<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html><head><title>TLS-protected syslog: generating the machine certificate</title> </head> <body> <h1>Encrypting Syslog Traffic with TLS (SSL)</h1> <p><small><i>Written by <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer Gerhards</a> (2008-06-18)</i></small></p> <ul> <li><a href="rsyslog_secure_tls.html">Overview</a> <li><a href="tls_cert_scenario.html">Sample Scenario</a> <li><a href="tls_cert_ca.html">Setting up the CA</a> <li><a href="tls_cert_machine.html">Generating Machine Certificates</a> <li><a href="tls_cert_server.html">Setting up the Central Server</a> <li><a href="tls_cert_client.html">Setting up syslog Clients</a> <li><a href="tls_cert_udp_relay.html">Setting up the UDP syslog relay</a> <li><a href="tls_cert_summary.html">Wrapping it all up</a> </ul> <h3>generating the machine certificate</h3> <p>In this step, we generate certificates for each of the machines. Please note that both clients and servers need certificates. The certificate identifies each machine to the remote peer. The DNSName specified inside the certificate can be specified inside the $&lt;object&gt;PermittedPeer config statements. <p>For now, we assume that a single person (or group) is responsible for the whole rsyslog system and thus it is OK if that single person is in possession of all machines' private keys. This simplification permits us to use a somewhat less complicated way of generating the machine certificates. So, we generate both the private and public key on the CA (which is NOT a server!) and then copy them over to the respective machines. 
<p>If the roles of machine and CA administrators are split, the private key must be generated by the machine administrator. This is done via a certificate request. This request is then sent to the CA admin, who in turn generates the certificate (containing the public key). The CA admin then sends back the certificate to the machine admin, who installs it. That way, the CA admin never gets hold of the machine's private key. Instructions for this mode will be given in a later revision of this document. <p><b>In any case, it is vital that the machine's private key is protected. Anybody able to obtain that private key can impersonate the machine to which it belongs, thus breaching your security.</b> <h3>Sample Screen Session</h3> <p>Text in red is user input. Please note that for some questions, there is no user input given. This means the default was accepted by simply pressing the enter key. <p><b>Please note:</b> you need to substitute the names specified below with values that match your environment. Most importantly, machine.example.net must be replaced by the actual name of the machine that will be using this certificate. For example, if you generate a certificate for a machine named "server.example.com", you need to use that name. If you generate a certificate for "client.example.com", you need to use this name. Make sure that each machine certificate has a unique name. If not, you cannot apply proper access control. <code><pre> [root@rgf9dev sample]# <font color="red">certtool --generate-privkey --outfile key.pem --bits 2048</font> Generating a 2048 bit RSA private key... [root@rgf9dev sample]# <font color="red">certtool --generate-request --load-privkey key.pem --outfile request.pem</font> Generating a PKCS #10 certificate request... 
Country name (2 chars): <font color="red">US</font> Organization name: <font color="red">SomeOrg</font> Organizational unit name: <font color="red">SomeOU</font> Locality name: <font color="red">Somewhere</font> State or province name: <font color="red">CA</font> Common name: <font color="red">machine.example.net</font> UID: Enter a dnsName of the subject of the certificate: Enter the IP address of the subject of the certificate: Enter the e-mail of the subject of the certificate: Enter a challange password: Does the certificate belong to an authority? (y/N): <font color="red">n</font> Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): Will the certificate be used for encryption (RSA ciphersuites)? (y/N): Is this a TLS web client certificate? (y/N): <font color="red">y</font> Is this also a TLS web server certificate? (y/N): <font color="red">y</font> [root@rgf9dev sample]# <font color="red">certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem</font> Generating a signed certificate... Enter the certificate's serial number (decimal): Activation/Expiration time. The certificate will expire in (days): 1000 Extensions. Do you want to honour the extensions from the request? (y/N): Does the certificate belong to an authority? (Y/N): <font color="red">n</font> Is this a TLS web client certificate? (Y/N): <font color="red">y</font> Is this also a TLS web server certificate? (Y/N): <font color="red">y</font> Enter the dnsName of the subject of the certificate: <font color="red">machine.example.net</font> <i>{This is the name of the machine that will use the certificate}</i> Enter the IP address of the subject of certificate: Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/N): Will the certificate be used for encryption (RSA ciphersuites)? 
