<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Creating certificates with a script — rsyslog 8.1911.0 documentation</title>
<link rel="stylesheet" href="../_static/classic.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/rsyslog.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '8.1911.0',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="Encrypting Syslog Traffic with TLS (SSL) [short version]" href="tls.html" />
<link rel="prev" title="Error Messages" href="tls_cert_errmsgs.html" />
</head>
<body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="tls.html" title="Encrypting Syslog Traffic with TLS (SSL) [short version]"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="tls_cert_errmsgs.html" title="Error Messages"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../index.html">rsyslog 8.1911.0 documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="index.html" >Tutorials</a> »</li>
<li class="nav-item nav-item-2"><a href="tls_cert_summary.html" accesskey="U">Encrypting Syslog Traffic with TLS (SSL)</a> »</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="creating-certificates-with-a-script">
<h1>Creating certificates with a script<a class="headerlink" href="#creating-certificates-with-a-script" title="Permalink to this headline">¶</a></h1>
<p><em>Written by</em> <a class="reference external" href="https://www.adiscon.com">Florian Riedl</a>
<em>(2019-09-12)</em></p>
<div class="section" id="overview">
<h2>Overview<a class="headerlink" href="#overview" title="Permalink to this headline">¶</a></h2>
<p>This small article describes is a quick addon to the TLS guides. It describes
in short words, how you can create some quick and dirty certificates for
testing.</p>
<p><strong>Disclaimer</strong>: When creating certificates with the attached scripts and more or
less default configurations, you cannot create secure certificates. You need to
use more detailed configuration files to create secure certificates.</p>
</div>
<div class="section" id="description">
<h2>Description<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
<p>We created a few simple scripts and added configuration files from the sample
configuration in the certtool man page. You can download them here:
<a class="reference download internal" href="../_downloads/cert-script.tar.gz" download=""><code class="xref download docutils literal"><span class="pre">Download</span> <span class="pre">Scripts</span></code></a>.</p>
<p>The tarball contains 6 files, 3 scripts and 3 configurations. To execute, you
must make the scripts executable and have certtool installed via libgnutls.</p>
<ul class="simple">
<li>Script 1 creates the CA key and certificate as outlined in <a class="reference external" href="tls_cert_ca.html">Setting up the CA</a></li>
<li>Script 2 creates the <a class="reference external" href="tls_cert_machine.html">machine key and certificate</a> for
a client.</li>
<li>Script 3 creates the machine key and certificate for a server.</li>
</ul>
<p>These scripts can easily be combined into one. But, we decided to go for
separate scripts so each step can be repeated separately if needed.</p>
<p>After the scripts are executed, you should have 2 new files per script.
Distribute the files to the machines as described before.</p>
</div>
<div class="section" id="example">
<h2>Example<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
<p>Apart from executing the scripts, no extra input is required. All input from
manual certificate creating can be done automatically via the configuration
template in the cfg files.</p>
<p>Sample output for the CA certificate generation.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>test@ubuntu:~/Documents$ ./1-generate-ca.sh
** Note: Please use the --sec-param instead of --bits
Generating a 2048 bit RSA private key...
Generating a self signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 5d7a6351
Validity:
Not Before: Thu Sep 12 15:25:05 UTC 2019
Not After: Sun Sep 09 15:25:05 UTC 2029
Subject: C=US,O=Example,OU=Example,CN=CA-Cert
Subject Public Key Algorithm: RSA
Certificate Security Level: Low
Modulus (bits 2048):
00:95:28:40:b6:4d:60:7c:cf:72:1d:17:36:b5:f1:11
0d:42:05:e9:38:c7:6e:95:d9:42:02:c5:4b:f2:9d:e2
c8:31:ac:18:ae:55:f7:e0:4c:dd:6d:72:32:01:fa:1d
da:a1:3d:ad:c9:13:0a:68:3e:bc:40:6a:1e:f2:f7:65
f0:e9:64:fa:84:8b:96:15:b5:10:f3:99:29:14:ee:fc
88:8d:41:29:8e:c7:9b:23:df:8b:a3:79:28:56:ed:27
66:a4:9a:fa:75:47:67:0a:e2:f4:35:98:e8:9e:ad:35
c2:b2:17:8b:98:72:c4:30:58:fd:13:b6:f4:01:d0:66
56:be:61:85:55:dc:91:b6:4e:0a:3f:d4:3f:40:fa:a8
92:5e:c5:dd:75:da:c3:27:33:59:43:47:74:fe:d2:28
14:49:62:ee:39:22:34:6b:2f:e8:d1:ba:e9:95:6d:29
d2:6f:8a:a2:fc:c8:da:f0:47:78:3b:2c:03:dc:fb:43
31:9e:a1:cb:11:18:b9:0b:31:d3:86:43:68:f8:c4:bd
ab:90:13:33:75:e9:b5:ca:74:c3:83:98:e9:91:3d:39
fb:65:43:77:0b:b2:bc:3b:33:c2:91:7e:db:c3:a2:a1
80:0b:a0:ce:cb:34:29:8b:24:52:25:aa:eb:bd:40:34
cb
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
6bbe9a650dbcaf5103c78daf8a2604d76a749f42
Other Information:
Public Key Id:
6bbe9a650dbcaf5103c78daf8a2604d76a749f42
Signing certificate...
</pre></div>
</div>
<p>Sample output for the machine certificate generation.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>test@ubuntu:~/Documents$ ./2-generate-client.sh
** Note: Please use the --sec-param instead of --bits
Generating a 2048 bit RSA private key...
