This guide includes instructions for wrapping the private keys of your users' S/MIME certificates with the Virtru Private Keystore for Google CSE, as well as steps to validate the configuration.
Assumptions:
- You have completed the Google Console/Admin changes.
- Virtru Private Keystore for Google CSE is configured within your environment.
- You hold S/MIME certificates, and their private keys, on behalf of your users.
1. Log into your CSE server and set up directories/install dependencies:
- Install required dependencies:
sudo apt update
sudo apt install python3 python3-venv python3-pip
- Create the directories that will hold the unwrapped private keys, the wrapped private keys, and the certificates needed for the Google Workspace upload:
mkdir -p /var/virtru/cse/wrapped-private-keys
mkdir -p /var/virtru/cse/private-keys
mkdir -p /var/virtru/cse/p7pem-certs
- Create keyFile.json (the service account credentials) and secrets.json in /var/virtru/cse/ if they don't exist, and paste in the keyFile.json content. The run.sh should reflect the mapping:
-v /var/virtru/cse/keyFile.json:/app/cse/credentials.json \
e.g., keyFile.json:
{
"type": "service_account",
"project_id": "smimie",
"private_key_id": "4b8e9fbc031b0ab1761c023df4d575a32f2e3cab",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBK\n-----END PRIVATE KEY-----\n",
"client_email": "virtru-sa@smimie.iam.gserviceaccount.com",
"client_id": "123456789",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/virtru-sa%40smimie-cse-for-gmail.iam.gserviceaccount.com",
"universe_domain": "googleapis.com"
}
e.g., secrets.json:
{"active":"secret-key","secrets":[{"name":"secret-key","value":"thisisabase64secretvalue="}]}
- Set directory permissions: ensure the /var/virtru/cse directory and all necessary subdirectories have read and execute permissions:
sudo chmod 755 /var/virtru/cse
If you run into any issues, use:
sudo chmod 755 /var/virtru/cse/private-keys
sudo chmod 755 /var/virtru/cse/wrapped-private-keys
sudo chmod 777 /var/virtru/cse/wrapped-private-keys
Caveat: 777 makes wrapped-private-keys writable by every local account on the host. It only works around the container user not owning the directory; prefer fixing ownership (see below), and set the directory back to 755 once the wrap run has finished. Keep the unwrapped user keys in private-keys readable only by the container user (600).
- Set file permissions: specifically for secrets.json, set the permissions to be readable by all users (644):
sudo chmod 644 /var/virtru/cse/secrets.json
sudo chmod 644 /var/virtru/cse/server.key
sudo chmod 644 /var/virtru/cse/server.cert
Caveat: 644 exposes the CSE secret and the TLS private key (server.key) to every local account on the host. When the container runs as root without user-namespace remapping, as the ownership note below assumes, 600 is enough for it to read these files; use 644 only if a non-root container user has to read them.
- Verify ownership: the files should be owned by the user who runs the container, typically root. Check ownership with:
ls -l /var/virtru/cse
2. Acquire and wrap keys:
- Run the following commands:
sudo su
to assume admin privileges.
docker ps
to acquire the container ID.
- Check the CSE Release Notes to find the latest container image tag for later use: cse:v<Latest Tagged Version>
- Note: the key wrap script can also work with the container ID. Use docker inspect for the full container ID:
docker inspect --format="{{.Id}}" <container_name_or_partial_id>
Similarly, docker ps without truncation shows the full container ID:
docker ps --no-trunc
- Copy the keyFile.json content to /var/virtru/cse/. The wrap command below bind-mounts this file into the temporary container as /app/cse/secrets.json:
--mount type=bind,source=/var/virtru/cse/keyFile.json,target=/app/cse/secrets.json
Note that run.sh maps the same file to /app/cse/credentials.json while the wrap command mounts it at /app/cse/secrets.json; confirm which target path your CSE image expects before running the wrap.
- Ensure that the secrets path exists in the cse.env file; if not, add:
SECRET_KEYS_PATH=/app/cse/secrets.json
- Confirm that /var/virtru/cse/secrets.json exists and is valid JSON, and that its content matches the secret the running CSE container uses (the file referenced by SECRET_KEYS_PATH in cse.env):
python3 -m json.tool /var/virtru/cse/secrets.json
- Copy your users' private keys (e.g. user1@domain.com.key) to the server running CSE and place them in /var/virtru/cse/private-keys. This is the wrapper's input directory; wrapped-private-keys receives its output.
- Create /var/virtru/cse/wrapkeys.sh, copy the command below into it, and set the correct FQDN of your CSE server (https://csesrv.yourdomain.com) in --kacls_url. Use the image tag you noted from the release notes in place of v5.9.1:
docker run --env-file /var/virtru/cse/cse.env \
  --mount type=bind,source=/var/virtru/cse/keyFile.json,target=/app/cse/secrets.json \
  --mount type=bind,source=/var/virtru/cse/private-keys,target=/app/private-keys \
  --mount type=bind,source=/var/virtru/cse/wrapped-private-keys,target=/app/wrapped-private-keys \
  -p 8443:9000 containers.virtru.com/cse:v5.9.1 wrap-private-keys \
  --private_keys_path="/app/private-keys" --kacls_url="https://csesrv.yourdomain.com" \
  --wrapped-private-keys_path="/app/wrapped-private-keys"
- Run the script:
sh wrapkeys.sh
Host port 8443 is used because port 443 is already taken by the running CSE container (-p 8443:9000 publishes the temporary container's port 9000 on host port 8443). The command starts a temporary init container that wraps the private keys and writes the wrapped output to /var/virtru/cse/wrapped-private-keys.
3. Validate configuration:
- Ensure each output file in wrapped-private-keys matches the following JSON format, with kacls_url equal to the --kacls_url you passed to the wrapper:
{
"kacls_url": "https://csesrv.yourdomain.com",
"wrapped-private-key": "base64 encoded encrypted RSA key"
}
- Confirm that keys are successfully wrapped and stored in /var/virtru/cse/wrapped-private-keys.
- Once the wrapped output is validated and uploaded, remove the unwrapped copies from /var/virtru/cse/private-keys or move them to offline storage; they are the plaintext S/MIME private keys.
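The secrets.json/cse.env check from step 2 and the output-format check from step 3, combined into one Python script. This is an added example, not part of this guide and not Virtru's code. It assumes the wrapped output is one JSON file per key and that each wrapped file name starts with the private key's base name (neither is stated on the page); the names KACLS_URL, SAMPLE_* and the function names are its own, and the sample data is constructed.

```python
"""Added validation for the key-wrap procedure above (not Virtru code). Checks that cse.env's SECRET_KEYS_PATH and
secrets.json agree, and that each wrapped-key file has the documented JSON shape, an https kacls_url, and an opaque blob."""
import base64
import binascii
import json
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

EXPECTED_KEYS = {"kacls_url", "wrapped-private-key"}
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def parse_env_file(text):
    """Parse KEY=VALUE lines from a cse.env-style file, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def is_base64(value):
    """True if value is a non-empty, correctly padded base64 string."""
    if not isinstance(value, str) or not value or len(value) % 4 or not _B64.match(value):
        return False
    try:
        base64.b64decode(value)
    except (binascii.Error, ValueError):
        return False
    return True

def check_secrets(env_text, secrets_text, expected_path="/app/cse/secrets.json"):
    """Return problems with cse.env's SECRET_KEYS_PATH and the secrets.json document; [] means OK."""
    problems = []
    env = parse_env_file(env_text)
    if env.get("SECRET_KEYS_PATH") != expected_path:
        problems.append(f"SECRET_KEYS_PATH is {env.get('SECRET_KEYS_PATH')!r}, expected {expected_path!r}")
    try:
        secrets = json.loads(secrets_text)
    except json.JSONDecodeError as exc:
        return problems + [f"secrets.json is not valid JSON: {exc}"]
    if not isinstance(secrets, dict):
        return problems + ["secrets.json must be a JSON object"]
    entries = [s for s in secrets.get("secrets", []) if isinstance(s, dict)]
    names = {s.get("name") for s in entries}
    if secrets.get("active") not in names:
        problems.append(f"active secret {secrets.get('active')!r} is not in {sorted(map(str, names))}")
    problems += [f"secret {s.get('name')!r} has an empty value" for s in entries if not s.get("value")]
    return problems

def check_wrapped_key(text, expected_kacls_url):
    """Return problems with one wrapped-key file's contents; [] means it looks good."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict) or set(doc) != EXPECTED_KEYS:
        return [f"expected keys {sorted(EXPECTED_KEYS)}, got {doc!r}"]
    problems = []
    url = doc["kacls_url"]
    if urlparse(url).scheme != "https":
        problems.append(f"kacls_url must use https, got {url!r}")
    if url.rstrip("/") != expected_kacls_url.rstrip("/"):
        problems.append(f"kacls_url {url!r} does not match the --kacls_url passed to the wrapper")
    wrapped = doc["wrapped-private-key"]
    if not is_base64(wrapped):
        problems.append("wrapped-private-key is not base64")
    elif b"-----BEGIN" in base64.b64decode(wrapped):
        # The blob must be ciphertext; a PEM header means the key was only encoded, not wrapped.
        problems.append("wrapped-private-key decodes to a plaintext PEM key; wrapping failed")
    return problems

def check_wrapped_dir(wrapped_dir, private_dir, expected_kacls_url):
    """Validate each *.key in private_dir against its wrapped output (assumes, unstated on the page, that the wrapped file name starts with the key's base name)."""
    wrapped = sorted((p.name, p) for p in Path(wrapped_dir).iterdir() if p.is_file())
    report = {}
    for key in sorted(Path(private_dir).glob("*.key")):
        match = next((p for n, p in wrapped if n.startswith(key.stem)), None)
        report[key.name] = (["no wrapped output found"] if match is None
                            else check_wrapped_key(match.read_text(), expected_kacls_url))
    return report

# Constructed samples (illustrative, not real Virtru output).
KACLS_URL = "https://csesrv.yourdomain.com"  # the --kacls_url from wrapkeys.sh
SAMPLE_ENV = "# cse.env excerpt\nSECRET_KEYS_PATH=/app/cse/secrets.json\n"
SAMPLE_SECRETS = json.dumps({"active": "secret-key", "secrets": [
    {"name": "secret-key", "value": base64.b64encode(b"\x00" * 32).decode()}]})
SAMPLE_GOOD = json.dumps({"kacls_url": KACLS_URL,
                          "wrapped-private-key": base64.b64encode(b"\x02\x91opaque-ciphertext" * 4).decode()})
SAMPLE_PLAINTEXT = json.dumps({"kacls_url": KACLS_URL, "wrapped-private-key": base64.b64encode(
    b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...\n-----END PRIVATE KEY-----\n").decode()})

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: wrapkeys-check.py <wrapped-dir> <private-keys-dir> <kacls-url>")
    for name, problems in check_wrapped_dir(*sys.argv[1:]).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it on the server after sh wrapkeys.sh, for example python3 wrapkeys-check.py /var/virtru/cse/wrapped-private-keys /var/virtru/cse/private-keys https://csesrv.yourdomain.com; every key should print OK. A "plaintext PEM key" result means the wrapper produced an encoded but unencrypted key and the output must not be uploaded; a kacls_url mismatch means the FQDN in wrapkeys.sh differs from the one the Gmail clients will be sent to.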
For next steps, see the CSE for Gmail Integration Python Script Certificates Upload.