This guide includes instructions to configure the Virtru Private Keystore for CSE.
Assumptions:
-
This document assumes you completed the Google Console/Admin Changes.
-
Virtru Private Keystore for Google CSE is configured within your environment.
In the context of Virtru CSE for Gmail with Virtru Private Keystore, the "user's private key" refers to an S/MIME (Secure/Multipurpose Internet Mail Extensions) private key that corresponds to a certificate issued to each user who will use encryption services. This private key is essential for the encryption/decryption process of emails. The user’s private key is part of an S/MIME certificate pair (private key and public key certificate). This key is unique to each user and enables:
- Encryption: Only the intended recipient (with the correct private key) can decrypt emails.
- Decryption: The user’s private key decrypts incoming encrypted emails.
- Digital Signing: Verifies the sender’s identity to prevent tampering.
How to Acquire the User's Private Key
To acquire the private key for each user, you typically need to request an S/MIME certificate from a Certificate Authority (CA) that is trusted by Google Workspace. Here’s the step-by-step process:
1. Choose a Supported Certificate Authority (CA):
- Ensure the CA is compatible with Google Workspace’s S/MIME requirements. Google provides a list of supported CAs in their documentation linked here.
2. Request an S/MIME Certificate for Each User:
- For each user who needs to send or receive encrypted emails, request an S/MIME certificate from the CA.
- When issuing the certificate, ensure that the user’s primary Gmail address is included in the certificate’s Subject Name or in the Subject Alternative Name (SAN) field.
Example of Certificate Fields with Email Address:
1. Subject Name (Common Name - CN):
- The Subject Name field often includes a Common Name (CN), which is typically the user’s full name or their primary email address.
2. Subject Alternative Name (SAN):
- The SAN field allows you to specify multiple identifiers (like email addresses) that the certificate is valid for.
Example Format:
Here’s how these fields might look for a user with the email john.doe@example.com:
Subject Name (Primary Identity of the Certificate)
- Common Name (CN): john.doe@example.com
Subject Alternative Name (SAN) (Additional Valid Identities)
- Email: john.doe@example.com
Example in Certificate Format:
An example certificate with both fields might look like this:
Subject:
CN = john.doe@example.com
Subject Alternative Name (SAN):
Email = john.doe@example.com
Example in OpenSSL Format
When generating a certificate with OpenSSL, you might specify these fields in a configuration file like this:
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
CN = john.doe@example.com
[ req_ext ]
subjectAltName = email:john.doe@example.com
In this configuration:
- The Common Name (CN) field under [req_distinguished_name] is set to the user’s email.
- The subjectAltName under [req_ext] specifies the email in the SAN field.
Why This Matters
Having the user’s email address in these fields ensures that the certificate is associated with the correct user account in Google Workspace, enabling secure S/MIME functionality for encrypted communication in Gmail.
Do the following on your CSE server (if possible).Create necessary directories to store the wrapped private keys and certificates needed for Google Workspace uploads:
sudo mkdir -p /var/virtru/cse/wrapped-private-keys
sudo mkdir -p /var/virtru/cse/private-keys
sudo mkdir -p /var/virtru/cse/p7pem-certs
3. Download and Export the Certificate and Private Key:
- Once the certificate is issued, download it, usually in PKCS12 (
.pfxor.p12) format, which includes both the certificate (public key) and the private key.
-
Extract the Private Key: Use tools like OpenSSL to extract the private key in
.keyformat.
openssl pkcs12 -in user_certificate.pfx -nocerts -out user1@domain.com.key -nodesOr
openssl pkcs12 -in user_certificate.p12 -nocerts -out user1@domain.com.key -nodesthen enter the password and the private key will be generated. -
Extract the Certificate:
openssl pkcs12 -in user_certificate.p12 -clcerts -nokeys -out user1@domain.com.pemthen enter the password and the downloaded user1@domain.com.pem file will contain the extracted certificate. -
Convert the Certificate: to a PKCS#7 using OpenSSL.
openssl crl2pkcs7 -nocrl -certfile user1@domain.com.pem -out user1@domain.com.p7pem -outform PEM
You should now have 3 additional files after running the above commands for cert extraction and conversion.
user1@domain.com.p7pem
user1@domain.com.pem
user1@domain.com.key
4. Store the User’s Private Key Securely:
- Place the private key (
.key) file in a secure directory in the server where you’re running Virtru CSE-
- You may create an optional separate directory to hold your SMIME-related certs and private keys. (i.e.
/var/virtru/cse/smime)
- You may create an optional separate directory to hold your SMIME-related certs and private keys. (i.e.
-
- Each user’s private key file should follow the naming convention (e.g., user1@domain.com.key) and should be stored in the appropriate directory. e.g.,
/var/virtru/cse/private-keys/var/virtru/cse/p7pem-certs
For next steps, see the CSE for Gmail Integration Linux