HomeDocumentationAPI Reference
Log In

PrivX CA as Sub CA in CA Hierarchy

Suggest Edits

PrivX Authorizer issues access certificates using its own CA, which is self-signed by default. For production deployments we recommend replacing the Authorizer CA with one signed by a trusted certificate authority.

The exact commands for generating a certificate signing request (CSR) depend on whether the CSR is generated for the default or non-default access group.

📘

Note

The following procedures use ​<key_id>, ​<cert_id>​​ and <ag_id> to substitute for PrivX-CA-key ID, the Authorizer-certificate ID, and the access-group ID respectively. Be careful not to mix them up.

Generating a Sub-CA Certificate for Default Access Group

  1. Gain root-terminal access to a PrivX server, and display the PrivX-CA-key ID by running:

    # /opt/privx/bin/keyvault-tool -name "PrivX CA Key" list-asymmetric

  2. Generate a Certificate-Signing Request (CSR) for the CA private key (replace ​<key_id>​​ with the PrivX-CA-key ID):

    # /opt/privx/bin/cert-tool -command create -type authorizer-ca \
-subject "OU=PrivX Authorizer CA/CN=PrivX CA" \
-nv -key <key_id> -csr -csrout privx-im-ca.csr

    This creates the CSR to the file ​privx-im-ca.csr​​ in your current working directory.

  3. Request a trusted CA to sign the CSR with the following constraints:

    • ​​keyUsage​ must include: ​Digital Signature, Key Agreement, Certificate Sign, CRL Sign​​

    • ​​basicConstraints​ must be: ​CA:TRUE, pathlen:0​​

Optionally the CA may attach name constraints. See X.509 Certificate Name Constraints for more information.

After the trusted CA provides you with the signed certificate, you may verify its constraints with (replace ​privx-im-ca.crt ​​ with the path to the signed certificate):

$ openssl x509 -text -noout -in ​privx-im-ca.crt ​​

  1. Replace the Authorizer certificate. First, obtain the ID of the current Authorizer certificate:

    # /opt/privx/bin/cert-tool -command list -type authorizer-ca

    Then delete the current Authorizer certificate (replace ​<cert_id>​​ with the Authorizer-certificate ID):

    # /opt/privx/bin/cert-tool -command delete -id ​<cert_id>​​

    Finally, import the signed certificate (replace ​<key_id> with the PrivX-CA-key ID, replace ​privx-im-ca.crt ​​ with the path to the signed certificate):

    # /opt/privx/bin/cert-tool -command import -type authorizer-ca \
-key ​<key_id>​ -in ​privx-im-ca.crt​​

  2. On all PrivX servers, restart the PrivX services to apply the changes:

    # systemctl restart privx

    Subsequent certificates issued by PrivX are signed using the new trusted Authorizer CA certificate.

Generating a Sub CA Certificate for Non-default Access Group

  1. Resolve the access-group ID.

  2. Gain root-terminal access to a PrivX server, and display the access-group-CA-key IDs by running:

    # keyvault-tool -nv -format name,id list-asymmetric | grep "/ca/accessgroup/"

The access-group-CA-key name is "/ca/accessgroup/<ag_id>". Find the correct access group and its CA-key ID.

  1. Generate a Certificate-Signing Request (CSR) for the CA private key (replace ​<key_id>​​ with the access-group-CA-key ID and ag_id with the access-group ID):

    # /opt/privx/bin/cert-tool -command create -type authorizer-ca \
-subject "OU=PrivX Authorizer CA <ag_id>/CN=PrivX CA" \
-nv -key <key_id> -csr -csrout privx-im-ca.csr

    This creates the CSR to the file ​privx-im-ca.csr​​ in your current working directory.

  2. Request a trusted CA to sign the CSR with the following constraints:

    • ​​keyUsage​ must include: ​Digital Signature, Key Agreement, Certificate Sign, CRL Sign​​

    • ​​basicConstraints​ must be: ​CA:TRUE, pathlen:0​​

Optionally the CA may attach name constraints. See X.509 Certificate Name Constraints for more information.

After the trusted CA provides you with the signed certificate, you may verify its constraints with (replace ​privx-im-ca.crt ​​ with the path to the signed certificate):

$ openssl x509 -text -noout -in ​privx-im-ca.crt ​​

  1. Replace the Authorizer certificate. First, obtain the ID of the current Authorizer certificate:

    # /opt/privx/bin/cert-tool -command list -type authorizer-ca

    Then delete the current Authorizer certificate (replace ​<cert_id>​​ with the Authorizer-certificate ID):

    # /opt/privx/bin/cert-tool -command delete -id ​<cert_id>​​

    Finally, import the signed certificate (replace ​<key_id> with the PrivX-CA-key ID, replace ​privx-im-ca.crt ​​ with the path to the signed certificate):

    # /opt/privx/bin/cert-tool -command import -type authorizer-ca \
-key ​<key_id>​ -in ​privx-im-ca.crt​​

  2. On all PrivX servers, restart the PrivX services to apply the changes:

    # systemctl restart privx

    Subsequent certificates issued by PrivX are signed using the new trusted Authorizer CA certificate.

Updated about 2 months ago