After you create the repository and basic configuration, the next step is to create a
self-signed certificate for the Logstash server.
About this task
As part of this procedure, you choose whether the private key of your certificate stays encrypted with a passphrase. Encryption is the most secure approach. If the key is encrypted, the passphrase is required every time that an SSL application requests the certificate. However, this requirement can cause issues during automated starts and restarts, where the passphrase is required but cannot be entered. To avoid this issue, you can decrypt the private key. If you do so, SSL applications can use the certificate without requesting the passphrase. This decision involves a trade-off between security and complexity.
Procedure
- Create a file called logstash-server.cnf in the /etc/pki/tls/myCA/ directory.
- Edit the logstash-server.cnf file and add the following text. Ensure that you add the correct values for your environment. The commonName must match the host name of the server that you want to use the key for. If the names do not match, errors are logged by the client applications that access the server. Save the file.
########################################
#
# logstash-server.cnf
#
########################################
[ req ]
prompt = no
distinguished_name = server_distinguished_name
req_extensions = v3_req
[ server_distinguished_name ]
commonName = <Server host name>
stateOrProvinceName = <State or province name>
countryName = <Country name>
emailAddress = <Email address>
organizationName = <Organization name>
organizationalUnitName = <Organizational unit name>
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = nc012345
DNS.1 = nc12345.example.com
########################################
- To set the OpenSSL environment variable, enter the following command:
export OPENSSL_CONF=/etc/pki/tls/myCA/logstash-server.cnf
This command ensures that the OpenSSL tool reads its configuration from a file in another directory. In this case, the directory is /etc/pki/tls/myCA/.
- To generate the server key and certificate signing request, enter the following command. Enter the passphrase when prompted.
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
The output of this command is as follows:
Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'tempkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
- Decide whether you want the private key to be encrypted or not.
To convert the temporary private key into an unencrypted key, enter the following command. Enter the passphrase when prompted.
openssl rsa < tempkey.pem > server_key.pem
The following output is displayed:
Enter pass phrase:
writing RSA key
Alternatively, keep the key encrypted by renaming the temporary key. To rename the key, enter the following command:
mv tempkey.pem server_key.pem
If the key remains encrypted, the passphrase is required every time that the server is accessed.
- To modify the OpenSSL environment variable so that it points to the CA configuration, enter the following command:
export OPENSSL_CONF=/etc/pki/tls/myCA/caconfig.cnf
This command ensures that the OpenSSL tool reads its configuration from a different file. In this case, the directory is /etc/pki/tls/myCA/.
- To sign the certificate request with your CA, enter the following command. Enter the CA passphrase and confirm the configuration details when prompted.
openssl ca -in tempreq.pem -out server_crt.pem
The output is as follows:
ca -in tempreq.pem -out server_crt.pem
Using configuration from /etc/pki/tls/myCA/caconfig.cnf
Enter pass phrase for /etc/pki/tls/myCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'1.23.45.678'
stateOrProvinceName :PRINTABLE:'GA'
countryName :PRINTABLE:'US'
emailAddress :IA5STRING:'root@example.com'
organizationName :PRINTABLE:'Mine'
organizationalUnitName:PRINTABLE:'Dev'
Certificate is to be certified until Oct 13 17:10:54 2019 GMT (1825 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- To remove the temporary key and request files, enter the following command:
rm -f tempkey.pem && rm -f tempreq.pem
Results
You created a self-signed server application certificate and key pair:
- server_crt.pem: the server application's certificate file.
- server_key.pem: the server application's key file.
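A check for the two properties this procedure leaves you to decide, as an added example that is not part of the original documentation: whether server_key.pem is still passphrase-protected, and whether server_crt.pem lists the Logstash host name in its subjectAltName. The script and its sample key files are constructed for this example; the certificate check assumes the openssl CLI is installed.

```shell
#!/bin/sh
# check_logstash_cert.sh: constructed example, not part of the original procedure.
# Checks the two things the procedure leaves to the operator: whether
# server_key.pem is still passphrase-protected (the encrypted vs decrypted
# choice, which stops unattended restarts at a prompt) and whether the
# certificate's subjectAltName lists the Logstash host name (the mismatch
# that clients otherwise log as an error).

# Returns 0 when the PEM key is encrypted. Covers both encodings OpenSSL emits:
# the legacy "Proc-Type: 4,ENCRYPTED" header (OpenSSL 1.x, as in this procedure)
# and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" header (OpenSSL 3.x).
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Returns 0 when HOST ($2) appears as a DNS entry in the subjectAltName of CERT ($1).
# Parses 'openssl x509 -text' output, which is stable across OpenSSL versions.
cert_has_san_host() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | grep -qxE "[[:space:]]*DNS:$2[[:space:]]*"
}

# Writes two constructed sample keys (PEM headers only, no real key material)
# into DIR ($1) so that key_is_encrypted can be tried without generating anything.
write_sample_keys() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' '' \
        'QUJDREVG' '-----END RSA PRIVATE KEY-----' > "$1/encrypted_key.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUJDREVG' \
        '-----END RSA PRIVATE KEY-----' > "$1/server_key.pem"
}

# check_logstash_cert KEY CERT HOST: reports each check, returns 1 on a SAN mismatch.
check_logstash_cert() {
    rc=0
    if key_is_encrypted "$1"; then
        echo "NOTE  $1 is passphrase-protected: unattended restarts will stop at the prompt"
    else
        echo "NOTE  $1 is unencrypted: restrict it with file permissions (chmod 600)"
    fi
    if cert_has_san_host "$2" "$3"; then
        echo "OK    $2 lists DNS:$3 in subjectAltName"
    else
        echo "FAIL  $2 does not list DNS:$3; clients will log a host-name mismatch"
        rc=1
    fi
    return $rc
}
if [ "$#" -ge 3 ]; then check_logstash_cert "$@"; fi
```

Run it as `sh check_logstash_cert.sh server_key.pem server_crt.pem nc12345.example.com` after the procedure, using the host name you put in the DNS entries of the alt_names section.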