<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Setting up the CA — rsyslog 8.1911.0 documentation</title>
<link rel="stylesheet" href="../_static/classic.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/rsyslog.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '8.1911.0',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="Generating the machine certificate" href="tls_cert_machine.html" />
<link rel="prev" title="Sample Use Case: Single Central Log Server" href="tls_cert_scenario.html" />
</head>
<body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="tls_cert_machine.html" title="Generating the machine certificate"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="tls_cert_scenario.html" title="Sample Use Case: Single Central Log Server"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../index.html">rsyslog 8.1911.0 documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="index.html" >Tutorials</a> »</li>
<li class="nav-item nav-item-2"><a href="tls_cert_summary.html" accesskey="U">Encrypting Syslog Traffic with TLS (SSL)</a> »</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="setting-up-the-ca">
<h1>Setting up the CA<a class="headerlink" href="#setting-up-the-ca" title="Permalink to this headline">¶</a></h1>
<p>The first step is to set up a certificate authority (CA). It must be
maintained by a trustworthy person (or group) and approves the
identities of all machines. It does so by issuing their certificates.
In a small setup, the administrator can provide the CA function. What is
important is the CA’s private key is well-protected and machine
certificates are only issued if it is know they are valid (in a
single-admin case that means the admin should not issue certificates to
anyone else except himself).</p>
<p>The CA creates a so-called self-signed certificate. That is, it approves
its own authenticity. This sounds useless, but the key point to understand
is that every machine will be provided a copy of the CA’s certificate.
Accepting this certificate is a matter of trust. So by configuring the
CA certificate, the administrator tells
<a class="reference external" href="http://www.rsyslog.com">rsyslog</a> which certificates to trust. This is
the root of all trust under this model. That is why the CA’s private key
is so important - everyone getting hold of it is trusted by our rsyslog
instances.</p>
<div class="figure align-center">
<img alt="" src="../_images/tls_cert_ca.jpg" />
</div>
<p>To create a self-signed certificate, use the following commands with
GnuTLS (which is currently the only supported TLS library, what may
change in the future). Please note that GnuTLS’ tools are not installed
by default on many platforms. Also, the tools do not necessarily come
with the GnuTLS core package. If you do not have certtool on your
system, check if there is package for the GnuTLS tools available (under
Fedora, for example, this is named gnutls-utils-<version> and it is NOT
installed by default).</p>
<ol class="arabic">
<li><p class="first">generate the private key:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">certtool</span> <span class="o">--</span><span class="n">generate</span><span class="o">-</span><span class="n">privkey</span> <span class="o">--</span><span class="n">outfile</span> <span class="n">ca</span><span class="o">-</span><span class="n">key</span><span class="o">.</span><span class="n">pem</span>
</pre></div>
</div>
<p>This takes a short while. Be sure to do some work on your
workstation, it waits for random input. Switching between windows is
sufficient ;)</p>
</li>
<li><p class="first">now create the (self-signed) CA certificate itself:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">certtool</span> <span class="o">--</span><span class="n">generate</span><span class="o">-</span><span class="bp">self</span><span class="o">-</span><span class="n">signed</span> <span class="o">--</span><span class="n">load</span><span class="o">-</span><span class="n">privkey</span> <span class="n">ca</span><span class="o">-</span><span class="n">key</span><span class="o">.</span><span class="n">pem</span> <span class="o">--</span><span class="n">outfile</span> <span class="n">ca</span><span class="o">.</span><span class="n">pem</span>
</pre></div>
</div>
<p>This generates the CA certificate. This command queries you for a
number of things. Use appropriate responses. When it comes to
certificate validity, keep in mind that you need to recreate all
certificates when this one expires. So it may be a good idea to use a
long period, eg. 3650 days (roughly 10 years). You need to specify
that the certificates belongs to an authority. The certificate is
used to sign other certificates.</p>
</li>
</ol>
<div class="section" id="sample-screen-session">
<h2>Sample Screen Session<a class="headerlink" href="#sample-screen-session" title="Permalink to this headline">¶</a></h2>
<p>Text in red is user input. Please note that for some questions, there is
no user input given. This means the default was accepted by simply
pressing the enter key.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>[root@rgf9dev sample]# certtool --generate-privkey --outfile ca-key.pem --bits 2048
Generating a 2048 bit RSA private key...
[root@rgf9dev sample]# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): US
Organization name: SomeOrg
Organizational unit name: SomeOU
Locality name: Somewhere
State or province name: CA
Common name: someName (not necessarily DNS!)
UID:
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number (decimal):
Activation/Expiration time.
The certificate will expire in (days): 3650
Extensions.
