To allow an SGX application to access outside services, those services need the public key of the certificate authority (CA) that issued the application's certificate.
Each account has its own certificate authority, so applications will have different parent CAs based on their respective accounts.
How to obtain an account CA public key
High-level steps include:
1. Log in to Fortanix Confidential Computing Manager (CCM)
2. List accounts
3. Select account
4. List zones
This can be done using the em_cli tool, or with direct REST calls.
Using em_cli:
    # Install curl and jq
    sudo apt update; sudo apt install curl jq

    # Download em_curl.sh for em-cli
    curl -LO https://github.com/fortanix/rust-sgx/raw/master/em-app/examples/scripts/em_curl.sh
    source em_curl.sh

    # Login to CCM with your email and password
    em-cli user login 'https://ccm.fortanix.com' '[email protected]' 'password'

    # Show available accounts
    em-cli user refresh
    em-cli account list

    # Select a specific account by acct_id
    em-cli user refresh
    em-cli account select 'UUID'

    # Save zone certificate to a file
    em-cli user refresh
    em-cli zone list | jq '.[0].certificate' -r > zone_ca.pem
Using REST APIs:
Follow Steps 3.1 through 3.3 on using-fortanix-confidential-computing-manager-to-build-an-enclave-os-nginx-application to log in to Fortanix CCM and select an account.
Get the list of zones and save the zone certificate to a file:
    curl -b "$cpath" -c "$cpath" -H "X-CSRF-Header:true" https://ccm.fortanix.com/v1/zones | jq '.[0].certificate' -r > zone_ca.pem
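Both methods write the certificate to zone_ca.pem through jq, which still creates the file when the response has no zone or no certificate field. The check below is an added example, not part of the Fortanix documentation: it confirms the file holds a parseable, unexpired certificate and prints its SHA-256 fingerprint so it can be compared before the certificate is trusted elsewhere. The function name check_zone_ca is hypothetical, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example: sanity-check the zone CA file produced by the steps above.
# check_zone_ca is a hypothetical helper name; it assumes openssl is on PATH.
#
# Return codes: 0 = usable, 1 = empty or "null", 2 = not X.509, 3 = expired

check_zone_ca() {
    pem="$1"

    # jq -r prints the literal string "null" when the zone list is empty or
    # the certificate field is missing, and prints nothing at all when the
    # response is an error object. Either way the redirect creates the file.
    if [ ! -s "$pem" ] || [ "$(cat "$pem")" = "null" ]; then
        echo "error: $pem is empty or 'null'; log in and select an account again" >&2
        return 1
    fi

    # The content must parse as an X.509 certificate in PEM form.
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "error: $pem is not a PEM-encoded X.509 certificate" >&2
        return 2
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "error: certificate in $pem has expired" >&2
        return 3
    fi

    # Print the details to compare before pasting the PEM into another service.
    openssl x509 -in "$pem" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Run directly as: sh check_zone_ca.sh zone_ca.pem
if [ "$#" -gt 0 ]; then
    check_zone_ca "$1"
fi
```

Record the printed fingerprint when the file is first fetched; a later fetch for the same account that prints a different value means the file no longer holds the same certificate.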
How to configure external services
Services that support 'Trusted CA', for example, Fortanix-Data-Security-Manager (DSM), can be configured by pasting the certificate obtained in the section above into the service and configuring a 'Common Name'.

Figure 1: Adding trusted CA to Fortanix DSM