Creating a self-signed server certificate

After you create the repository and basic configuration, the next step is to create a self-signed certificate for the Logstash server.

About this task

As part of this procedure, you choose whether the private key of your certificate stays encrypted with a passphrase or not. Encryption is the most secure approach. If encryption is enabled, the passphrase is required every time an SSL application requests the certificate.

However, this requirement can cause problems during automated starts and restarts, where the passphrase is required but cannot be entered. To avoid this problem, you can decrypt the private key. If you do so, SSL applications can use the certificate without requesting the passphrase. This decision involves a trade-off between security and convenience of operation.

Procedure

  1. Create a file called logstash-server.cnf in the /etc/pki/tls/myCA/ directory.
  2. Edit the logstash-server.cnf file and add the following text. Ensure that you use the correct values for your environment. The commonName must match the host name of the server that you want to use the key for. If the names do not match, errors are logged by the client applications that access the server. Save the file.
    
    ########################################
    #
    # logstash-server.cnf
    #
    ########################################
    [ req ]
    prompt                  = no
    distinguished_name      = server_distinguished_name
    req_extensions          = v3_req
    
    [ server_distinguished_name ]
    commonName              = <Server host name>
    stateOrProvinceName     = <State or province name>
    countryName             = <Country name>
    emailAddress            = <Email address>
    organizationName        = <Organization name>
    organizationalUnitName  = <Organizational unit name>
    
    [ v3_req ]
    basicConstraints        = CA:FALSE
    keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName          = @alt_names
    
    [ alt_names ]
    DNS.0                   = nc012345
    DNS.1                   = nc12345.example.com
    
    ########################################
    
  3. To set the OpenSSL environment variable, enter the following command:
    export OPENSSL_CONF=/etc/pki/tls/myCA/logstash-server.cnf
    This command makes the OpenSSL tool read its configuration from this file instead of the default configuration file. In this case, the file is in the /etc/pki/tls/myCA/ directory.
  4. To generate the temporary private key and the certificate request, enter the following command. Enter a passphrase when prompted.
    openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
    The output of this command is similar to the following:
    
    Generating a 1024 bit RSA private key
    ...++++++
    ...............++++++
    writing new private key to 'tempkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    
  5. Decide whether you want the private key to be encrypted or not.
    To convert the temporary private key into an unencrypted key, enter the following command. Enter the passphrase when prompted.
    openssl rsa < tempkey.pem > server_key.pem
    The following output is displayed:
    
    Enter pass phrase:
    writing RSA key
    
    Alternatively, to keep the key encrypted, rename the temporary key by entering the following command:
    mv tempkey.pem server_key.pem
    With an encrypted key, the passphrase is required every time the server is accessed.
  6. To change the OpenSSL environment variable so that it points to the CA configuration, enter the following command:
    export OPENSSL_CONF=/etc/pki/tls/myCA/caconfig.cnf
    This command makes the OpenSSL tool read the CA configuration file, caconfig.cnf, instead of the server configuration file. Both files are in the /etc/pki/tls/myCA/ directory.
  7. To sign the certificate request with your CA, enter the following command. Enter the CA key passphrase and confirm the certificate details when prompted.
    openssl ca -in tempreq.pem -out server_crt.pem
    The output is similar to the following:
    
    ca -in tempreq.pem -out server_crt.pem
    Using configuration from /etc/pki/tls/myCA/caconfig.cnf
    Enter pass phrase for /etc/pki/tls/myCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :PRINTABLE:'1.23.45.678'
    stateOrProvinceName   :PRINTABLE:'GA'
    countryName           :PRINTABLE:'US'
    emailAddress          :IA5STRING:'root@example.com'
    organizationName      :PRINTABLE:'Mine'
    organizationalUnitName:PRINTABLE:'Dev'
    Certificate is to be certified until Oct 13 17:10:54 2019 GMT (1825 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
  8. To remove the temporary request and key files, enter the following command:
    rm -f tempkey.pem && rm -f tempreq.pem
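The following shell functions are an added example, not part of the original procedure, for confirming the outcome of steps 5 and 7: whether server_key.pem is still passphrase protected, and whether server_crt.pem chains to the CA certificate and carries the host name in its subjectAltName. It assumes openssl is on PATH; make_fixture builds a throw-away CA and server certificate in a directory of your choice, substituting openssl x509 -req for openssl ca (so no CA database is needed) and using a constructed passphrase and host name.

```shell
#!/bin/sh
# Added post-procedure checks, not from the original page. Assumes openssl on PATH.
# Usage after steps 1-7: key_is_encrypted server_key.pem; verify_server_cert DIR HOST
# (DIR must hold cacert.pem and server_crt.pem). make_fixture DIR HOST builds a
# throw-away CA and server certificate so the checks can be tried without a real CA.

# Exit 0 if the PEM private key is still passphrase protected (step 5, "keep encrypted").
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Exit 0 if DIR/server_crt.pem chains to DIR/cacert.pem and its subjectAltName covers HOST.
verify_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/server_crt.pem" >/dev/null 2>&1
}

# Build fixtures in DIR for HOST. Passphrase "changeit" is a constructed test value.
make_fixture() {
    dir=$1; host=$2
    # Throw-away CA standing in for the page's CA (caconfig.cnf is not available here).
    printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[ dn ]' 'commonName = Test CA' '[ v3_ca ]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = keyCertSign, cRLSign' > "$dir/ca.cnf"
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -keyout "$dir/cakey.pem" \
        -out "$dir/cacert.pem" -days 1 >/dev/null 2>&1
    # Server request config modelled on logstash-server.cnf, with HOST filled in.
    printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' 'req_extensions = v3_req' \
        '[ dn ]' "commonName = $host" '[ v3_req ]' 'basicConstraints = CA:FALSE' \
        'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' \
        "subjectAltName = DNS:$host" > "$dir/server.cnf"
    # Step 4 without the prompt: passphrase given via -passout; 2048-bit key, not the page's 1024.
    openssl req -new -config "$dir/server.cnf" -newkey rsa:2048 -keyout "$dir/tempkey.pem" \
        -out "$dir/tempreq.pem" -passout pass:changeit >/dev/null 2>&1
    # Step 5, "unencrypted" branch: strip the passphrase into server_key.pem.
    openssl rsa -in "$dir/tempkey.pem" -passin pass:changeit -out "$dir/server_key.pem" >/dev/null 2>&1
    # Step 7 substitute: openssl x509 -req needs no CA index or serial file, unlike openssl ca.
    openssl x509 -req -in "$dir/tempreq.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -extfile "$dir/server.cnf" -extensions v3_req -days 1 \
        -out "$dir/server_crt.pem" >/dev/null 2>&1
}
```

The fixture uses a 2048-bit key rather than the 1024-bit key in step 4; 1024-bit RSA is below current minimum key-size recommendations, so verify_server_cert is the check to keep, not the key size of the fixture.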

Results

You created a self-signed server application certificate and key pair:
server_crt.pem
This file is the server application's certificate file.
server_key.pem
This file is the server application's key file.