Have you followed the cutover steps?
If you are on version 1.8.5 or newer and have not cut over to the newer install method, please follow the steps outlined here before continuing below: https://support.virtru.com/hc/en-us/articles/17922693793431-Virtru-Private-Key-store-for-Virtru-Solutions-Existing-Customers-Cutover-Steps-to-one-container
Step 1: Backup Your CKS
Before making any updates, perform a full backup of all directories and files.
Commands:
cd /var/virtru
mkdir backup
cd backup
cp -r /var/virtru/cks .
Step 2: Stop Your Running CKS
Stop the running Docker containers before proceeding. If running multiple CKS servers, remove one from the load balancer before stopping it.
Commands:
cd /var/virtru/cks
docker ps -a
docker stop <container-ID>
docker rm <container-ID>
Step 3: Generate a New Certificate Request (CSR)
If you need a renewed SSL certificate, generate a CSR to send to your certificate authority. Enter your organization's details when prompted; the Common Name must be the CKS FQDN. The -nodes flag leaves the private key unencrypted, so no passphrase is requested for it; leave the optional challenge password blank if prompted.
Commands:
cd /var/virtru/cks/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout cks.example.com.key -out cks.example.com.csr
OpenSSL will prompt you for the following details:
- Country Name (e.g., US)
- State or Province Name (e.g., California)
- Locality Name (e.g., San Francisco)
- Organization Name (e.g., Example Inc.)
- Organizational Unit Name (e.g., IT)
- Common Name (e.g., cks.example.com)
Once complete, you'll have two files:
- Private key: cks.example.com.key
- CSR: cks.example.com.csr
Send the CSR to your certificate authority (e.g., DigiCert, GoDaddy) to obtain the new certificate bundle.
Step 4: Validate the Certificate and Private Key
Note: To prevent decryption errors, the certificate chain in the .crt file must be in the correct order. The certificate for your CKS FQDN must come before the intermediate and/or root certificates.
After obtaining the new certificate, convert the certificate bundle into a .crt (certificate) file and a .key (private key) file, then confirm that they match by comparing their modulus values.
Commands:
- Validate the private key:
openssl rsa -modulus -noout -in cks.example.com.key | openssl md5
- Validate the certificate:
openssl x509 -modulus -noout -in cks.example.com.crt | openssl md5
- Compare the output: the MD5 hashes from both commands must be identical. If they are, the certificate and private key are correctly paired. Because openssl x509 reads only the first certificate in a file, a match also confirms that your CKS certificate is the first one in the .crt bundle. Example:
MD5(stdin)= 6c1560a0ff7a6e2562fe551ff419436e
Step 5: Convert the Certificate Bundle to the Correct Format
The CKS requires the SSL certificate as two files, .crt and .key:
- .crt: your public certificate and the intermediate/root certificates, combined.
- .key: the private key.
Ensure the .crt file follows this order:
- Your CKS certificate (FQDN-specific)
- Intermediate certificates
- Root certificate
Commands:
cd /var/virtru/cks/ssl
cat [path-to-certificate] [path-to-intermediate-cert-1] ... [path-to-intermediate-cert-N] > cks.example.com.crt
cat [path-to-private-key] > cks.example.com.key
Step 6: Start the CKS Containers
After placing the new certificate files in the ssl directory, restart the CKS.
Commands:
cd /var/virtru/cks
sh run.sh
Step 7: Check the Logs
Verify that the Docker containers start without errors and do not continuously restart.
Commands:
cd /var/virtru/cks
docker logs <container-ID> -f
Step 8: Validate the CKS Setup
1. Test the /status Endpoint:
Using curl or a browser, validate the /status endpoint and check for the updated certificate date.
Commands:
curl https://cks.example.com/status
Open in a browser:
https://cks.example.com/status
2. Validate TLS Configuration:
Verify that the correct certificates are being used. The CKS serves HTTPS directly, so s_client connects with TLS from the start and no -starttls option is needed; check that the chain and validity dates it prints match the new .crt. Note that -text on the key prints the private key material, so run that command only on a trusted terminal.
Commands:
openssl rsa -noout -in cks.example.com.key -text
openssl x509 -noout -in cks.example.com.crt -text
openssl s_client -connect <server FQDN or IP>:<port> -servername cks.example.com
Example Output:
---
SSL handshake has read 1528 bytes and written 360 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
...
Verify return code: 0 (ok)
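The checks from Steps 4 and 5 can be run together with the following script, added here as an example (it is not part of the Virtru article or the CKS product; the function name and file paths are assumed). It splits the .crt bundle into its certificates, confirms that the private key matches the first one, confirms that the first one is issued for the CKS FQDN, and checks that each certificate's issuer is the subject of the next, so a bundle assembled in the wrong order is rejected before the containers are restarted.

```shell
# check_cks_bundle FQDN BUNDLE.crt KEY.key   (added example; names are assumed)
# Returns 0 when the key matches the first cert, the first cert is for FQDN,
# and every cert's issuer is the subject of the certificate that follows it.

# Write each certificate in a PEM bundle to its own file under directory $2.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$1"
}

check_cks_bundle() {
  fqdn=$1; crt=$2; key=$3
  tmp=$(mktemp -d) || return 1
  split_bundle "$crt" "$tmp"
  set -- "$tmp"/cert*.pem
  [ -f "$1" ] || { echo "no certificates found in $crt"; rm -rf "$tmp"; return 1; }

  # 1. Private key and first (leaf) certificate must share a non-empty modulus
  #    (the Step 4 check, applied explicitly to the bundle's first block).
  kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
  cmod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
  if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
    echo "modulus mismatch: $key does not match the first certificate in $crt"
    rm -rf "$tmp"; return 1
  fi

  # 2. The first certificate must be the CKS certificate (CN or SAN = FQDN).
  if ! openssl x509 -noout -subject -text -in "$1" | grep -qF "$fqdn"; then
    echo "first certificate in $crt is not for $fqdn (wrong chain order?)"
    rm -rf "$tmp"; return 1
  fi

  # 3. Leaf -> intermediate -> root: each issuer must equal the next subject.
  prev=$1; shift
  for next in "$@"; do
    issuer=$(openssl x509 -noout -issuer -in "$prev" | sed 's/^issuer=//')
    subject=$(openssl x509 -noout -subject -in "$next" | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "chain break: issuer of $prev is not the subject of $next"
      rm -rf "$tmp"; return 1
    fi
    prev=$next
  done
  rm -rf "$tmp"
  echo "ok: $crt is ordered leaf -> root and matches $key"
}
```

Run it as check_cks_bundle cks.example.com /var/virtru/cks/ssl/cks.example.com.crt /var/virtru/cks/ssl/cks.example.com.key before Step 6; a non-zero exit means the bundle should be reassembled.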
Conclusion
Following these steps ensures your Virtru Private Keystore (CKS) is updated with a valid TLS certificate, providing secure communication and maintaining compliance.