author | Rainer Gerhards <rgerhards@adiscon.com> | 2008-05-26 10:15:49 +0200 |
---|---|---|
committer | Rainer Gerhards <rgerhards@adiscon.com> | 2008-05-26 10:15:49 +0200 |
commit | f31a0537c649b0ecf40986e5dc8fea6386e6bcb0 (patch) | |
tree | 08b34086bd3b05df2da7f90ee6161d1a38ae9c69 /doc/rsyslog_tls.html | |
parent | 3b5c252784fcd73c1f7c75301c3ef058a9a15397 (diff) | |
improved gtls error reporting
Diffstat (limited to 'doc/rsyslog_tls.html')
-rw-r--r-- | doc/rsyslog_tls.html | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/doc/rsyslog_tls.html b/doc/rsyslog_tls.html index e1729feb..2d5fd8e9 100644 --- a/doc/rsyslog_tls.html +++ b/doc/rsyslog_tls.html @@ -159,7 +159,8 @@ syslog has sufficiently matured.</p> a short summary on how to generate the necessary certificates with GnuTLS' certtool. You can also generate certificates via other tools, but as we currently support GnuTLS as the only TLS library, we thought -it is a good idea to use their tools.<br></p> +it is a good idea to use their tools.<br> +</p> <p>Note that this section aims at people who are not involved with PKI at all. The main goal is to get them going in a reasonable secure way. </p> 
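Review bot: moving `</p>` onto its own line leaves the `<br>` immediately before it, which renders as a stray blank line at the end of the paragraph; if this hunk is touched at all, drop the `<br>` rather than relocating the closing tag. No other change in this hunk.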
@@ -238,14 +239,22 @@ use default server authentication and you use selector lines with IP addresses (e.g. "*.* @@192.168.0.1") - in that case you need to select a dnsName of 192.168.0.1. But, of course, changing the server IP then requires generating a new certificate.</li> -</ol>After you have generated the certificate, you need to place it -onto the local machine running rsyslogd. Specify the certificate and -key via the $DefaultNetstreamDriverCertFile /path/to/cert.pem and +</ol> +After you have generated the certificate, you need to place it onto the +local machine running rsyslogd. Specify the certificate and key via the +$DefaultNetstreamDriverCertFile /path/to/cert.pem and $DefaultNetstreamDriverKeyFile /path/to/key.pem configuration directives. Make sure that nobody has access to key.pem, as that would breach security. And, once again: do NOT use these files on more than one instance. Doing so would prevent you from distinguising between the instances and thus would disable useful authentication. +<h3>Troubleshooting Certificates</h3> +<p>If you experience trouble with your certificate setup, it may +be +useful to get some information on what is contained in a specific +certificate (file). To obtain that information, do </p> +<pre>$ certtool --certificate-info --infile cert.pem</pre> +<p>where "cert.pem" can be replaced by the various certificate pem files (but it does not work with the key files).</p> <h2>Conclusion</h2> <p>With minumal effort, you can set up a secure logging infrastructure employing TLS encrypted syslog message transmission.</p> 
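Review bot: the new Troubleshooting paragraph says the command "does not work with the key files" but does not tell the reader what to use instead or that key inspection output is sensitive; since this section targets people with no PKI background, add the GnuTLS counterpart `certtool --key-info --infile key.pem` and state plainly that, unlike `--certificate-info` output (which contains only public data and is safe to attach to a bug report or mailing-list post), `--key-info` output contains the private key and must never be shared. Two smaller points in the same hunk: the paragraph is split mid-sentence ("it may" / "be" / "useful") and should be rejoined on one line, and the text added after `</ol>` ("After you have generated the certificate ...") is not wrapped in a `<p>` while the new `<h3>` and `<pre>` around it are. While here, the unchanged context carries the typos "distinguising" and "minumal".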
@@ -257,7 +266,8 @@ please <h2>Revision History</h2> <ul> <li>2008-05-06 * <a href="http://www.gerhards.net/rainer">Rainer -Gerhards</a> * Initial Version created</li> +Gerhards</a> * Initial Version created</li><li>2008-05-26 * <a href="http://www.gerhards.net/rainer">Rainer +Gerhards</a> * added information about certificates</li> </ul> <h2>Copyright</h2> <p>Copyright (c) 2008 <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer |
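Review bot: the new revision-history entry is appended onto the same line as the closing `</li>` of the 2008-05-06 entry instead of starting on its own line like the first item; put the new `<li>` on a fresh line so each entry follows the list's one-item-per-line convention and later additions stay easy to diff.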