author: Rainer Gerhards <rgerhards@adiscon.com> 2008-06-20 11:53:05 +0200
committer: Rainer Gerhards <rgerhards@adiscon.com> 2008-06-20 11:53:05 +0200
commit: 064574425b38832f94e51fe31a1f6293ad8ac604 (patch)
tree: 94562699bb16fc2e947d6ab685c6c97915c205f4
parent: 083d52c86199f64306f1af058b3d4771a37c342f (diff)
download: rsyslog-064574425b38832f94e51fe31a1f6293ad8ac604.tar.gz
          rsyslog-064574425b38832f94e51fe31a1f6293ad8ac604.tar.xz
          rsyslog-064574425b38832f94e51fe31a1f6293ad8ac604.zip
improved TLS doc
also changed samples to 2048 bit keys, because 1024 will soon no longer be considered secure.
-rw-r--r--  doc/tls_cert_ca.html        38
-rw-r--r--  doc/tls_cert_machine.html   43
-rw-r--r--  doc/tls_cert_scenario.html   3
3 files changed, 44 insertions, 40 deletions
diff --git a/doc/tls_cert_ca.html b/doc/tls_cert_ca.html
index efe34c85..7427bb03 100644
--- a/doc/tls_cert_ca.html
+++ b/doc/tls_cert_ca.html
@@ -68,19 +68,21 @@ sign other certificates.<br>
</li>
</ol>
<h3>Sample Screen Session</h3>
+<p>Text in red is user input. Please note that for some questions, there is no
+user input given. This means the default was accepted by simply pressing the
+enter key.
<code><pre>
-[root@rgf9dev sample]# certtool --generate-privkey --outfile ca-key.pem
-Generating a 1024 bit RSA private key...
-[root@rgf9dev sample]# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
-[root@rgf9dev sample]# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
+[root@rgf9dev sample]# <font color="red">certtool --generate-privkey --outfile ca-key.pem --bits 2048</font>
+Generating a 2048 bit RSA private key...
+[root@rgf9dev sample]# <font color="red">certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem</font>
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
-Country name (2 chars): US
-Organization name: SomeOrg
-Organizational unit name: SomeOU
-Locality name: Somewhere
-State or province name: CA
-Common name: someName (not necessarily DNS!)
+Country name (2 chars): <font color="red">US</font>
+Organization name: <font color="red">SomeOrg</font>
+Organizational unit name: <font color="red">SomeOU</font>
+Locality name: <font color="red">Somewhere</font>
+State or province name: <font color="red">CA</font>
+Common name: <font color="red">someName (not necessarily DNS!)</font>
UID:
This field should not be used in new certificates.
E-mail:
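Review bot: the `<p>` opened on the new line `<p>Text in red is user input...` is never closed before `<code><pre>`; add `</p>` after `enter key.` so the explanatory paragraph does not run into the sample session. On the same hunk, `<font color="red">` is an obsolete presentational element; a `<span class="input">` with one stylesheet rule (or the `<b>` the machine page already used) is easier to maintain, and `<code><pre>` nests a block element inside an inline one, `<pre><code>` being the valid order. Since the text now passes `--bits 2048`, consider stating in the paragraph why (the commit message's reason, that 1024-bit keys will soon no longer be considered secure), otherwise readers who copy an older session may drop the option. Removing the duplicated `certtool --generate-self-signed` line is a welcome fix.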
@@ -88,16 +90,16 @@ Enter the certificate's serial number (decimal):
Activation/Expiration time.
-The certificate will expire in (days): 3650
+The certificate will expire in (days): <font color="red">3650</font>
Extensions.
-Does the certificate belong to an authority? (Y/N): y
+Does the certificate belong to an authority? (Y/N): <font color="red">y</font>
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (Y/N):
Is this also a TLS web server certificate? (Y/N):
-Enter the e-mail of the subject of the certificate: someone@example.net
-Will the certificate be used to sign other certificates? (Y/N): y
+Enter the e-mail of the subject of the certificate: <font color="red">someone@example.net</font>
+Will the certificate be used to sign other certificates? (Y/N): <font color="red">y</font>
Will the certificate be used to sign CRLs? (Y/N):
Will the certificate be used to sign code? (Y/N):
Will the certificate be used to sign OCSP requests? (Y/N):
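Review bot: the `Is this a TLS web client certificate?` and `Is this also a TLS web server certificate?` prompts are correctly left at the default for a CA certificate, but now that the new paragraph tells readers that an empty answer means the default was accepted, a one-line remark that the CA certificate must not be marked as a TLS client or server certificate would prevent readers from "helpfully" answering `y` here.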
@@ -111,7 +113,7 @@ X.509 Certificate Information:
Not After: Sun Jun 17 10:35:25 UTC 2018
Subject: C=US,O=SomeOrg,OU=SomeOU,L=Somewhere,ST=CA,CN=someName (not necessarily DNS!)
Subject Public Key Algorithm: RSA
- Modulus (bits 1024):
+ Modulus (bits 2048):
d9:9c:82:46:24:7f:34:8f:60:cf:05:77:71:82:61:66
05:13:28:06:7a:70:41:bf:32:85:12:5c:25:a7:1a:5a
28:11:02:1a:78:c1:da:34:ee:b4:7e:12:9b:81:24:70
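Review bot: only the header line `Modulus (bits 2048):` was edited; the modulus bytes that follow (`d9:9c:82:46:...`) and the `Not After` date in the surrounding context are still from the original 1024-bit run, so the displayed certificate no longer matches the commands shown above it. Either re-run the session with `--bits 2048` and paste the real output, or trim the modulus dump to a `...` placeholder so the sample cannot go stale in this way again.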
@@ -135,12 +137,12 @@ Other Information:
Public Key Id:
fbfe968d10a73ae5b70d7b434886c8f872997b89
-Is the above information ok? (Y/N): y
+Is the above information ok? (Y/N): <font color="red">y</font>
Signing certificate...
-[root@rgf9dev sample]# chmod 400 ca-key.pem
-[root@rgf9dev sample]# ls -l
+[root@rgf9dev sample]# <font color="red">chmod 400 ca-key.pem</font>
+[root@rgf9dev sample]# <font color="red">ls -l</font>
total 8
-r-------- 1 root root 887 2008-06-19 12:33 ca-key.pem
-rw-r--r-- 1 root root 1029 2008-06-19 12:36 ca.pem
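Review bot: the `ls -l` listing still shows `ca-key.pem` at 887 bytes and `ca.pem` at 1029 bytes, which are the sizes of the 1024-bit key and certificate (a 2048-bit RSA private key in PEM form is roughly twice that), so like the modulus dump this output was not regenerated. Highlighting `chmod 400 ca-key.pem` in red is the right choice; it is the one command in this session that protects the CA key, and a sentence after the listing pointing at the resulting `-r--------` mode would make that explicit.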
diff --git a/doc/tls_cert_machine.html b/doc/tls_cert_machine.html
index f7868caa..0d2955f7 100644
--- a/doc/tls_cert_machine.html
+++ b/doc/tls_cert_machine.html
@@ -53,20 +53,23 @@ of this document.
able to obtain that private key can imporsonate as the machine to which it belongs, thus
breaching your security.</b>
<h3>Sample Screen Session</h3>
+<p>Text in red is user input. Please note that for some questions, there is no
+user input given. This means the default was accepted by simply pressing the
+enter key.
<code><pre>
-[root@rgf9dev sample]# <b>certtool --generate-privkey --outfile key.pem</b>
-Generating a 1024 bit RSA private key...
-[root@rgf9dev sample]# <b>certtool --generate-request --load-privkey key.pem --outfile request.pem</b>
+[root@rgf9dev sample]# <font color="red">certtool --generate-privkey --outfile key.pem --bits 2048</font>
+Generating a 2048 bit RSA private key...
+[root@rgf9dev sample]# <font color="red">certtool --generate-request --load-privkey key.pem --outfile request.pem</font>
Generating a PKCS #10 certificate request...
-Country name (2 chars): US
-Organization name: SomeOrg
-Organizational unit name: SomeOU
-Locality name: Somewhere
-State or province name: CA
-Common name: machine.example.net
+Country name (2 chars): <font color="red">US</font>
+Organization name: <font color="red">SomeOrg</font>
+Organizational unit name: <font color="red">SomeOU</font>
+Locality name: <font color="red">Somewhere</font>
+State or province name: <font color="red">CA</font>
+Common name: <font color="red">machine.example.net</font>
UID:
Enter a challenge password:
-[root@rgf9dev sample]# <b>certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem</b>
+[root@rgf9dev sample]# <font color="red">certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem</font>
Generating a signed certificate...
Enter the certificate's serial number (decimal):
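Review bot: the same unclosed `<p>` as on the CA page; add `</p>` after `enter key.` before `<code><pre>`. Switching the existing `<b>` markup to `<font color="red">` makes the two pages consistent, but a shared CSS class would serve both better than an obsolete element. While this file is being touched, the context line above the heading spells `imporsonate`; `impersonate` is intended.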
@@ -76,10 +79,10 @@ The certificate will expire in (days): 1000
Extensions.
-Does the certificate belong to an authority? (Y/N): n
-Is this a TLS web client certificate? (Y/N): y
-Is this also a TLS web server certificate? (Y/N): y
-Enter the dnsName of the subject of the certificate: machine.example.net
+Does the certificate belong to an authority? (Y/N): <font color="red">n</font>
+Is this a TLS web client certificate? (Y/N): <font color="red">y</font>
+Is this also a TLS web server certificate? (Y/N): <font color="red">y</font>
+Enter the dnsName of the subject of the certificate: <font color="red">machine.example.net</font>
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/N):
X.509 Certificate Information:
@@ -90,7 +93,7 @@ X.509 Certificate Information:
Not After: Wed Mar 16 10:42:57 UTC 2011
Subject: C=US,O=SomeOrg,OU=SomeOU,L=Somewhere,ST=CA,CN=machine.example.net
Subject Public Key Algorithm: RSA
- Modulus (bits 1024):
+ Modulus (bits 2048):
b2:4e:5b:a9:48:1e:ff:2e:73:a1:33:ee:d8:a2:af:ae
2f:23:76:91:b8:39:94:00:23:f2:6f:25:ad:c9:6a:ab
2d:e6:f3:62:d8:3e:6e:8a:d6:1e:3f:72:e5:d8:b9:e0
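Review bot: as on the CA page, only `Modulus (bits 2048):` changed while the modulus bytes `b2:4e:5b:a9:...` remain from the 1024-bit run; regenerate the session or elide the dump so the sample is self-consistent.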
@@ -117,20 +120,20 @@ Other Information:
Public Key Id:
0ce1c3dbd19d31fa035b07afe2e0ef22d90b28ac
-Is the above information ok? (Y/N): y
+Is the above information ok? (Y/N): <font color="red">y</font>
Signing certificate...
-[root@rgf9dev sample]# <b>rm -f request.pem</b>
-[root@rgf9dev sample]# <b>ls -l</b>
+[root@rgf9dev sample]# <font color="red">rm -f request.pem</font>
+[root@rgf9dev sample]# <font color="red">ls -l</font>
total 16
-r-------- 1 root root 887 2008-06-19 12:33 ca-key.pem
-rw-r--r-- 1 root root 1029 2008-06-19 12:36 ca.pem
-rw-r--r-- 1 root root 1074 2008-06-19 12:43 cert.pem
-rw-r--r-- 1 root root 887 2008-06-19 12:40 key.pem
[root@rgf9dev sample]# # it may be a good idea to rename the files to indicate where they belong to
-[root@rgf9dev sample]# <b>mv cert.pem machine-cert.pem</b>
-[root@rgf9dev sample]# <b>mv key.pem machine-key.pem</b>
+[root@rgf9dev sample]# <font color="red">mv cert.pem machine-cert.pem</font>
+[root@rgf9dev sample]# <font color="red">mv key.pem machine-key.pem</font>
[root@rgf9dev sample]#
</pre></code>
<h3>Distributing Files</h3>
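Review bot: the listing shows `key.pem` at 887 bytes and `cert.pem` at 1074 bytes, again the 1024-bit sizes, so this output should be regenerated together with the modulus dump. Two smaller points: the shell comment `rename the files to indicate where they belong to` reads better as `which machine they belong to`, and the `<p>` opened at the top of this section is still open when `</pre></code>` closes the session, so the `</p>` suggested above is needed here too. Renaming to `machine-cert.pem` / `machine-key.pem` is a good addition; it makes the later "Distributing Files" step far less error-prone.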
diff --git a/doc/tls_cert_scenario.html b/doc/tls_cert_scenario.html
index dced5393..7973532b 100644
--- a/doc/tls_cert_scenario.html
+++ b/doc/tls_cert_scenario.html
@@ -42,8 +42,7 @@ hav decided to use ada.example.net because it is in the same local network
segment as the router and so we enjoy TLS' security benefits for forwarding the
router messages inside the corporate network. All systems (except the router) use
<a href="http://www.rsyslog.com/">rsyslog</a> as the syslog software.</p>
-<p>
-<center><img src="tls_cert_100.jpg"></center>
+<p><center><img src="tls_cert_100.jpg"></center>
<p>Please note that the CA must not necessarily be connected to the rest of the
network. Actually, it may be considered a security plus if it is not. If the CA
is reachable via the regular network, it should be sufficiently secured (firewal
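Review bot: merging `<p>` and `<center>` onto one line does not address the real problem, which is that the `<p>` is never closed and `<center>` is an obsolete element; `<p style="text-align:center"><img src="tls_cert_100.jpg" alt="..."></p>` would be valid, close the paragraph, and give the image the `alt` text it currently lacks. The context line `hav decided to use ada.example.net` also has a typo (`have`) that could be fixed in the same commit.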