diff options
Diffstat (limited to 'doc/tls_cert_machine.html')
| -rw-r--r-- | doc/tls_cert_machine.html | 182 |
1 files changed, 0 insertions, 182 deletions
diff --git a/doc/tls_cert_machine.html b/doc/tls_cert_machine.html deleted file mode 100644 index 095e15c..0000000 --- a/doc/tls_cert_machine.html +++ /dev/null @@ -1,182 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<html><head><title>TLS-protected syslog: generating the machine certificate</title> -</head> -<body> - -<h1>Encrypting Syslog Traffic with TLS (SSL)</h1> -<p><small><i>Written by <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer -Gerhards</a> (2008-06-18)</i></small></p> - -<ul> -<li><a href="rsyslog_secure_tls.html">Overview</a> -<li><a href="tls_cert_scenario.html">Sample Scenario</a> -<li><a href="tls_cert_ca.html">Setting up the CA</a> -<li><a href="tls_cert_machine.html">Generating Machine Certificates</a> -<li><a href="tls_cert_server.html">Setting up the Central Server</a> -<li><a href="tls_cert_client.html">Setting up syslog Clients</a> -<li><a href="tls_cert_udp_relay.html">Setting up the UDP syslog relay</a> -<li><a href="tls_cert_summary.html">Wrapping it all up</a> -</ul> - -<h3>generating the machine certificate</h3> -<p>In this step, we generate certificates for each of the machines. Please note -that both clients and servers need certificates. The certificate identifies each -machine to the remote peer. The DNSName specified inside the certificate can -<span style="float: left"> -<script type="text/javascript"><!-- -google_ad_client = "pub-3204610807458280"; -/* rsyslog doc inline */ -google_ad_slot = "5958614527"; -google_ad_width = 125; -google_ad_height = 125; -//--> -</script> -<script type="text/javascript" -src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> -</script> -</span> -be specified inside the $<object>PermittedPeer config statements. -<p>For now, we assume that a single person (or group) is responsible for the whole -rsyslog system and thus it is OK if that single person is in posession of all -machine's private keys. This simplification permits us to use a somewhat less -complicated way of generating the machine certificates. So, we generate both the private -and public key on the CA (which is NOT a server!) and then copy them over to the -respective machines. -<p>If the roles of machine and CA administrators are split, the private key must -be generated by the machine administrator. This is done via a certificate request. -This request is then sent to the CA admin, which in turn generates the certificate -(containing the public key). The CA admin then sends back the certificate to the -machine admin, who installs it. That way, the CA admin never get's hold of the -machine's private key. Instructions for this mode will be given in a later revision -of this document. -<p><b>In any case, it is vital that the machine's private key is protected. Anybody -able to obtain that private key can imporsonate as the machine to which it belongs, thus -breaching your security.</b> -<h3>Sample Screen Session</h3> -<p>Text in red is user input. Please note that for some questions, there is no -user input given. This means the default was accepted by simply pressing the -enter key. -<p><b>Please note:</b> you need to substitute the names specified below with values -that match your environment. Most importantly, machine.example.net must be replaced -by the actual name of the machine that will be using this certificate. For example, -if you generate a certificate for a machine named "server.example.com", you need -to use that name. If you generate a certificate for "client.example.com", you need -to use this name. Make sure that each machine certificate has a unique name. If not, -you can not apply proper access control. -<code><pre> -[root@rgf9dev sample]# <font color="red">certtool --generate-privkey --outfile key.pem --bits 2048</font> -Generating a 2048 bit RSA private key... -[root@rgf9dev sample]# <font color="red">certtool --generate-request --load-privkey key.pem --outfile request.pem</font> -Generating a PKCS #10 certificate request... -Country name (2 chars): <font color="red">US</font> -Organization name: <font color="red">SomeOrg</font> -Organizational unit name: <font color="red">SomeOU</font> -Locality name: <font color="red">Somewhere</font> -State or province name: <font color="red">CA</font> -Common name: <font color="red">machine.example.net</font> -UID: -Enter a dnsName of the subject of the certificate: -Enter the IP address of the subject of the