PrivX CA as Sub CA in CA Hierarchy
PrivX Authorizer issues access certificates using its own CA, which is self-signed by default. For production deployments we recommend replacing the Authorizer CA with one signed by a trusted certificate authority.
The exact commands for generating a certificate signing request (CSR) depend on whether the CSR is generated for the default or non-default access group.
Note: The following procedures use <key_id>, <cert_id> and <ag_id> as placeholders for the PrivX-CA-key ID, the Authorizer-certificate ID and the access-group ID respectively. Be careful not to mix them up.
Generating a Sub-CA Certificate for Default Access Group

- Gain root-terminal access to a PrivX server, and display the PrivX-CA-key ID by running:

    # /opt/privx/bin/keyvault-tool -name "PrivX CA Key" list-asymmetric

- Generate a Certificate-Signing Request (CSR) for the CA private key (replace <key_id> with the PrivX-CA-key ID):

    # /opt/privx/bin/cert-tool -command create -type authorizer-ca \
        -subject "OU=PrivX Authorizer CA/CN=PrivX CA" \
        -nv -key <key_id> -csr -csrout privx-im-ca.csr

  This writes the CSR to the file privx-im-ca.csr in your current working directory.

- Request a trusted CA to sign the CSR with the following constraints:

  - keyUsage must include: Digital Signature, Key Agreement, Certificate Sign, CRL Sign
  - basicConstraints must be: CA:TRUE, pathlen:0
  - Optionally the CA may attach name constraints. See X.509 Certificate Name Constraints for more information.

  After the trusted CA provides you with the signed certificate, you may verify its constraints with (replace privx-im-ca.crt with the path to the signed certificate):

    $ openssl x509 -text -noout -in privx-im-ca.crt

- Replace the Authorizer certificate. First, obtain the ID of the current Authorizer certificate:

    # /opt/privx/bin/cert-tool -command list -type authorizer-ca

  Then delete the current Authorizer certificate (replace <cert_id> with the Authorizer-certificate ID):

    # /opt/privx/bin/cert-tool -command delete -id <cert_id>

  Finally, import the signed certificate (replace <key_id> with the PrivX-CA-key ID, and privx-im-ca.crt with the path to the signed certificate):

    # /opt/privx/bin/cert-tool -command import -type authorizer-ca \
        -key <key_id> -in privx-im-ca.crt

- On all PrivX servers, restart the PrivX services to apply the changes:

    # systemctl restart privx

Subsequent certificates issued by PrivX are signed using the new trusted Authorizer CA certificate.
Generating a Sub CA Certificate for Non-default Access Group

- Resolve the access-group ID.

- Gain root-terminal access to a PrivX server, and display the access-group-CA-key IDs by running:

    # keyvault-tool -nv -format name,id list-asymmetric | grep "/ca/accessgroup/"

  The access-group-CA-key name is "/ca/accessgroup/<ag_id>". Find the correct access group and its CA-key ID.

- Generate a Certificate-Signing Request (CSR) for the CA private key (replace <key_id> with the access-group-CA-key ID and <ag_id> with the access-group ID):

    # /opt/privx/bin/cert-tool -command create -type authorizer-ca \
        -subject "OU=PrivX Authorizer CA <ag_id>/CN=PrivX CA" \
        -nv -key <key_id> -csr -csrout privx-im-ca.csr

  This writes the CSR to the file privx-im-ca.csr in your current working directory.

- Request a trusted CA to sign the CSR with the following constraints:

  - keyUsage must include: Digital Signature, Key Agreement, Certificate Sign, CRL Sign
  - basicConstraints must be: CA:TRUE, pathlen:0
  - Optionally the CA may attach name constraints. See X.509 Certificate Name Constraints for more information.

  After the trusted CA provides you with the signed certificate, you may verify its constraints with (replace privx-im-ca.crt with the path to the signed certificate):

    $ openssl x509 -text -noout -in privx-im-ca.crt

- Replace the Authorizer certificate. First, obtain the ID of the current Authorizer certificate:

    # /opt/privx/bin/cert-tool -command list -type authorizer-ca

  Then delete the current Authorizer certificate (replace <cert_id> with the Authorizer-certificate ID):

    # /opt/privx/bin/cert-tool -command delete -id <cert_id>

  Finally, import the signed certificate (replace <key_id> with the PrivX-CA-key ID, and privx-im-ca.crt with the path to the signed certificate):

    # /opt/privx/bin/cert-tool -command import -type authorizer-ca \
        -key <key_id> -in privx-im-ca.crt

- On all PrivX servers, restart the PrivX services to apply the changes:

    # systemctl restart privx

Subsequent certificates issued by PrivX are signed using the new trusted Authorizer CA certificate.
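The signing and verification step (the third step in both procedures above) is the part that the PrivX tooling does not do for you, so the following is an added example, not taken from the PrivX documentation and not part of the product. It is a POSIX shell script that uses the openssl CLI to build a throwaway root CA, signs a CSR shaped like the one cert-tool emits with exactly the required basicConstraints and keyUsage (through an openssl extension file that the signing CA could reuse), and then checks the result mechanically instead of by reading openssl x509 -text output by eye. It also signs a second copy with a lax profile to show the check rejecting a certificate that lacks pathlen:0 and the key-usage bits. Everything it creates (the Demo Root CA, the file names, the .ext profiles, the commented nameConstraints line) is constructed for the example, and it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not part of the PrivX documentation or tooling.
# Builds a throwaway two-level CA with the openssl CLI (1.1.1+ assumed on PATH),
# signs a PrivX-style CSR with the constraints the page requires, and checks
# the signed certificate before it would be imported with cert-tool.
# Every name below (Demo Root CA, file names, the .ext profiles) is constructed.
set -u

# Extension profile the trusted CA applies when signing the PrivX CSR.
write_subca_profile() {  # write_subca_profile <output file>
    cat > "$1" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyAgreement, keyCertSign, cRLSign
# Optional: name constraints limit what the sub-CA may issue, e.g.
# nameConstraints = permitted;DNS:.example.internal
EOF
}

# Sign a CSR with the demo root using a given extension profile.
sign_csr() {  # sign_csr <work dir> <csr> <ext profile> <output cert>
    openssl x509 -req -in "$2" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -extfile "$3" -out "$4" 2>/dev/null
}

# Create a demo root CA and a CSR shaped like the one cert-tool emits, then
# sign it twice: sub.crt with the required profile, lax.crt with a profile
# that omits pathlen and keyUsage (the failure case the check must catch).
make_demo_chain() {  # make_demo_chain <work dir>
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/root.key" 2>/dev/null
    openssl req -x509 -new -key "$1/root.key" -out "$1/root.crt" -days 1 \
        -subj "/CN=Demo Root CA" -config "$1/req.cnf" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/sub.key" 2>/dev/null
    openssl req -new -key "$1/sub.key" -out "$1/sub.csr" \
        -subj "/OU=PrivX Authorizer CA/CN=PrivX CA" -config "$1/req.cnf" 2>/dev/null
    write_subca_profile "$1/subca.ext"
    printf 'basicConstraints = CA:TRUE\n' > "$1/lax.ext"
    sign_csr "$1" "$1/sub.csr" "$1/subca.ext" "$1/sub.crt"
    sign_csr "$1" "$1/sub.csr" "$1/lax.ext" "$1/lax.crt"
}

# Pull the value line that follows a given X509v3 extension header.
ext_value() {  # ext_value <cert> <header text>
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -v h="$2" 'index($0, h) {getline; sub(/^ */, ""); print; exit}'
}

# Check a signed sub-CA certificate against the page's requirements: it must
# chain to the issuer, carry basicConstraints CA:TRUE,pathlen:0 and a keyUsage
# that includes all four listed bits. Returns 0 only if every check holds.
check_subca_constraints() {  # check_subca_constraints <cert> <issuer cert or bundle>
    rc=0
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
        { echo "chain does not verify against $2"; rc=1; }
    bc=$(ext_value "$1" "X509v3 Basic Constraints")
    case "$bc" in
        *"CA:TRUE, pathlen:0"*) ;;
        *) echo "basicConstraints is '${bc:-absent}', need CA:TRUE, pathlen:0"; rc=1 ;;
    esac
    ku=$(ext_value "$1" "X509v3 Key Usage")
    for want in "Digital Signature" "Key Agreement" "Certificate Sign" "CRL Sign"; do
        case "$ku" in
            *"$want"*) ;;
            *) echo "keyUsage lacks: $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demo: sub.crt passes, lax.crt is rejected.
run_demo() {
    d=$(mktemp -d)
    make_demo_chain "$d"
    for c in sub lax; do
        echo "== $c.crt"
        check_subca_constraints "$d/$c.crt" "$d/root.crt" && echo "OK to import" || echo "REJECT"
    done
    rm -rf "$d"
}

run_demo
```

Run it as-is to see sub.crt accepted and lax.crt rejected. To check a certificate returned by your own CA, call check_subca_constraints privx-im-ca.crt with the issuing CA's certificate (or a bundle of its chain) as the second argument before the cert-tool import step. The check only inspects the extension values the page lists; if the CA attached name constraints, review those separately, since whether they fit your deployment is a policy question the script cannot answer.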