Preparation

  1. Create a CA private key and a certificate signing request (CSR).
    1. Prepare the ca.cnf configuration file:

      [ req ]
      default_bits = 2048
      default_md = sha256
      prompt = no
      encrypt_key = no
      distinguished_name = dn
      
      [ dn ]
      C = US
      O = Logstash Test CA
      CN = ca.example.org

      Make sure to update the dn section with your values. The values can be chosen freely; they play no role in the subsequent processing.

    2. Create the key and certificate.
      # create private key
      openssl genrsa -out ca-key.pem 4096
      # create CSR
      openssl req -config ca.cnf -key ca-key.pem -new -out ca-req.csr
      # create self-signed CA
      openssl x509 -signkey ca-key.pem -in ca-req.csr -req -days 365 -out ca.crt
  2. Create files used on the server side (the rsyslog server).
    1. Prepare the server.cnf configuration file. It’s important to set the default_md value to at least sha256. Make sure to fill in the correct information for the dn field. It’s preferred to use a domain name for CN but an IP address works too. For more information, see the OpenSSL documentation on Subject Alternative Name.
      • Example that uses a hostname:
        [ req ]
        default_bits = 2048
        default_md = sha256
        prompt = no
        encrypt_key = no
        distinguished_name = dn
        
        [ server ]
        subjectAltName = DNS:${HOSTNAME}
        extendedKeyUsage = serverAuth
        
        [ dn ]
        C = US
        O = Rsyslog Test Server
        CN = ${HOSTNAME}
      • Example that uses an IP address:
        [ req ]
        default_bits = 2048
        default_md = sha256
        prompt = no
        encrypt_key = no
        distinguished_name = dn
        
        [ server ]
        subjectAltName = IP:${IP}
        extendedKeyUsage = serverAuth
        
        [ dn ]
        C = US
        O = Rsyslog Test Server
        CN = ${IP_OR_HOSTNAME}
    2. Create the key and certificate. Make sure the server certificate server.crt contains a SAN for the IP or the hostname, depending on whether the server is accessed via IP or hostname.
      # create private key
      openssl genrsa -out server-key.pem 4096
      # create CSR for the server certificate
      openssl req -config server.cnf -key server-key.pem -new -out server-req.csr
      # have the CA created in (1) sign the certificate
      openssl x509 -req -in server-req.csr -days 365 -CA ca.crt -CAkey ca-key.pem -CAcreateserial -extfile server.cnf -extensions server -out server.crt
  3. Create files used on the client side (the IBM Confidential Computing Containers instance).
    1. Prepare the client.cnf configuration file:
      [ req ]
      default_bits = 2048
      default_md = sha256
      prompt = no
      encrypt_key = no
      distinguished_name = dn
      
      [ dn ]
      C = US
      O = Logstash Test Client
      CN = client.example.org

      Make sure to update dn with your values. Whether the actual values play a role depends on the StreamDriver.Authmode setting (which appears in the following documentation). In this example, we use the setting StreamDriver.Authmode="x509/certvalid" and in this case, the value of dn does not play a role (since all valid client certificates are accepted). Adjust this according to your needs. For more information, see StreamDriver.Authmode.

    2. Create the key and certificate:
      # create private key
      openssl genrsa -out client-key.pem 4096
      # create CSR for client auth
      openssl req -config client.cnf -key client-key.pem -new -out client-req.csr
      # have the CA created in (1) sign the certificate
      openssl x509 -req -in client-req.csr -days 365 -CA ca.crt -CAkey ca-key.pem -CAcreateserial -out client.crt
      # export key to PKCS#8 format
      openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in client-key.pem -out client-key-pkcs8.pem
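The whole procedure carried through end to end, as an added example that is not part of the original page: it generates the CA, server and client material with the commands above and then verifies what rsyslog will later rely on (both leaf certificates chain to ca.crt, the server SAN matches the hostname, and the PKCS#8 key belongs to client.crt). Assumptions: openssl on PATH, a POSIX shell, 2048-bit keys to keep the run short, and one addition to the page's ca.cnf (basicConstraints CA:TRUE and keyUsage keyCertSign on the CA certificate, which OpenSSL's verify requires before it accepts a v3 certificate as a CA).

```shell
# Added example, not from the original page: builds the CA, server and client
# material of the procedure above, then checks what rsyslog will rely on.
# Assumptions: openssl in PATH, POSIX sh, 2048-bit keys to keep the run short.
# Addition beyond the page's ca.cnf: basicConstraints CA:TRUE and keyUsage
# keyCertSign on the CA cert, which OpenSSL verify needs to accept a v3 CA.
set -eu

# Write a request config like the *.cnf files above: $1 = O, $2 = CN, $3 = optional extra section (%b expands its \n)
mkcnf() {
  printf '[ req ]\ndefault_bits = 2048\ndefault_md = sha256\nprompt = no\n'
  printf 'encrypt_key = no\ndistinguished_name = dn\n[ dn ]\nC = US\nO = %s\nCN = %s\n' "$1" "$2"
  if [ $# -gt 2 ]; then printf '%b\n' "$3"; fi
}

# $1 = scratch directory, $2 = server hostname that goes into the SAN
make_pki() (
  cd "$1" || exit 1
  mkcnf 'Logstash Test CA' ca.example.org \
    '[ ca_ext ]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign' > ca.cnf
  mkcnf 'Rsyslog Test Server' "$2" \
    "[ server ]\nsubjectAltName = DNS:$2\nextendedKeyUsage = serverAuth" > server.cnf
  mkcnf 'Logstash Test Client' client.example.org > client.cnf
  # step 1: CA key, CSR and self-signed CA certificate
  openssl genrsa -out ca-key.pem 2048 2>/dev/null
  openssl req -config ca.cnf -key ca-key.pem -new -out ca-req.csr
  openssl x509 -signkey ca-key.pem -in ca-req.csr -req -days 365 \
    -extfile ca.cnf -extensions ca_ext -out ca.crt 2>/dev/null
  # step 2: server key, CSR and CA-signed certificate carrying the SAN
  openssl genrsa -out server-key.pem 2048 2>/dev/null
  openssl req -config server.cnf -key server-key.pem -new -out server-req.csr
  openssl x509 -req -in server-req.csr -days 365 -CA ca.crt -CAkey ca-key.pem \
    -CAcreateserial -extfile server.cnf -extensions server -out server.crt 2>/dev/null
  # step 3: client key, CSR, CA-signed certificate and PKCS#8 export of the key
  openssl genrsa -out client-key.pem 2048 2>/dev/null
  openssl req -config client.cnf -key client-key.pem -new -out client-req.csr
  openssl x509 -req -in client-req.csr -days 365 -CA ca.crt -CAkey ca-key.pem \
    -CAcreateserial -out client.crt 2>/dev/null
  openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in client-key.pem -out client-key-pkcs8.pem
)

# $1 = directory from make_pki, $2 = hostname a client would connect to; returns 0 only if every check passes (subshell body, so exit stays local)
check_pki() (
  cd "$1" || exit 1
  # server.crt chains to ca.crt and its SAN matches the name clients verify
  openssl verify -CAfile ca.crt -verify_hostname "$2" server.crt >/dev/null 2>&1 || exit 1
  # client.crt chains to ca.crt, which is all that x509/certvalid checks
  openssl verify -CAfile ca.crt client.crt >/dev/null 2>&1 || exit 1
  # the exported PKCS#8 key is the one client.crt was issued for
  [ "$(openssl x509 -in client.crt -noout -pubkey)" = "$(openssl pkey -in client-key-pkcs8.pem -pubout 2>/dev/null)" ]
)
```

Run make_pki into a scratch directory and then check_pki with the hostname clients will connect to; check_pki with any other hostname fails, which is the SAN mismatch an rsyslog client would report.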