This document provides instructions on how to encrypt your TLS certificates using Volterra Blindfold. This adds a further layer of protection for the certificates stored in the Volterra SaaS portal. To learn more about Blindfold and secrets management, see Volterra Blindfold.
The following image illustrates the sequence of actions performed by Volterra in securing the certificates.
Using the instructions in this guide, you can encrypt a TLS certificate with Blindfold and apply it to a virtual host.
The following prerequisites apply:
Note: If you do not have an account, see Create a VES Account.
A virtual host with a signed TLS certificate
Note: If you do not have a virtual host, see Create a Virtual Host.
The vesctl tool, downloaded to your local machine. It is used to apply Blindfold to the TLS certificate.
Note: Install the Volterra node or cluster image in your cloud or edge location. See How to Create a Site for more information.
The following image shows the configuration sequence of applying Blindfold encryption to your TLS certificate.
Applying Blindfold to the certificates of your WebApp includes performing the following sequence of actions:
| Action | Description |
|---|---|
| Create a Secret Policy | Create a policy that permits Volterra Wingman and the data plane to access the TLS certificate. |
| Prepare Credentials and Policy | Retrieve API credentials from Volterra Console, derive the certificate and key, and obtain the policy document. |
| Encrypt TLS Certificate | Perform the encryption on a local computer. An air-gapped computer is recommended. |
| Enable TLS on the Virtual Host | Update the virtual host configuration with the TLS certificate and the key encrypted with Volterra Blindfold. |
Note: The API credentials must be downloaded in PKCS #12 file format.
The secret policy grants Wingman and the Volterra data plane access to the TLS certificate.
Step 1: Select the namespace in which you want to create your secret policy. Select Security from the configuration menu and Secret Management from the options pane. Select Policies and click Add secret policy. The policy creation form loads.
Step 2: In the loaded form, select First Rule Match for the Rule Combining Algorithm field. Click Allow Volterra to allow the Volterra data plane to decrypt the encrypted TLS private key.
Step 1: Select the system namespace. Select IAM from the configuration menu and API Credentials from the options pane. Click
Step 2: Provide a name for the credentials, select Credential type as API Certificate, and provide a password to access the credentials. Click Download. The credentials are returned in JSON format.
Step 3: Derive a certificate from the downloaded PKCS #12 file. This example shows how to derive the certificate using OpenSSL:
openssl pkcs12 -nokeys -in demo-api-credentials.p12 -out demo-api.crt
Note: This step prompts for a password. Enter the password used in Step 1 to generate the certificate file in the
Step 4: Derive a key from the downloaded PKCS #12 file. Enter the following command:
openssl pkcs12 -nocerts -nodes -in demo-api-credentials.p12 -out demo-api.key
Note: This step prompts for a password. Enter the password used in Step 1 and a passphrase to generate the key file in the
Step 5: Obtain a public key using vesctl and store the output in a file. This example stores the output in a file named demo-api-pubkey:
vesctl --cert file:///demo-api.crt --key file:///demo-api.key -u https://demo-api.console.ves.volterra.io/api request secrets get-public-key > demo-api-pubkey
Note: For the --cert and --key options, specify the paths to the certificate file and key file derived in Step 3 and Step 4 respectively.
The following output capture shows a sample public key:
data:
  keyVersion: 1
  modulusBase64: rc3DxZa69sWeIn9NRrHGcZlZaXLHWYjc57jIS76Z47AcU0jDmodz3lNEysVO2swNAUn8p6yiuvf8Vj4LUuWB++LdP2yYX5ftEHmMgnHVq4AdKFBp5zbrh15g7mS0lpdX/xG6h0+IdHyrWPoIg/hZwYyV9xmIOcFc1Jk5PZC554hchHbToQ==
  publicExponentBase64: A6ur/Xk=
  tenant: volterra-demo1
Step 6: Obtain a policy document using vesctl and store the output in a file. This example stores the output in a file named demo-api-policy:
vesctl --cert file:///demo-api.crt --key file:///demo-api.key -u https://demo-api.console.ves.volterra.io/api request secrets get-policy-document --namespace system --name demo-api-https-policy > demo-api-policy
Note: For the --cert and --key options, specify the paths to the certificate file and key file derived in Step 3 and Step 4 respectively. For the --name field, enter the API credentials object name.
The following output capture shows a sample policy document.
data:
  policyId: "104"
  policyInfo:
    rules:
  tenant: volterra-demo1
Step 7: Convert the certificate to URL format by base64-encoding it. This string is used to associate the certificate with the virtual host:
openssl base64 -in <certificate>
<certificate> is your certificate file, including intermediate certificates if required.
Step 1: Use vesctl to encrypt the TLS key with Blindfold and store the returned encrypted key for use in the virtual host configuration. This example stores the output in a file named bl-enckey:
vesctl --cert file:///demo-api.crt --key file:///demo-api.key -u https://demo-api.console.ves.volterra.io/api request secrets encrypt --policy-document demo-api-policy --public-key demo-api-pubkey privkey.pem > bl-enckey
Note: Provide the certificate, key, public key, and policy document obtained in the Prepare Credentials and Policy chapter.
The following output capture shows a sample encrypted key.
Encrypted Secret (Base64 encoded): AAAACWN1c3RvbWVyMQAAAAEAAAAAAAAAaAIAAAAFA6ur/XkAAAEArc3DxZa69sWeIn9NRrHGcZlZaXLHWYjc57jIS76Z47AcU0jDmodz3lNEysVO2s
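The Prepare Credentials and Policy steps and the encrypt step above, chained into one script. This is an added example, not code from the Volterra documentation or from vesctl itself; it uses the page's sample file names, policy name and API URL, assumes a placeholder EXPECTED_TENANT for your own tenant, and adds a check that the public key and policy document both name that tenant before anything is encrypted.

```shell
#!/bin/sh
# Added example, not from the Volterra docs: runs Steps 3-6 and the encrypt step
# and refuses to encrypt unless both vesctl documents name the expected tenant.
# File names, policy name and API URL are the page's sample values;
# EXPECTED_TENANT is an assumed placeholder for your own tenant.
set -eu
umask 077                                  # derived credential files are readable by the owner only

API_URL="https://demo-api.console.ves.volterra.io/api"
P12="demo-api-credentials.p12"
CRT="demo-api.crt"
KEY="demo-api.key"
POLICY_NAME="demo-api-https-policy"
EXPECTED_TENANT="${EXPECTED_TENANT:-volterra-demo1}"

# Print the tenant named in a vesctl output document (flat or indented YAML).
doc_tenant() {
    sed -n 's/.*tenant:[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$1" | head -n 1
}

# Fail unless the document names the expected tenant; a secret encrypted to another
# tenant's public key or policy cannot be decrypted by your own data plane.
check_tenant() {
    found=$(doc_tenant "$1")
    if [ "$found" != "$2" ]; then
        echo "tenant mismatch in $1: got '${found:-<none>}', want '$2'" >&2
        return 1
    fi
}

# vesctl with the derived API credentials; file:// URLs need absolute paths, hence $PWD
ves() { vesctl --cert "file://$PWD/$CRT" --key "file://$PWD/$KEY" -u "$API_URL" "$@"; }

main() {
    privkey="$1"                                                 # clear-text TLS private key to encrypt
    openssl pkcs12 -nokeys -in "$P12" -out "$CRT"                # Step 3
    openssl pkcs12 -nocerts -nodes -in "$P12" -out "$KEY"        # Step 4
    ves request secrets get-public-key > demo-api-pubkey         # Step 5
    ves request secrets get-policy-document \
        --namespace system --name "$POLICY_NAME" > demo-api-policy   # Step 6
    check_tenant demo-api-pubkey "$EXPECTED_TENANT"
    check_tenant demo-api-policy "$EXPECTED_TENANT"
    ves request secrets encrypt --policy-document demo-api-policy \
        --public-key demo-api-pubkey "$privkey" > bl-enckey
    rm -f "$KEY"                                                 # API private key is no longer needed
    echo "Blindfold-encrypted key written to bl-enckey"
}

# Running the script with a key file performs the procedure; sourcing it only defines the functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```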
Step 1: Select Manage from the configuration menu and Virtual Hosts from the options pane. Choose your virtual host from the list and open the virtual host edit form.
Step 2: Click TLS parameters to load the TLS parameters configuration form.
Step 3: Click Add TLS certificate to load the TLS certificate configuration form.
Step 4: Enter a URL in clear format in the Certificate URL field and click
Step 4: Select Blindfold Secret Info for the Secret info oneof field.
Step 5: Enter the encrypted string in the Location field, using the string obtained in the Encrypt TLS Key Using Blindfold chapter. Select EncodingNone as the secret encoding type; this is the default.
Applying this configuration enables the virtual host with a TLS key encrypted with Blindfold.