Question & Answer
How do you create a 2048-bit self-signed certification on the Security Network IPS (GX) sensor?
Important: When performing administration tasks via ssh or local console, configuration changes made to your IBM appliance by any user other than admin could degrade appliance performance. Installing or activating other services or applications may also impact appliance performance or security. IBM Infrastructure Security Support will not support configuration changes made using the root user account unless specifically directed by a support engineer or IBM documentation. The following DCF Technote content is supported. Any further changes made that are not included in this document will place your product into an unsupported state and IBM product support may require you to reimage your appliance to restore it to a supported state.
A vulnerability scan of the IBM Security Network Intrusion Prevention System reports a security warning that the self-signed certificate is less than 2048 (the default self-signed certificate for this device is 1024-bit).
Reference: Nessus Plug In ID 69551 - SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
To alleviate this security warning, a new certificate can be created manually. Follow the instructions below to do this:
- SSH into the device as root.
- Make a backup of the current certificate and key:
cp /etc/apache2/ssl.crt/server_lmi.crt /etc/apache2/ssl.crt/server_lmi.crt.old
cp /etc/apache2/ssl.key/server_lmi.key /etc/apache2/ssl.key/server_lmi.key.old
- Make a temporary directory:
mkdir keys && cd keys
- Run the following command to generate the 2048-bit key:
openssl genrsa -out domain.key 2048
- Once that command is complete, run the following command to generate the certificate signing request (CSR) and certificate key:
openssl req -new -nodes -key domain.key -out domain.csr
Note: The common name of the form above is the important part. You need to enter the device's hostname in this field. The other fields are optional and can be left blank.
- Once complete, create the self-signed certificate from the certificate-signing request (.csr file):
openssl x509 -req -days 3650 -in domain.csr -signkey domain.key -out domain.crt
- Delete the certificate-signing request:
rm -rf domain.csr
- Rename and copy the key:
mv domain.key /etc/apache2/ssl.key/server_lmi.key
- Then, enter y to overwrite.
- Copy the certificate:
mv domain.crt /etc/apache2/ssl.crt/server_lmi.crt
- Enter y to overwrite.
- Restart the apache service:
service apache2-lmi restart
16 June 2018