Generating a PKCS #10 certificate request...
Generating a signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 5d7a6402
Validity:
Not Before: Thu Sep 12 15:28:02 UTC 2019
Not After: Sun Sep 09 15:28:02 UTC 2029
Subject: C=US,O=Example,OU=Example,CN=Test Client
Subject Public Key Algorithm: RSA
Certificate Security Level: Low
Modulus (bits 2048):
00:bd:7f:0b:20:2e:fe:f1:49:91:71:fa:f1:72:76:6b
c0:96:ce:e0:85:80:a3:6a:d2:9e:07:dd:02:94:4f:df
c8:34:13:7d:d1:8f:b8:1b:1f:cf:b8:b7:ae:2f:dd:9a
da:52:6e:a3:f4:73:20:63:32:46:c2:e1:94:73:6b:cd
b4:e4:82:46:25:b0:62:f9:12:28:4f:4f:76:23:5c:47
1b:f9:61:cd:68:c1:c1:17:93:90:3c:d2:2b:6e:82:c2
a3:ca:80:b7:89:6e:b6:16:ae:47:05:e5:b4:07:bf:75
d9:bd:aa:fe:79:77:72:6e:af:ed:5b:97:d1:e0:00:ba
ab:6f:9e:1f:a6:d4:95:d7:d3:39:88:9b:58:88:28:a0
7e:b6:fe:07:7e:68:ad:a1:d0:23:12:3d:96:b2:a8:8e
73:66:c0:4f:10:a0:e5:9e:ab:2a:37:1d:83:b1:c3:e5
7c:35:cc:20:05:7c:7e:41:89:f1:b3:6b:e4:00:f2:bc
0b:08:55:07:b3:67:e4:14:1c:3c:64:1b:92:2d:d7:f0
f7:d4:dc:d7:63:1e:fd:e4:98:bc:6b:f1:1a:a9:af:05
7a:94:52:f5:b5:36:f0:0c:c0:41:0a:39:b7:fb:b3:50
c1:ce:ee:24:56:61:77:9d:9e:e1:d0:e1:39:f0:cc:b6
29
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Subject Key Identifier (not critical):
5a1a7316c4594cafafbeb45ddb49623af3a9f231
Authority Key Identifier (not critical):
6bbe9a650dbcaf5103c78daf8a2604d76a749f42
Other Information:
Public Key Id:
5a1a7316c4594cafafbeb45ddb49623af3a9f231
Signing certificate...
</pre></div>
</div>
<p><strong>Be sure to safeguard ca-key.pem!</strong> Nobody except the CA itself needs
to have it. If some third party obtains it, you security is broken!</p>
<div class="admonition seealso">
<p class="first admonition-title">See also</p>
<p>Help with configuring/using <code class="docutils literal"><span class="pre">Rsyslog</span></code>:</p>
<ul class="last simple">
<li><a class="reference external" href="http://lists.adiscon.net/mailman/listinfo/rsyslog">Mailing list</a> - best route for general questions</li>
<li>GitHub: <a class="reference external" href="https://github.com/rsyslog/rsyslog/">rsyslog source project</a> - detailed questions, reporting issues
that are believed to be bugs with <code class="docutils literal"><span class="pre">Rsyslog</span></code></li>
<li>Stack Exchange (<a class="reference external" href="https://stackexchange.com/filters/327462/rsyslog">View</a>, <a class="reference external" href="https://serverfault.com/questions/ask?tags=rsyslog">Ask</a>)
- experimental support from rsyslog community</li>
</ul>
</div>
<div class="admonition seealso">
<p class="first admonition-title">See also</p>
<p>Contributing to <code class="docutils literal"><span class="pre">Rsyslog</span></code>:</p>
<ul class="last simple">
<li>Source project: <a class="reference external" href="https://github.com/rsyslog/rsyslog/blob/master/README.md">rsyslog project README</a>.</li>
<li>Documentation: <a class="reference external" href="https://github.com/rsyslog/rsyslog-doc/blob/master/README.md">rsyslog-doc project README</a></li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<h3><a href="../index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Creating certificates with a script</a><ul>
<li><a class="reference internal" href="#overview">Overview</a></li>
<li><a class="reference internal" href="#description">Description</a></li>
<li><a class="reference internal" href="#example">Example</a></li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="tls_cert_errmsgs.html"
title="previous chapter">Error Messages</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="tls.html"
title="next chapter">Encrypting Syslog Traffic with TLS (SSL) [short version]</a></p>
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../_sources/tutorials/tls_cert_script.rst.txt"
rel="nofollow">Show Source</a></li>
<li><a href="https://github.com/rsyslog/rsyslog-doc/edit/master/source/tutorials/tls_cert_script.rst"
rel="nofollow">Edit on GitHub</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3>Quick search</h3>
<form class="search" action="../search.html" method="get">
<div><input type="text" name="q" /></div>
<div><input type="submit" value="Go" /></div>
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="tls.html" title="Encrypting Syslog Traffic with TLS (SSL) [short version]"
>next</a> |</li>
<li class="right" >
<a href="tls_cert_errmsgs.html" title="Error Messages"
>previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../index.html">rsyslog 8.1911.0 documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="index.html" >Tutorials</a> »</li>
<li class="nav-item nav-item-2"><a href="tls_cert_summary.html" >Encrypting Syslog Traffic with TLS (SSL)</a> »</li>
</ul>
</div>
<div class="footer" role="contentinfo">
© Copyright 2008-2019, `Rainer Gerhards and Others.
</div>
</body>
</html>