Blindfold your TLS Certificates

Objective

This document provides instructions on how to encrypt the private key of your TLS certificate with Volterra Blindfold before it is stored in the Volterra SaaS portal. The encryption is performed on your own machine against a Volterra public key and a secret policy, so the portal only ever holds the encrypted key and only the components permitted by the policy can decrypt it. To know more about Blindfold and secrets management, see Volterra Blindfold.

The following image illustrates the sequence of actions performed by Volterra in securing the certificates.

Figure: Volterra Blindfold

Using the instructions provided in this guide, you can encrypt a TLS private key with Blindfold and apply it, together with its certificate, to a virtual host.


Prerequisites

The following prerequisites apply:

  • VES account

    Note: If you do not have an account, see Create a VES Account.

  • A virtual host with a signed TLS certificate

    Note: If you do not have a virtual host, see Create a Virtual Host.

  • The vesctl tool. Download vesctl to your local machine, as it is used to apply Blindfold to the TLS private key.
  • Optionally, one or more cloud or edge locations with a Volterra site

    Note: Install the Volterra node or cluster image in your cloud or edge location. See How to Create a Site for more information.


Configuration

The following image shows the configuration sequence of applying Blindfold encryption to your TLS certificate.

Figure: Encrypting TLS-Key using Blindfold

Configuration Sequence

Applying Blindfold to the TLS key of your web application consists of the following phases:

  • Create a Secret Policy: Create a policy that permits Volterra Wingman and the data plane to decrypt the TLS private key.
  • Prepare Credentials and Policy: Retrieve API credentials from VoltConsole, derive the API certificate and key from them, fetch the Blindfold public key, and fetch the policy document.
  • Encrypt TLS Key: Perform the encryption on a local computer. An air-gapped computer is recommended, because the cleartext private key must be present on the machine that runs the encryption.
  • Enable TLS on the Virtual Host: Update the virtual host configuration with the certificate and with the private key encrypted with Volterra Blindfold.

Note: Download the API credentials as a PKCS #12 (.p12) file; the API certificate and key are extracted from it in the Prepare Credentials and Policy phase.


Create a Secret Policy

The secret policy allows Wingman and the Volterra data plane to decrypt the Blindfold-encrypted TLS private key. Without a policy that permits them, the key cannot be used to serve TLS.

Step 1: Select the namespace where you want to create your Secret Policy. Select Security from the configuration menu and Secret Management from the options pane. Select Policies and click Add secret policy. The policy creation form gets loaded.

Step 2: In the loaded form, select First Rule Match for the Rule Combining Algorithm field. Click Allow Volterra to permit the Volterra data plane to decrypt the encrypted TLS private key.

Figure: Create Secret Policy


Prepare Credentials and Policy

Step 1: Select system namespace. Select IAM from the configuration menu and API Credentials from the options pane. Click Create credentials.

Figure: Create Volterra API Credentials

Step 2: Provide a name for the credentials, select Credential type as API Certificate, and provide a password to protect the credentials. Click Download. The credentials are downloaded as a password-protected PKCS #12 (.p12) file.

Figure: Volterra API Credentials

Step 3: Derive the API certificate from the downloaded PKCS #12 file. This example shows how to derive the certificate using OpenSSL.

openssl pkcs12 -nokeys -in demo-api-credentials.p12 -out demo-api.crt

Note: This step prompts for the import password. Enter the password you set in Step 2; the certificate is written in PEM form to demo-api.crt.

Step 4: Derive the API private key from the downloaded PKCS #12 file. Enter the following command:

openssl pkcs12 -nocerts -nodes -in demo-api-credentials.p12 -out demo-api.key

Note: This step prompts for the import password; enter the password you set in Step 2. Because -nodes is specified, the private key is written to demo-api.key unencrypted, so restrict access to the file (for example, chmod 600) and delete it once the procedure is complete.

Step 5: Obtain the Blindfold public key of your tenant using vesctl and store the output in a file. This example stores the output in a file named demo-api-pubkey.

vesctl --cert file:///demo-api.crt --key file:///demo-api.key -u https://demo-api.console.ves.volterra.io/api request secrets get-public-key > demo-api-pubkey

Note: For the --cert and --key options, specify the path to the certificate file and key file derived in Step 3 and Step 4 respectively. For the -u option, specify the API URL of your tenant; the examples use a tenant named demo-api.

The following output capture shows a sample public key (the modulus is abridged):

data:
  keyVersion: 1
  modulusBase64: rc3DxZa69sWeIn9NRrHGcZlZaXLHWYjc57jIS76Z47AcU0jDmodz3lNEysVO2swNAUn8p6yiuvf8Vj4LUuWB++LdP2yYX5ftEHmMgnHVq4AdKFBp5zbrh15g7mS0lpdX/xG6h0+IdHyrWPoIg/hZwYyV9xmIOcFc1Jk5PZC554hchHbToQ==
  publicExponentBase64: A6ur/Xk=
  tenant: volterra-demo1

Step 6: Obtain a policy-document using vesctl and store the output to a file. This example stores the output to a file named demo-api-policy.

vesctl --cert file:///demo-api.crt --key file:///demo-api.key -u https://demo-api.console.ves.volterra.io/api request secrets get-policy-document --namespace system --name demo-api-https-policy > demo-api-policy

Note: For the --cert and --key options, specify the path to the certificate file and key file derived in Step 3 and Step 4 respectively. For --namespace and --name, specify the namespace and the name of the secret policy created in the Create a Secret Policy section (demo-api-https-policy in this example), not the API credentials object.

The following output capture shows a sample policy document.

data:
  policyId: "104"
  policyInfo:
    rules: []
  tenant: volterra-demo1

Step 7: Base64-encode the certificate. The resulting string is used as the certificate URL when the certificate is associated with the virtual host.

openssl base64 -in <certificate>

Note: The <certificate> file is your server certificate in PEM format, followed by the intermediate certificates if the chain requires them. openssl base64 wraps its output at 64 characters; add the -A option to obtain a single line that can be pasted into the Certificate URL field.


Encrypt TLS Key Using Blindfold

Step 1: Use vesctl to encrypt the TLS private key with Blindfold and store the returned encrypted key for use in the virtual host configuration. This example encrypts the key file privkey.pem and stores the output in a file named bl-enckey.

vesctl --cert file:///demo-api.crt --key file:///demo-api.key -u https://demo-api.console.ves.volterra.io/api request secrets encrypt --policy-document demo-api-policy --public-key demo-api-pubkey privkey.pem > bl-enckey

Note: Provide the API certificate and key derived in Steps 3 and 4, and the public key and policy document obtained in Steps 5 and 6, of the Prepare Credentials and Policy section. privkey.pem is the cleartext TLS private key; remove it from the machine once the encrypted output has been saved.

The following output capture shows a sample encrypted key (truncated).

Encrypted Secret (Base64 encoded):
AAAACWN1c3RvbWVyMQAAAAEAAAAAAAAAaAIAAAAFA6ur/XkAAAEArc3DxZa69sWeIn9NRrHGcZlZaXLHWYjc57jIS76Z47AcU0jDmodz3lNEysVO2s
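
Before pasting the encrypted string into a virtual host, it is worth confirming that it was produced for the intended tenant, key version and secret policy, since a key encrypted under the wrong policy cannot be decrypted by the data plane. The sample above is not fully opaque: it starts with a plaintext header that contains exactly those values. The following script is an added example, not part of this page or of vesctl; it parses that header according to a layout inferred from the page's own sample (an assumption, since the format is not documented here), compares it with the get-public-key and get-policy-document outputs copied from the page, and copes with the sample being truncated part-way through the modulus.

```python
import base64
import struct

# Sample values copied from the page's output captures. The encrypted secret
# is the abridged sample the page shows, so it ends part-way through the RSA
# modulus; the parser below has to cope with that.
SAMPLE_ENCRYPTED = (
    "AAAACWN1c3RvbWVyMQAAAAEAAAAAAAAAaAIAAAAFA6ur/XkAAAEA"
    "rc3DxZa69sWeIn9NRrHGcZlZaXLHWYjc57jIS76Z47AcU0jDmodz3lNEysVO2s"
)
SAMPLE_PUBKEY = {
    "keyVersion": 1,
    "modulusBase64": "rc3DxZa69sWeIn9NRrHGcZlZaXLHWYjc57jIS76Z47AcU0jDmodz3lNEysVO2swN"
                     "AUn8p6yiuvf8Vj4LUuWB++LdP2yYX5ftEHmMgnHVq4AdKFBp5zbrh15g7mS0lpdX"
                     "/xG6h0+IdHyrWPoIg/hZwYyV9xmIOcFc1Jk5PZC554hchHbToQ==",
    "publicExponentBase64": "A6ur/Xk=",
}
SAMPLE_POLICY = {"policyId": "104", "tenant": "volterra-demo1"}


def b64decode_lenient(text):
    """Decode base64 that may be line-wrapped or missing its '=' padding."""
    s = "".join(text.split())
    return base64.b64decode(s + "=" * (-len(s) % 4))


class _Reader:
    """Cursor over the decoded blob; raises ValueError on a short read."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("blob truncated at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self.take(8))[0]


def parse_blindfold_header(encrypted_b64):
    """Parse the plaintext header that precedes the ciphertext.

    Layout inferred from the page's sample (an assumption, not a documented
    format): u32 tenant length, tenant, u32 key version, u64 policy id, one
    type byte, u32 exponent length, exponent, u32 modulus length, modulus.
    Anything after the modulus is treated as opaque ciphertext.
    """
    r = _Reader(b64decode_lenient(encrypted_b64))
    tenant = r.take(r.u32()).decode("utf-8")
    key_version = r.u32()
    policy_id = r.u64()
    type_byte = r.take(1)[0]
    exponent = r.take(r.u32())
    modulus_len = r.u32()
    # Tolerate a truncated sample: take whatever part of the modulus exists.
    modulus = r.take(min(modulus_len, len(r.data) - r.pos))
    return {
        "tenant": tenant,
        "key_version": key_version,
        "policy_id": policy_id,
        "type_byte": type_byte,
        "public_exponent": exponent,
        "modulus_len": modulus_len,
        "modulus": modulus,
        "modulus_truncated": len(modulus) < modulus_len,
        "ciphertext_len": len(r.data) - r.pos,
    }


def check_blindfold_blob(encrypted_b64, pubkey, policy):
    """Compare the blob header with the get-public-key and get-policy-document
    outputs. Returns a list of findings; an empty list means everything matches."""
    hdr = parse_blindfold_header(encrypted_b64)
    findings = []
    if hdr["tenant"] != policy["tenant"]:
        findings.append("tenant %r in blob, policy document is for %r"
                        % (hdr["tenant"], policy["tenant"]))
    if hdr["key_version"] != int(pubkey["keyVersion"]):
        findings.append("keyVersion %d in blob, public key is version %s"
                        % (hdr["key_version"], pubkey["keyVersion"]))
    if hdr["policy_id"] != int(policy["policyId"]):
        findings.append("policyId %d in blob, policy document is %s"
                        % (hdr["policy_id"], policy["policyId"]))
    if hdr["public_exponent"] != b64decode_lenient(pubkey["publicExponentBase64"]):
        findings.append("public exponent does not match get-public-key output")
    expected_mod = b64decode_lenient(pubkey["modulusBase64"])
    n = min(len(hdr["modulus"]), len(expected_mod))
    if hdr["modulus"][:n] != expected_mod[:n]:
        findings.append("modulus does not match get-public-key output")
    if hdr["modulus_truncated"]:
        findings.append("blob is truncated: %d of %d modulus bytes present, no ciphertext"
                        % (len(hdr["modulus"]), hdr["modulus_len"]))
    return findings


if __name__ == "__main__":
    for f in check_blindfold_blob(SAMPLE_ENCRYPTED, SAMPLE_PUBKEY, SAMPLE_POLICY) or ["ok"]:
        print(f)
```

Run against the page's samples, the check reports two findings: the blob was produced for tenant customer1 while the sample policy document belongs to volterra-demo1 (the page's captures evidently come from different runs), and the blob is truncated. Key version, policy ID 104, exponent and the visible part of the modulus all agree with the sample public key. On a real bl-enckey file the header should match your own tenant, and any mismatch means the key was encrypted under the wrong policy or an outdated public key and should be regenerated rather than applied.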

Enable TLS on the Virtual Host

Step 1: Select Manage from the configuration menu and Virtual Hosts from the options pane. Choose your virtual host from the list and open its edit form.

Step 2: Click TLS parameters to load the TLS parameters configuration form.

Figure: Virtual Host TLS Config

Step 3: Click Add TLS certificate to load the TLS certificate configuration form.

Figure: Virtual Host Add TLS Certificate

Step 4: In the Certificate URL field, enter the certificate in clear (non-Blindfold) form, using the base64 string produced in Step 7 of the Prepare Credentials and Policy section; the certificate is public and does not need to be encrypted. Then click Private key.

Figure: Virtual Host Add TLS Certificate

Step 5: Select Blindfold Secret Info for the Secret info oneof field.

Figure: Virtual Host Add TLS Certificate Private Key

Step 6: Enter the encrypted string obtained in the Encrypt TLS Key Using Blindfold section in the Location field. Leave the secret encoding type at its default, EncodingNone, because the vesctl output is used as-is.

Figure: Virtual Host Add TLS Certificate Private Key

Applying the above configuration enables TLS on the virtual host with a private key that is encrypted with Blindfold; the key is decrypted only by the components that the secret policy permits.