certificate: -Enter the e-mail of the subject of the certificate: -Enter a challange password: -Does the certificate belong to an authority? (y/N): <font color="red">n</font> -Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): -Will the certificate be used for encryption (RSA ciphersuites)? (y/N): -Is this a TLS web client certificate? (y/N): <font color="red">y</font> -Is this also a TLS web server certificate? (y/N): <font color="red">y</font> -[root@rgf9dev sample]# <font color="red">certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem</font> -Generating a signed certificate... -Enter the certificate's serial number (decimal): - - -Activation/Expiration time. -The certificate will expire in (days): 1000 - - -Extensions. -Do you want to honour the extensions from the request? (y/N): -Does the certificate belong to an authority? (Y/N): <font color="red">n</font> -Is this a TLS web client certificate? (Y/N): <font color="red">y</font> -Is this also a TLS web server certificate? (Y/N): <font color="red">y</font> -Enter the dnsName of the subject of the certificate: <font color="red">machine.example.net</font> <i>{This is the name of the machine that will use the certificate}</i> -Enter the IP address of the subject of certificate: -Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/N): -Will the certificate be used for encryption (RSA ciphersuites)? (Y/N): -X.509 Certificate Information: - Version: 3 - Serial Number (hex): 485a3819 - Validity: - Not Before: Thu Jun 19 10:42:54 UTC 2008 - Not After: Wed Mar 16 10:42:57 UTC 2011 - Subject: C=US,O=SomeOrg,OU=SomeOU,L=Somewhere,ST=CA,CN=machine.example.net - Subject Public Key Algorithm: RSA - Modulus (bits 2048): - b2:4e:5b:a9:48:1e:ff:2e:73:a1:33:ee:d8:a2:af:ae - 2f:23:76:91:b8:39:94:00:23:f2:6f:25:ad:c9:6a:ab - 2d:e6:f3:62:d8:3e:6e:8a:d6:1e:3f:72:e5:d8:b9:e0 - d0:79:c2:94:21:65:0b:10:53:66:b0:36:a6:a7:cd:46 - 1e:2c:6a:9b:79:c6:ee:c6:e2:ed:b0:a9:59:e2:49:da - c7:e3:f0:1c:e0:53:98:87:0d:d5:28:db:a4:82:36:ed - 3a:1e:d1:5c:07:13:95:5d:b3:28:05:17:2a:2b:b6:8e - 8e:78:d2:cf:ac:87:13:15:fc:17:43:6b:15:c3:7d:b9 - Exponent: - 01:00:01 - Extensions: - Basic Constraints (critical): - Certificate Authority (CA): FALSE - Key Purpose (not critical): - TLS WWW Client. - TLS WWW Server. - Subject Alternative Name (not critical): - DNSname: machine.example.net - Subject Key Identifier (not critical): - 0ce1c3dbd19d31fa035b07afe2e0ef22d90b28ac - Authority Key Identifier (not critical): - fbfe968d10a73ae5b70d7b434886c8f872997b89 -Other Information: - Public Key Id: - 0ce1c3dbd19d31fa035b07afe2e0ef22d90b28ac - -Is the above information ok? (Y/N): <font color="red">y</font> - - -Signing certificate... -[root@rgf9dev sample]# <font color="red">rm -f request.pem</font> -[root@rgf9dev sample]# <font color="red">ls -l</font> -total 16 --r-------- 1 root root 887 2008-06-19 12:33 ca-key.pem --rw-r--r-- 1 root root 1029 2008-06-19 12:36 ca.pem --rw-r--r-- 1 root root 1074 2008-06-19 12:43 cert.pem --rw-r--r-- 1 root root 887 2008-06-19 12:40 key.pem -[root@rgf9dev sample]# # it may be a good idea to rename the files to indicate where they belong to -[root@rgf9dev sample]# <font color="red">mv cert.pem machine-cert.pem</font> -[root@rgf9dev sample]# <font color="red">mv key.pem machine-key.pem</font> -[root@rgf9dev sample]# -</pre></code> -<h3>Distributing Files</h3> -<p>Provide the machine with: -<ul> -<li>a copy of ca.pem -<li>cert.pem -<li>key.pem -</ul> -<p>This is how the relevant part of rsyslog.conf looks on the target machine: -<p> -<code><pre> -$DefaultNetstreamDriverCAFile /home/rger/proj/rsyslog/sample/ca.pem -$DefaultNetstreamDriverCertFile /home/rger/proj/rsyslog/sample/machine-cert.pem -$DefaultNetstreamDriverKeyFile /home/rger/proj/rsyslog/sample/machine-key.pem -</pre></code> -<p><b><font color="red">Never</font> provide anyone with ca-key.pem!</b> Also, make sure -nobody but the machine in question gets hold of key.pem. -<h2>Copyright</h2> -<p>Copyright (c) 2008 <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer -Gerhards</a> and -<a href="http://www.adiscon.com/en/">Adiscon</a>.</p> -<p> Permission is granted to copy, distribute and/or modify this -document under the terms of the GNU Free Documentation License, Version -1.2 or any later version published by the Free Software Foundation; -with no Invariant Sections, no Front-Cover Texts, and no Back-Cover -Texts. A copy of the license can be viewed at -<a href="http://www.gnu.org/copyleft/fdl.html">http://www.gnu.org/copyleft/fdl.html</a>.</p> -</body></html> |