the Logs
Check that the logs show no errors and that the Docker containers are not restarting repeatedly.
Commands:
cd /var/virtru/cse
docker logs -f <container-ID>
Step 7: Validate the CSE Setup
- Test the /status endpoint:
  - Using curl: curl -v https://csesrv.example.com/status
    The request must complete without a certificate error, and the "expire date" line in the verbose output must show the new expiration date.
  - Using a browser: navigate to https://csesrv.example.com/status and verify the certificate's updated expiration date.
- Validate the TLS configuration with openssl. The server speaks TLS directly on port 443, so connect without -starttls (that option is only for protocols such as SMTP that upgrade to TLS after a plaintext greeting); -servername sends the hostname in the handshake so the server presents the certificate for that name:
openssl s_client -connect csesrv.example.com:443 -servername csesrv.example.com
openssl rsa -noout -text -in csesrv.example.com.key
openssl x509 -noout -text -in csesrv.example.com.cert
Example output (s_client):
---
SSL handshake has read 1528 bytes and written 360 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
...
Verify return code: 0 (ok)
"Verify return code: 0 (ok)" means the chain the server sent validated against the local trust store. A non-zero code such as 21 (unable to verify the first certificate) usually means the intermediates are missing from the .cert bundle or are in the wrong order.
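The file checks from Step 4 (key/certificate pairing, bundle order) and the expiry check from Step 7, written as shell functions so they can be run before the containers are started. This is an added example, not Virtru's code or script: it builds a throwaway root -> intermediate -> leaf chain with openssl so it runs offline, and the hostname, file names and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Virtru's code). Assumes the openssl CLI is installed.
# Hostname, file names and helper names are assumptions for illustration.
set -eu

FQDN="csesrv.example.com"   # assumed hostname, as in the article

# Create test material in a temp directory and print its path: a root CA,
# an intermediate CA (CA:true), a leaf certificate for $FQDN, and one
# unrelated key to demonstrate a mismatch. (Constructed test data.)
make_test_chain() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -keyout "$d/$FQDN.key" -out "$d/$FQDN.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/$FQDN.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -out "$d/leaf.crt" >/dev/null 2>&1
  openssl genrsa -out "$d/wrong.key" 2048 >/dev/null 2>&1   # key the cert was NOT issued for
  echo "$d"
}

# Step 4 check: does the private key belong to this certificate?
# Same modulus comparison as the article, hashed with SHA-256 instead of MD5.
# Returns 0 on a match, 1 otherwise.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
  [ "$k" = "$c" ]
}

# Build the .cert bundle: the caller passes leaf, intermediates, root in order.
build_bundle() {
  out=$1; shift
  cat "$@" > "$out"
}

# Print only the first PEM block of a bundle (the one the server presents as its own).
bundle_leaf() {
  awk '/BEGIN CERTIFICATE/{n++} n==1' "$1"
}

# Step 4 check: first certificate in the bundle must be the FQDN certificate,
# and the chain it carries must validate up to the given trusted root.
bundle_is_valid() {
  bundle=$1; root=$2; fqdn=$3
  leaf=$(mktemp)
  bundle_leaf "$bundle" > "$leaf"
  openssl x509 -noout -subject -in "$leaf" | grep -q "CN *= *$fqdn" || { rm -f "$leaf"; return 1; }
  # the other certificates in the bundle serve as untrusted intermediates
  openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" >/dev/null 2>&1
  rc=$?
  rm -f "$leaf"
  return $rc
}

# Step 7 style check: is the leaf certificate still valid in N days from now?
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

demo() {
  d=$(make_test_chain)
  build_bundle "$d/$FQDN.cert" "$d/leaf.crt" "$d/int.crt" "$d/root.crt"      # correct order
  build_bundle "$d/wrong-order.cert" "$d/int.crt" "$d/leaf.crt" "$d/root.crt" # intermediate first
  if key_matches_cert "$d/$FQDN.key" "$d/$FQDN.cert"; then echo "key/cert pair: OK"; fi
  if ! key_matches_cert "$d/wrong.key" "$d/$FQDN.cert"; then echo "wrong.key: mismatch (expected)"; fi
  if bundle_is_valid "$d/$FQDN.cert" "$d/root.crt" "$FQDN"; then echo "bundle order/chain: OK"; fi
  if ! bundle_is_valid "$d/wrong-order.cert" "$d/root.crt" "$FQDN"; then echo "wrong-order bundle rejected (expected)"; fi
  if cert_valid_for_days "$d/$FQDN.cert" 7; then echo "cert valid for at least 7 days"; fi
  rm -rf "$d"
}

demo
```

To use the checks on a real deployment, point key_matches_cert at /var/virtru/cse/ssl/csesrv.example.com.key and the assembled .cert, and point bundle_is_valid at the .cert plus the CA's root certificate; openssl verify only checks the first certificate in a file, which is why the leaf is extracted and the rest of the bundle is supplied with -untrusted.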
Conclusion
Following these steps updates your Virtru Private Keystore (CSE) with a valid TLS certificate, keeping communication with the Virtru SaaS secure and the deployment compliant.