Does the certificate belong to an authority? (Y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (Y/N):
Is this also a TLS web server certificate? (Y/N):
Enter the e-mail of the subject of the certificate: someone@example.net
Will the certificate be used to sign other certificates? (Y/N): y
Will the certificate be used to sign CRLs? (Y/N):
Will the certificate be used to sign code? (Y/N):
Will the certificate be used to sign OCSP requests? (Y/N):
Will the certificate be used for time stamping? (Y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 485a365e
Validity:
Not Before: Thu Jun 19 10:35:12 UTC 2008
Not After: Sun Jun 17 10:35:25 UTC 2018
Subject: C=US,O=SomeOrg,OU=SomeOU,L=Somewhere,ST=CA,CN=someName (not necessarily DNS!)
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
d9:9c:82:46:24:7f:34:8f:60:cf:05:77:71:82:61:66
05:13:28:06:7a:70:41:bf:32:85:12:5c:25:a7:1a:5a
28:11:02:1a:78:c1:da:34:ee:b4:7e:12:9b:81:24:70
ff:e4:89:88:ca:05:30:0a:3f:d7:58:0b:38:24:a9:b7
2e:a2:b6:8a:1d:60:53:2f:ec:e9:38:36:3b:9b:77:93
5d:64:76:31:07:30:a5:31:0c:e2:ec:e3:8d:5d:13:01
11:3d:0b:5e:3c:4a:32:d8:f3:b3:56:22:32:cb:de:7d
64:9a:2b:91:d9:f0:0b:82:c1:29:d4:15:2c:41:0b:97
Exponent:
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Subject Alternative Name (not critical):
RFC822name: someone@example.net
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
fbfe968d10a73ae5b70d7b434886c8f872997b89
Other Information:
Public Key Id:
fbfe968d10a73ae5b70d7b434886c8f872997b89
Is the above information ok? (Y/N): y
Signing certificate...
[root@rgf9dev sample]# chmod 400 ca-key.pem
[root@rgf9dev sample]# ls -l
total 8
-r-------- 1 root root 887 2008-06-19 12:33 ca-key.pem
-rw-r--r-- 1 root root 1029 2008-06-19 12:36 ca.pem
[root@rgf9dev sample]#
</pre></div>
</div>
<p><strong>Be sure to safeguard ca-key.pem!</strong> Nobody except the CA itself needs
to have it. If some third party obtains it, you security is broken!</p>
<div class="admonition seealso">
<p class="first admonition-title">See also</p>
<p>Help with configuring/using <code class="docutils literal"><span class="pre">Rsyslog</span></code>:</p>
<ul class="last simple">
<li><a class="reference external" href="http://lists.adiscon.net/mailman/listinfo/rsyslog">Mailing list</a> - best route for general questions</li>
<li>GitHub: <a class="reference external" href="https://github.com/rsyslog/rsyslog/">rsyslog source project</a> - detailed questions, reporting issues
that are believed to be bugs with <code class="docutils literal"><span class="pre">Rsyslog</span></code></li>
<li>Stack Exchange (<a class="reference external" href="https://stackexchange.com/filters/327462/rsyslog">View</a>, <a class="reference external" href="https://serverfault.com/questions/ask?tags=rsyslog">Ask</a>)
- experimental support from rsyslog community</li>
</ul>
</div>
<div class="admonition seealso">
<p class="first admonition-title">See also</p>
<p>Contributing to <code class="docutils literal"><span class="pre">Rsyslog</span></code>:</p>
<ul class="last simple">
<li>Source project: <a class="reference external" href="https://github.com/rsyslog/rsyslog/blob/master/README.md">rsyslog project README</a>.</li>
<li>Documentation: <a class="reference external" href="https://github.com/rsyslog/rsyslog-doc/blob/master/README.md">rsyslog-doc project README</a></li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<h3><a href="../index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Setting up the CA</a><ul>
<li><a class="reference internal" href="#sample-screen-session">Sample Screen Session</a></li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="tls_cert_scenario.html"
title="previous chapter">Sample Use Case: Single Central Log Server</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="tls_cert_machine.html"
title="next chapter">Generating the machine certificate</a></p>
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../_sources/tutorials/tls_cert_ca.rst.txt"
rel="nofollow">Show Source</a></li>
<li><a href="https://github.com/rsyslog/rsyslog-doc/edit/master/source/tutorials/tls_cert_ca.rst"
rel="nofollow">Edit on GitHub</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3>Quick search</h3>
<form class="search" action="../search.html" method="get">
<div><input type="text" name="q" /></div>
<div><input type="submit" value="Go" /></div>
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="tls_cert_machine.html" title="Generating the machine certificate"
>next</a> |</li>
<li class="right" >
<a href="tls_cert_scenario.html" title="Sample Use Case: Single Central Log Server"
>previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../index.html">rsyslog 8.1911.0 documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="index.html" >Tutorials</a> »</li>
<li class="nav-item nav-item-2"><a href="tls_cert_summary.html" >Encrypting Syslog Traffic with TLS (SSL)</a> »</li>
</ul>
</div>
<div class="footer" role="contentinfo">
© Copyright 2008-2019, `Rainer Gerhards and Others.
</div>
</body>
</html>