1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>TLS-protected syslog: generating the machine certificate</title>
</head>
<body>
<h1>Encrypting Syslog Traffic with TLS (SSL)</h1>
<p><small><i>Written by <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer
Gerhards</a> (2008-06-18)</i></small></p>
<ul>
<li><a href="rsyslog_secure_tls.html">Overview</a>
<li><a href="tls_cert_scenario.html">Sample Scenario</a>
<li><a href="tls_cert_ca.html">Setting up the CA</a>
<li><a href="tls_cert_machine.html">Generating Machine Certificates</a>
<li><a href="tls_cert_server.html">Setting up the Central Server</a>
<li><a href="tls_cert_client.html">Setting up syslog Clients</a>
<li><a href="tls_cert_udp_relay.html">Setting up the UDP syslog relay</a>
<li><a href="tls_cert_summary.html">Wrapping it all up</a>
</ul>
<h3>generating the machine certificate</h3>
<p>In this step, we generate certificates for each of the machines. Please note
that both clients and servers need certificates. The certificate identifies each
machine to the remote peer. The DNSName specified inside the certificate can
<span style="float: left">
<script type="text/javascript"><!--
google_ad_client = "pub-3204610807458280";
/* rsyslog doc inline */
google_ad_slot = "5958614527";
google_ad_width = 125;
google_ad_height = 125;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
</span>
be specified inside the $<object>PermittedPeer config statements.
<p>For now, we assume that a single person (or group) is responsible for the whole
rsyslog system and thus it is OK if that single person is in posession of all
machine's private keys. This simplification permits us to use a somewhat less
complicated way of generating the machine certificates. So, we generate both the private
and public key on the CA (which is NOT a server!) and then copy them over to the
respective machines.
<p>If the roles of machine and CA administrators are split, the private key must
be generated by the machine administrator. This is done via a certificate request.
This request is then sent to the CA admin, which in turn generates the certificate
(containing the public key). The CA admin then sends back the certificate to the
machine admin, who installs it. That way, the CA admin never get's hold of the
machine's private key. Instructions for this mode will be given in a later revision
of this document.
<p><b>In any case, it is vital that the machine's private key is protected. Anybody
able to obtain that private key can imporsonate as the machine to which it belongs, thus
breaching your security.</b>
<h3>Sample Screen Session</h3>
<p>Text in red is user input. Please note that for some questions, there is no
user input given. This means the default was accepted by simply pressing the
enter key.
<p><b>Please note:</b> you need to substitute the names specified below with values
that match your environment. Most importantly, machine.example.net must be replaced
by the actual name of the machine that will be using this certificate. For example,
if you generate a certificate for a machine named "server.example.com", you need
to use that name. If you generate a certificate for "client.example.com", you need
to use this name. Make sure that each machine certificate has a unique name. If not,
you can not apply proper access control.
<code><pre>
[root@rgf9dev sample]# <font color="red">certtool --generate-privkey --outfile key.pem --bits 2048</font>
Generating a 2048 bit RSA private key...
[root@rgf9dev sample]# <font color="red">certtool --generate-request --load-privkey key.pem --outfile request.pem</font>
Generating a PKCS #10 certificate request...
Country name (2 chars): <font color="red">US</font>
Organization name: <font color="red">SomeOrg</font>
Organizational unit name: <font color="red">SomeOU</font>
Locality name: <font color="red">Somewhere</font>
State or province name: <font color="red">CA</font>
Common name: <font color="red">machine.example.net</font>
UID:
Enter a challenge password:
[root@rgf9dev sample]# <font color="red">certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem</font>
|
