This guide includes instructions to configure the Virtru Private Keystore for CSE.
Assumptions:
- This document assumes you completed the Google Console/Admin Changes.
- Virtru Private Keystore for Google CSE is configured within your environment.
In the context of Virtru CSE for Gmail with Virtru Private Keystore, the "user's private key" refers to an S/MIME (Secure/Multipurpose Internet Mail Extensions) private key that corresponds to a certificate issued to each user who will use encryption services. This private key is essential for the encryption/decryption process of emails. The user’s private key is part of an S/MIME certificate pair (private key and public key certificate). This key is unique to each user and enables:
- Encryption: Mail is encrypted to the recipient's public key, so only the intended recipient (holding the matching private key) can decrypt it.
- Decryption: The user’s private key decrypts incoming encrypted emails.
- Digital Signing: Proves the sender’s identity and lets the recipient detect tampering.
How to Acquire the User's Private Key
To acquire the private key for each user, you typically need to request an S/MIME certificate from a Certificate Authority (CA) that is trusted by Google Workspace. Here’s the step-by-step process:
1. Choose a Supported Certificate Authority (CA):
- Ensure the CA is compatible with Google Workspace’s S/MIME requirements. Google publishes a list of supported CAs in its documentation.
2. Request an S/MIME Certificate for Each User:
- For each user who needs to send or receive encrypted emails, request an S/MIME certificate from the CA.
- When issuing the certificate, ensure that the user’s primary Gmail address is included in the certificate’s Subject Name or in the Subject Alternative Name (SAN) field.
Example of Certificate Fields with Email Address
1. Subject Name (Common Name - CN):
- The Subject Name field often includes a Common Name (CN), which is typically the user’s full name or their primary email address.
2. Subject Alternative Name (SAN):
- The SAN field allows you to specify multiple identifiers (like email addresses) that the certificate is valid for.
Example Format
Here’s how these fields might look for a user with the email john.doe@example.com:
Subject Name (Primary Identity of the Certificate)
- Common Name (CN): john.doe@example.com
Subject Alternative Name (SAN) (Additional Valid Identities)
- Email: john.doe@example.com
Example in Certificate Format
An example certificate with both fields might look like this:
Subject:
CN = john.doe@example.com
Subject Alternative Name (SAN):
Email = john.doe@example.com
Example in OpenSSL Format
When generating a certificate with OpenSSL, you might specify these fields in a configuration file like this:
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
CN = john.doe@example.com
[ req_ext ]
subjectAltName = email:john.doe@example.com
In this configuration:
- The Common Name (CN) field under [req_distinguished_name] is set to the user’s email.
- The subjectAltName under [req_ext] specifies the email in the SAN field.
Why This Matters
Having the user’s email address in these fields ensures that the certificate is associated with the correct user account in Google Workspace, enabling secure S/MIME functionality for encrypted communication in Gmail.
Do the following on your CSE server (if possible). Create the directories that will hold the wrapped private keys, private keys, and PKCS#7 certificates needed for Google Workspace uploads:
sudo mkdir -p /var/virtru/cse/wrapped-private-keys
sudo mkdir -p /var/virtru/cse/private-keys
sudo mkdir -p /var/virtru/cse/p7pem-certs
3. Download and Export the Certificate and Private Key:
- Once the certificate is issued, download it, usually in PKCS12 (.pfx or .p12) format, which includes both the certificate (public key) and the private key.
- Extract the Private Key: Use tools like OpenSSL to extract the private key in .key format.
openssl pkcs12 -in user_certificate.pfx -nocerts -out user1@domain.com.key -nodes
Or
openssl pkcs12 -in user_certificate.p12 -nocerts -out user1@domain.com.key -nodes
then enter the password and the private key will be written to user1@domain.com.key.
- Extract the Certificate:
openssl pkcs12 -in user_certificate.p12 -clcerts -nokeys -out user1@domain.com.pem
then enter the password and the user1@domain.com.pem file will contain the extracted certificate.
- Convert the Certificate to PKCS#7 (PEM) using OpenSSL:
openssl crl2pkcs7 -nocrl -certfile user1@domain.com.pem -out user1@domain.com.p7pem -outform PEM
4. Store the User’s Private Key Securely:
- Place the .key file in a secure directory on the server where you’re running Virtru CSE, as specified in the instructions.
- Each user’s private key file should follow the naming convention (e.g., user1@domain.com.key) and be stored in the appropriate directory, e.g.:
/var/virtru/cse/private-keys
/var/virtru/cse/p7pem-certs
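The extraction, conversion and naming steps above, as an added shell example that is not part of this guide or of Virtru's tooling. It assumes the output root is passed in as a parameter (the guide uses /var/virtru/cse) and adds the check a practitioner wants before installing anything: that the certificate really names the user in its CN or SAN; make_test_bundle only constructs a self-signed test input.

```shell
#!/usr/bin/env bash
# Added example, not Virtru's code: turn a user's PKCS#12 bundle into the .key and .p7pem
# files the keystore layout expects, and refuse the certificate if it does not name the user.
# extract_user_material <bundle.p12> <password> <user@domain> <out_root>
#   out_root is an assumed parameter; the guide uses /var/virtru/cse.
#   The password is taken as an argument only for illustration; interactively entering it
#   (as the guide does) or using -passin file: keeps it out of the process list.
extract_user_material() {
  local bundle="$1" pass="$2" user="$3" root="$4"
  local keydir="$root/private-keys" p7dir="$root/p7pem-certs" tmp info
  mkdir -p "$keydir" "$p7dir"
  tmp="$(mktemp)"
  # -nodes writes the key unencrypted, so create it owner-readable only (umask in a subshell).
  (umask 077; openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes \
      -out "$keydir/$user.key")
  openssl pkcs12 -in "$bundle" -passin "pass:$pass" -clcerts -nokeys -out "$tmp"
  # The user's Gmail address must be the Subject CN or a SAN email, or Workspace cannot
  # associate the certificate with the account (see "Why This Matters" above).
  info="$(openssl x509 -in "$tmp" -noout -text)"
  if ! printf '%s\n' "$info" | grep -qiF -e "CN = $user" -e "CN=$user" -e "email:$user"; then
    echo "certificate in $bundle does not name $user; not installing it" >&2
    rm -f "$tmp" "$keydir/$user.key"
    return 1
  fi
  # Same conversion as the guide's crl2pkcs7 step, written next to the .key under the user's name.
  openssl crl2pkcs7 -nocrl -certfile "$tmp" -out "$p7dir/$user.p7pem" -outform PEM
  rm -f "$tmp"
}

# make_test_bundle <out.p12> <email> <password>
# Constructs a throwaway self-signed certificate for <email> so the function above can be
# exercised offline; a real deployment uses a certificate from a CA trusted by Google Workspace.
make_test_bundle() {
  local out="$1" email="$2" pass="$3" d
  d="$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$email" \
    -addext "subjectAltName=email:$email" -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" -passout "pass:$pass" -out "$out"
  rm -rf "$d"
}
```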
For next steps, see the CSE for Gmail Integration Linux