Creating the local repository and basic configuration for the Logstash server

Before you can configure the Secure Sockets Layer (SSL) connection between the LFA and your Logstash servers, you need to create a local repository and a basic configuration.

Before you begin

To complete this task, you need the OpenSSL tool. Download it if you have not done so already. For more information, see https://www.openssl.org/.

Procedure

  1. Log in to the server where you installed Logstash.
  2. Create a local repository to store the certificates and keys.
    Enter the following command:
    mkdir -p /etc/pki/tls/myCA/signedcerts && mkdir /etc/pki/tls/myCA/private
    This command creates a directory that is called myCA with two subdirectories that are called signedcerts and private. You use these directories as follows:
    /etc/pki/tls/myCA
    Use this directory to store the certificate authority (CA) certificate, the certificate database, generated certificates, keys, and requests.
    /etc/pki/tls/myCA/signedcerts
    Use this directory to store copies of the certificates.
    /etc/pki/tls/myCA/private
    Use this directory to store the private key.
  3. To create an initial certificate database in the myCA directory, enter the following command:
    
    cd /etc/pki/tls/myCA
    echo '01' > serial && touch index.txt
  4. Create a text file that is called caconfig.cnf that you use as the initial configuration file. Save the file to the /etc/pki/tls/myCA/ directory.
  5. To add the initial configuration, edit the /etc/pki/tls/myCA/caconfig.cnf. Copy the sample configuration and add the specific details for your environment. Save the file.
    For more information about the sample configuration, see Sample configuration for LFA and Logstash SSL.
  6. To create the OPENSSL_CONF environment variable, enter the following command:
    export OPENSSL_CONF=/etc/pki/tls/myCA/caconfig.cnf
    This command sets an environment variable that is called OPENSSL_CONF, which makes the OpenSSL tool read its configuration from the specified file. In this case, the file is /etc/pki/tls/myCA/caconfig.cnf.
  7. To generate the CA root certificate and key, enter the following command:
    openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
    Enter the pass phrase when prompted. The output is similar to this one:
    
    Generating a 2048 bit RSA private key
    .................................+++
    .................................+++
    writing new private key to '/etc/pki/tls/myCA/private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    
    In this example, the pass phrase is logstash.
    Note the pass phrase. You need it when you want to generate another client certificate or add another server to the configuration.

Results

You create a self-signed CA certificate in PEM format with an RSA key pair; the private key is protected by the pass phrase that you entered. The certificate is valid for 1825 days. The following files are created:
/etc/pki/tls/myCA/cacert.pem
This file is the CA public certificate.
/etc/pki/tls/myCA/private/cakey.pem
This file is the CA private key.

What to do next

You can also create a copy of the CA certificate file that contains only the certificate block and strips any other text, such as the human-readable certificate details. This step is optional. To create the stripped certificate, enter the following command:
openssl x509 -in cacert.pem -out cacert.crt
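The whole procedure above (steps 2 to 7) plus the optional stripping step, collected into a single script as an added example; this is not code from the original page or from the LFA/Logstash documentation. It assumes a caller-chosen base directory instead of the fixed /etc/pki/tls/myCA so that it can be run unprivileged, takes the pass phrase from an assumed CA_PASSPHRASE environment variable instead of an interactive prompt, and writes a minimal constructed caconfig.cnf (example subject names) as a stand-in for the separately documented sample configuration. The verify_ca function adds the checks a practitioner should run afterwards: that the certificate really is a CA certificate, that the private key is encrypted with the pass phrase, and that the certificate and key belong together.

```shell
#!/bin/sh
# Added example, not the page's own code. Builds the local CA repository from
# the procedure under $1 (the real procedure uses /etc/pki/tls/myCA).
# Assumptions: CA_PASSPHRASE holds the pass phrase; the caconfig.cnf below is
# a minimal constructed placeholder, not the documented sample configuration.
set -eu

# Steps 2 and 3: directory layout plus the initial certificate database.
create_ca_repo() {
    base="$1"
    mkdir -p "$base/signedcerts" "$base/private"
    chmod 700 "$base/private"      # the CA private key lives here; owner-only
    echo '01' > "$base/serial"
    : > "$base/index.txt"
}

# Steps 4 and 5: write the initial configuration (constructed placeholder).
# default_keyfile puts the key where the procedure's output shows it.
write_ca_config() {
    base="$1"
    cat > "$base/caconfig.cnf" <<EOF
[ req ]
default_bits       = 2048
default_keyfile    = $base/private/cakey.pem
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
C  = XX
O  = Example LFA CA
CN = LFA Logstash Root CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 6 and 7: point OpenSSL at the config and generate the CA root
# certificate and encrypted private key (same command as the procedure,
# with the pass phrase supplied non-interactively).
generate_ca() {
    base="$1"
    export OPENSSL_CONF="$base/caconfig.cnf"
    ( cd "$base" && openssl req -x509 -newkey rsa:2048 -out cacert.pem \
        -outform PEM -days 1825 -passout "pass:$CA_PASSPHRASE" )
}

# Post-checks: CA flag set, key actually encrypted, cert and key match.
verify_ca() {
    base="$1"
    openssl x509 -in "$base/cacert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
    grep -q 'ENCRYPTED' "$base/private/cakey.pem" || return 1
    cert_pub=$(openssl x509 -in "$base/cacert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$base/private/cakey.pem" \
        -passin "pass:$CA_PASSPHRASE" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# "What to do next": keep only the certificate block in cacert.crt.
strip_to_crt() {
    base="$1"
    openssl x509 -in "$base/cacert.pem" -out "$base/cacert.crt"
}
```

Run it as, for example, `CA_PASSPHRASE=logstash sh -c '. ./ca.sh; d=/etc/pki/tls/myCA; create_ca_repo $d; write_ca_config $d; generate_ca $d; verify_ca $d && strip_to_crt $d'`. Because OPENSSL_CONF is exported, every later openssl invocation in the same shell also reads this file, which is exactly what the later client and server certificate steps rely on.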