How to generate TLS keys
When making connections from the Virtru SaaS to the Virtru Customer Key Server (CKS), the session must be secured with a CA-signed Transport Layer Security (TLS) certificate. TLS ensures that the information cannot be read while in transit, and it also lets the client validate the authenticity of the target server and verify ownership of the domain.
If your organization does not already have an SSL certificate for your server's fully qualified domain name (or a wildcard certificate), you must first generate a Certificate Signing Request (CSR):
openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out server.csr
When you run this command, OpenSSL prompts you for several pieces of certificate information. Answer each question based on your organization, contact information and server FQDN. When it completes you will have your private key (myserver.key) and the CSR (server.csr). Use this CSR to request a CA-signed certificate from the CA your organization has approved for use.
Once the CA has returned a certificate, create a single PEM file for use by the CKS by concatenating the private key, the server certificate and any intermediate certificates, in that order:
cat [path-to-private-key] [path-to-certificate] [path-to-intermediate-cert-1] ... [path-to-intermediate-cert-N] > ssl.pem
Once you have generated your SSL certificates and followed the steps in the Installation section, you will have a Virtru Email Gateway instance running with TLS support. Once it is up and running, use the following openssl command to confirm it is using the correct certificates:
openssl s_client -starttls smtp -crlf -connect <server FQDN or IP>:<port>
Example output from this command sequence can be found below for reference:
---
SSL handshake has read 1528 bytes and written 360 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 06F03A7C2AB0EA3E97cut7CD4A4A6166D551B
    Session-ID-ctx:
    Master-Key: 1A2FF452C3E09F9D7B2DECEcutFB67158960BA6
    Key-Arg   : None
    Start Time: 1370375286
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
...
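As an added example (not code from the Virtru documentation), the shell script below runs the key, CSR and PEM-assembly steps above against a throwaway test CA built in a temporary directory, then checks the resulting ssl.pem the way a reviewer would before deploying it: the private key must be the first block, it must match the first certificate, and the leaf must chain to the trust anchor using only the intermediates bundled in the file. The test CA, the hostname cks.example.com and every file name other than myserver.key, server.csr and ssl.pem are assumptions made for the demonstration; -subj answers the prompts that the interactive command would otherwise ask.

```shell
#!/bin/sh
# Added example, not part of the Virtru documentation: exercise the page's
# key/CSR/PEM steps against a throwaway test CA and check the resulting
# ssl.pem before it is handed to the CKS. The CA, the hostname
# cks.example.com and the file names other than myserver.key, server.csr
# and ssl.pem are constructed for this demonstration.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Extensions that mark the constructed root and intermediate as CAs.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Throwaway root CA (self-signed) and intermediate CA, 1-day validity.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Test Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Test Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1 -extfile ca.ext -out int.crt 2>/dev/null

# Step 1 from the page: server key and CSR (-subj answers the prompts non-interactively).
openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out server.csr -subj "/CN=cks.example.com" 2>/dev/null

# Stand-in for "the CA returns a certificate": the intermediate signs the CSR.
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial -days 1 -out server.crt 2>/dev/null

# Step 2 from the page: key first, then the server certificate, then intermediates.
cat myserver.key server.crt int.crt > ssl.pem

# check_pem PEM CA_BUNDLE: fail unless the PEM is ordered as the CKS expects,
# the key matches the leaf certificate, and the leaf chains to CA_BUNDLE
# using only the intermediates bundled in the PEM.
check_pem() {
    pem=$1
    ca=$2
    # Order check: the first PEM block must be the private key.
    if ! head -n 1 "$pem" | grep -q 'PRIVATE KEY'; then
        echo "FAIL: first PEM block in $pem is not a private key" >&2
        return 1
    fi
    # Key/cert match: the public key derived from the key must equal the one in the first certificate.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: private key in $pem does not match the first certificate" >&2
        return 1
    fi
    # Chain check: leaf must verify against CA_BUNDLE using only the certificates in the PEM.
    openssl x509 -in "$pem" -out "$pem.leaf" 2>/dev/null
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$pem" > "$pem.chain"
    if ! openssl verify -CAfile "$ca" -untrusted "$pem.chain" "$pem.leaf" >/dev/null 2>&1; then
        echo "FAIL: chain in $pem does not verify against $ca" >&2
        return 1
    fi
    echo "OK: $pem is ordered key, leaf, intermediates and verifies against $ca"
    return 0
}

check_pem ssl.pem root.crt
```

A PEM that passes check_pem is also what makes the s_client check above succeed: pointing s_client at your CA bundle with -CAfile should then print Verify return code: 0 (ok). The Verify return code: 21 (unable to verify the first certificate) in the sample output means the client could not build a chain for the server certificate, most commonly because the intermediate certificates were left out of ssl.pem or s_client was not given a trust anchor.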