Before you can configure the Secure Sockets Layer (SSL, now Transport Layer Security or TLS) connection between the LFA and your Logstash servers, you need to create a local repository and a basic configuration for a private certificate authority (CA). This CA signs the certificates that the LFA and the Logstash servers present to each other.
Before you begin
To complete this task, you need the OpenSSL tool. Download it if you have not done so already.
For more information, see https://www.openssl.org/.
Procedure
-
Log in to the server where you installed Logstash.
-
Create a local repository to store the certificates and keys. Enter the following command:
mkdir -p /etc/pki/tls/myCA/signedcerts && mkdir /etc/pki/tls/myCA/private
This command creates a directory that is called myCA with two subdirectories that are called signedcerts and private. You use these directories as follows:
/etc/pki/tls/myCA
- Use this directory to store the certificate authority (CA) certificate, the certificate database (the serial and index.txt files), generated certificates, keys, and certificate requests.
/etc/pki/tls/myCA/signedcerts
- Use this directory to store copies of the certificates that the CA signs. The openssl ca command writes one file here for each certificate that it issues, named after the serial number.
/etc/pki/tls/myCA/private
- Use this directory to store the CA private key. Restrict the directory to its owner (for example, mode 700): anyone who can read the key and knows its pass phrase can issue certificates that the LFA and Logstash trust.
-
To create an initial certificate database in the myCA directory, enter the following commands. The serial file holds the next serial number to issue, in hexadecimal, and index.txt is the initially empty database of issued certificates that the openssl ca command maintains:
cd /etc/pki/tls/myCA
echo '01' > serial && touch index.txt
-
Create a text file that is called caconfig.cnf that you use as the initial configuration file. Save the file to the /etc/pki/tls/myCA/ directory.
-
To add the initial configuration, edit /etc/pki/tls/myCA/caconfig.cnf. Copy the sample configuration and add the specific details for your environment, such as the directory paths and the distinguished name of your CA. At a minimum, the [ req ] section must set default_keyfile to /etc/pki/tls/myCA/private/cakey.pem, because the command that generates the CA certificate in a later step does not pass a key file name and relies on this setting to write the CA private key there. Save the file.
-
To create the OPENSSL_CONF environment variable, enter the following command:
export OPENSSL_CONF=/etc/pki/tls/myCA/caconfig.cnf
This command creates an environment variable that is called OPENSSL_CONF that makes the OpenSSL tool read its configuration from the specified file instead of the system default. In this case, the file is /etc/pki/tls/myCA/caconfig.cnf. The variable applies to the current shell session only: export it again in a new session, or pass -config /etc/pki/tls/myCA/caconfig.cnf to each openssl command, before you generate more certificates.
-
To generate the CA root certificate and key, enter the following command:
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
Enter a pass phrase when prompted. After the dashed line, OpenSSL prompts for the distinguished name of the CA unless caconfig.cnf supplies it (prompt = no in the [ req ] section). The output is similar to this one:
Generating a 2048 bit RSA private key
.................................+++
.................................+++
writing new private key to '/etc/pki/tls/myCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
In this example, the pass phrase logstash was used. Do not reuse it: choose a strong pass phrase of your own, because it is all that protects the CA private key, and anyone who holds cakey.pem and the pass phrase can issue certificates that the LFA and Logstash trust.
Note the pass phrase. You need it when you want to generate another client certificate or add another server to the configuration.
Results
You create a self-signed CA certificate in PEM format with a 2048-bit RSA key pair (2048 bits is the minimum you should use; rsa:4096 is a reasonable choice for a CA that stays in service for years). The certificate is valid for 1825 days (five years). When it expires, every certificate that it signed stops validating and you must repeat this task. The following files are created:
- /etc/pki/tls/myCA/cacert.pem
- This file is the CA public certificate. It is the file to give to every peer that must trust certificates that this CA signs.
- /etc/pki/tls/myCA/private/cakey.pem
- This file is the CA private key, encrypted with the pass phrase. Never copy it to the LFA or to any other host.
What to do next
You can also create a copy of the CA certificate that contains only the PEM certificate block and removes any other text. This step is optional. The command reads cacert.pem (the certificate, not the private key) and writes only the -----BEGIN CERTIFICATE----- block to cacert.crt, which helps when a tool rejects the human-readable text that some OpenSSL commands, such as openssl ca, write before the block. To create the certificate and remove the extra text, enter the following command:
openssl x509 -in cacert.pem -out cacert.crt
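The whole procedure above, including the optional last step and a client certificate issued from the new CA, as one non-interactive shell script. This is an added example and is not code from the original page or from the LFA or Logstash documentation. It assumes a hypothetical minimal caconfig.cnf (the page's sample configuration is not reproduced here), takes the CA directory and pass phrase as parameters so that it can run outside /etc/pki/tls, uses -config and -passout in place of the exported OPENSSL_CONF variable and the interactive pass phrase prompt, and writes the database files by absolute path instead of changing directory. Example Logstash CA, Example Org, lfa-client and example-passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not the page's own code: the procedure above as one
# non-interactive script, plus a client certificate issued from the new CA
# so that serial and index.txt are exercised. Assumptions: the CA directory
# and pass phrase are parameters (so it can run outside /etc/pki/tls), and
# the caconfig.cnf below is a hypothetical minimal one, not the page's sample.
set -eu

# make_ca <ca_dir> <pass phrase>: layout, database, config, self-signed root.
make_ca() {
    ca_dir=$1; pass=$2; cfg=$ca_dir/caconfig.cnf
    mkdir -p "$ca_dir/signedcerts" "$ca_dir/private"
    chmod 700 "$ca_dir/private"        # key directory: owner only
    echo '01' > "$ca_dir/serial"       # next serial number, hex, even digits
    : > "$ca_dir/index.txt"            # empty database of issued certificates
    # Unquoted heredoc: $ca_dir expands now, \$dir is left for OpenSSL.
    cat > "$cfg" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir             = $ca_dir
new_certs_dir   = \$dir/signedcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
policy          = local_ca_policy
x509_extensions = local_ca_extensions

[ local_ca_policy ]
commonName       = supplied
organizationName = supplied

[ local_ca_extensions ]
basicConstraints = CA:false

[ req ]
default_bits       = 2048
default_keyfile    = $ca_dir/private/cakey.pem
default_md         = sha256
prompt             = no
distinguished_name = root_ca_dn
x509_extensions    = root_ca_extensions

[ root_ca_dn ]
commonName       = Example Logstash CA
organizationName = Example Org

[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage         = keyCertSign, cRLSign
EOF
    # -config does what 'export OPENSSL_CONF=...' does, per call. -passout
    # replaces the pass phrase prompt; prompt = no takes the DN from root_ca_dn.
    openssl req -config "$cfg" -x509 -newkey rsa:2048 -sha256 -days 1825 \
        -out "$ca_dir/cacert.pem" -outform PEM -passout "pass:$pass" \
        >/dev/null 2>&1
}

# issue_client_cert <ca_dir> <pass phrase> <name>: CSR signed by the CA.
# Prints the path of the PEM-only certificate.
issue_client_cert() {
    ca_dir=$1; pass=$2; name=$3; cfg=$ca_dir/caconfig.cnf
    openssl req -config "$cfg" -new -newkey rsa:2048 -nodes \
        -keyout "$ca_dir/private/$name.key" -out "$ca_dir/$name.csr" \
        -subj "/O=Example Org/CN=$name" >/dev/null 2>&1
    # 'openssl ca' consumes the next serial and appends to index.txt; -batch
    # skips the "Sign the certificate?" prompts. Its -out file carries a text
    # dump above the PEM block, which 'openssl x509' strips (the page's last step).
    openssl ca -config "$cfg" -batch -passin "pass:$pass" -days 365 \
        -in "$ca_dir/$name.csr" -out "$ca_dir/signedcerts/$name.pem" \
        >/dev/null 2>&1
    openssl x509 -in "$ca_dir/signedcerts/$name.pem" -out "$ca_dir/$name.crt" \
        >/dev/null 2>&1
    echo "$ca_dir/$name.crt"
}

# verify_cert <ca_dir> <cert>: succeeds only if <cert> chains to cacert.pem.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# ca_is_ca <ca_dir>: succeeds if the root carries basicConstraints CA:TRUE.
ca_is_ca() {
    openssl x509 -in "$1/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone demo in a temporary directory: sh make_ca.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_ca "$d/myCA" 'example-passphrase'
    crt=$(issue_client_cert "$d/myCA" 'example-passphrase' lfa-client)
    verify_cert "$d/myCA" "$crt" && echo "$crt verifies against $d/myCA/cacert.pem"
fi
```

The client step is what the serial and index.txt files exist for: openssl ca reads the next serial number, records the issued certificate in index.txt, and drops a copy named by serial into signedcerts. Its output file has the human-readable dump above the PEM block, so the openssl x509 pass at the end is the same stripping step that the page shows for cacert.pem. For the real server, call make_ca with /etc/pki/tls/myCA and your own pass phrase, and keep private/ on that host only.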