(Y/N): X.509 Certificate Information: Version: 3 Serial Number (hex): 485a3819 Validity: Not Before: Thu Jun 19 10:42:54 UTC 2008 Not After: Wed Mar 16 10:42:57 UTC 2011 Subject: C=US,O=SomeOrg,OU=SomeOU,L=Somewhere,ST=CA,CN=machine.example.net Subject Public Key Algorithm: RSA Modulus (bits 2048): b2:4e:5b:a9:48:1e:ff:2e:73:a1:33:ee:d8:a2:af:ae 2f:23:76:91:b8:39:94:00:23:f2:6f:25:ad:c9:6a:ab 2d:e6:f3:62:d8:3e:6e:8a:d6:1e:3f:72:e5:d8:b9:e0 d0:79:c2:94:21:65:0b:10:53:66:b0:36:a6:a7:cd:46 1e:2c:6a:9b:79:c6:ee:c6:e2:ed:b0:a9:59:e2:49:da c7:e3:f0:1c:e0:53:98:87:0d:d5:28:db:a4:82:36:ed 3a:1e:d1:5c:07:13:95:5d:b3:28:05:17:2a:2b:b6:8e 8e:78:d2:cf:ac:87:13:15:fc:17:43:6b:15:c3:7d:b9 Exponent: 01:00:01 Extensions: Basic Constraints (critical): Certificate Authority (CA): FALSE Key Purpose (not critical): TLS WWW Client. TLS WWW Server. Subject Alternative Name (not critical): DNSname: machine.example.net Subject Key Identifier (not critical): 0ce1c3dbd19d31fa035b07afe2e0ef22d90b28ac Authority Key Identifier (not critical): fbfe968d10a73ae5b70d7b434886c8f872997b89 Other Information: Public Key Id: 0ce1c3dbd19d31fa035b07afe2e0ef22d90b28ac Is the above information ok? (Y/N): <font color="red">y</font> Signing certificate... 
[root@rgf9dev sample]# <font color="red">rm -f request.pem</font> [root@rgf9dev sample]# <font color="red">ls -l</font> total 16 -r-------- 1 root root 887 2008-06-19 12:33 ca-key.pem -rw-r--r-- 1 root root 1029 2008-06-19 12:36 ca.pem -rw-r--r-- 1 root root 1074 2008-06-19 12:43 cert.pem -rw-r--r-- 1 root root 887 2008-06-19 12:40 key.pem [root@rgf9dev sample]# # it may be a good idea to rename the files to indicate where they belong to [root@rgf9dev sample]# <font color="red">mv cert.pem machine-cert.pem</font> [root@rgf9dev sample]# <font color="red">mv key.pem machine-key.pem</font> [root@rgf9dev sample]# </pre></code> <h3>Distributing Files</h3> <p>Provide the machine with: <ul> <li>a copy of ca.pem <li>cert.pem (renamed to machine-cert.pem above) <li>key.pem (renamed to machine-key.pem above) </ul> <p>This is how the relevant part of rsyslog.conf looks on the target machine: <p> <code><pre> $DefaultNetstreamDriverCAFile /home/rger/proj/rsyslog/sample/ca.pem $DefaultNetstreamDriverCertFile /home/rger/proj/rsyslog/sample/machine-cert.pem $DefaultNetstreamDriverKeyFile /home/rger/proj/rsyslog/sample/machine-key.pem </pre></code> <p><b><font color="red">Never</font> provide anyone with ca-key.pem!</b> Also, make sure nobody but the machine in question gets hold of key.pem. Note that in the sample listing above key.pem has mode -rw-r--r-- and is therefore readable by every local user, whereas ca-key.pem is -r--------. Restrict the machine key to its owner as well (for example <code>chmod 400 machine-key.pem</code>), both on the CA and on the target machine, and copy it to the machine only over an encrypted channel. <h2>Copyright</h2> <p>Copyright (c) 2008 <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer Gerhards</a> and <a href="http://www.adiscon.com/en/">Adiscon</a>.</p> <p> Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be viewed at <a href="http://www.gnu.org/copyleft/fdl.html">http://www.gnu.org/copyleft/fdl.html</a>.</p> </body></html>