How to configure a trusted CA for outside parties

To allow an SGX application to access outside services, those services need the public key (certificate) of the certificate authority (CA) that issues the application's certificate, so they can verify it.
Each account has its own CA, so applications in different accounts chain to different parent CAs.

How to obtain an account's CA public key

High-level steps include:

  • Log in to Fortanix Confidential Computing Manager (CCM)
  • List accounts
  • Select an account
  • List zones and save the zone CA certificate

These steps can be performed with the em-cli tool or with direct REST calls.

  1. Using em-cli:
    # Install curl and jq (curl downloads em-cli; jq extracts the certificate from JSON output)
    sudo apt update; sudo apt install curl jq
    # Download em-cli
    curl -LO
    # Log in to CCM with your email and password
    em-cli user login '' '' 'password'
    # Refresh the session, then list the accounts you can access
    em-cli user refresh
    em-cli account list
    # Select the account to work in by its acct_id (a UUID)
    em-cli user refresh
    em-cli account select 'UUID'
    # List the account's zones and save the first zone's CA certificate (PEM) to a file.
    # '.[0]' takes the first zone in the list; if the account has more than one zone,
    # pick the entry for the zone your application runs in instead.
    em-cli user refresh
    em-cli zone list | jq '.[0].certificate' -r > zone_ca.pem
  2. Using REST APIs:
    1. Follow Steps 3.1 through 3.3 to log in to Fortanix CCM and select an account.
    2. Get the list of zones and save the zone certificate to a file. $cpath is the cookie-jar
       file from the login steps (-b sends the session cookie, -c keeps the jar up to date); as
       above, '.[0]' selects the first zone in the list:
      curl -b $cpath -c $cpath -H "X-CSRF-Header:true" | jq '.[0].certificate' -r > zone_ca.pem
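The `jq '.[0].certificate'` step in both procedures above silently takes whichever zone is listed first and writes the string to disk without checking that it is a certificate at all. The following script is an added example, not code from the Fortanix article or from em-cli: it reads the zone list JSON on stdin (e.g. piped from `em-cli zone list`), selects the zone by name instead of by position, checks that the value is a single well-framed PEM certificate whose DER length is consistent, and only then writes zone_ca.pem. It assumes the zone list is a JSON array of objects with a "certificate" field holding PEM text (which the article's jq filter relies on); the "name" field and the sample data are constructed for this example and are not from a real CCM account.

```python
"""Select a CCM zone CA certificate by name and sanity-check it before saving.

Added example, not code from the Fortanix article or em-cli. Assumptions
(labelled): the zone list is a JSON array of objects with a "certificate"
field holding PEM text; the "name" field and the sample data below are
constructed for this example, not taken from a real CCM account.
"""
import base64
import json
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _der_total_length(der: bytes) -> int:
    """Bytes the outer DER element claims to occupy (tag + length + content), or -1 if malformed."""
    if len(der) < 2:
        return -1
    first = der[1]
    if first < 0x80:                     # short-form length: one byte
        return 2 + first
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def validate_pem_certificate(pem: str) -> bytes:
    """Return the DER bytes if `pem` is exactly one well-framed certificate, else raise ValueError."""
    text = pem.strip()
    if not (text.startswith(BEGIN) and text.endswith(END)):
        raise ValueError("missing PEM CERTIFICATE armour")
    body = text[len(BEGIN):-len(END)]
    if BEGIN in body or END in body:
        raise ValueError("more than one certificate in input; expected a single CA certificate")
    # binascii.Error (raised on bad base64) is a subclass of ValueError.
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE tag; not a certificate")
    if _der_total_length(der) != len(der):
        raise ValueError("DER outer length disagrees with data length (truncated or trailing bytes)")
    return der


def select_zone(zones: list, name=None) -> dict:
    """Pick one zone: the only one if the account has a single zone, otherwise by exact name."""
    if name is None:
        if len(zones) == 1:
            return zones[0]
        raise ValueError(f"{len(zones)} zones in this account; pass the zone name explicitly")
    matches = [z for z in zones if z.get("name") == name]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one zone named {name!r}, found {len(matches)}")
    return matches[0]


def extract_zone_ca(zone_list_json: str, name=None) -> str:
    """Parse zone-list JSON, select a zone, validate its certificate and return the PEM text."""
    zones = json.loads(zone_list_json)
    if not isinstance(zones, list):
        raise ValueError("zone list must be a JSON array")
    pem = select_zone(zones, name).get("certificate")
    if not isinstance(pem, str):
        raise ValueError("selected zone has no 'certificate' string")
    validate_pem_certificate(pem)
    return pem.strip() + "\n"


def save_zone_ca(zone_list_json: str, path: str, name=None) -> bytes:
    """Write the validated PEM to `path`; return its DER bytes."""
    pem = extract_zone_ca(zone_list_json, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(pem)
    return validate_pem_certificate(pem)


# Constructed sample resembling `em-cli zone list` output. The PEM bodies are
# tiny stand-in DER SEQUENCEs so the script runs offline; they are not real certificates.
SAMPLE_ZONE_LIST_JSON = json.dumps([
    {"name": "Default zone",
     "certificate": "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"},
    {"name": "Production",
     "certificate": "-----BEGIN CERTIFICATE-----\nMAUCAwECAw==\n-----END CERTIFICATE-----\n"},
])

if __name__ == "__main__":
    # Usage: em-cli zone list | python3 save_zone_ca.py Production
    zone_name = sys.argv[1] if len(sys.argv) > 1 else None
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ZONE_LIST_JSON
    der = save_zone_ca(data, "zone_ca.pem", zone_name)
    print(f"wrote zone_ca.pem ({len(der)} DER bytes)")
```

The DER length check is deliberately shallow: it catches a truncated or doubled-up value without pulling in an X.509 parser. Once the file exists, `openssl x509 -in zone_ca.pem -noout -subject -issuer -dates` is the quickest way to confirm you saved the CA you meant (subject equals issuer for a root) before pasting it into an external service.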

How to configure external services

Services that support a trusted CA, for example Fortanix Data Security Manager (DSM), are configured by pasting the zone CA certificate obtained above into the service and configuring the 'Common Name' the service should accept from certificates issued under that CA.

Figure 1: Adding trusted CA to Fortanix DSM

