syslog-ng Premium Edition 7.0.14 - Mutual authentication using TLS

Creating a client certificate

The following describes how to create a client certificate.

To create a client certificate

  1. The steps for the client(s) are very similar to those for the server certificate; only the file names and the embedded Common Name (the host identifier: FQDN or IP address) differ. If you have multiple clients, make sure that each certificate carries the host identifier of its own client.

    openssl req -nodes -new -x509 -keyout clientkey.pem -out clientreq.pem -days 365 -config openssl.cnf

  2. The following will be displayed. Answer the questions as in the example:

    Generating a 1024 bit RSA private key
    .................................................................................++++++
    ...............................++++++
    writing new private key to 'clientkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:HU
    State or Province Name (full name) [Some-State]:Budapest
    Locality Name (eg, city) []:Budapest
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mycompany
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:172.16.177.129
    Email Address []:
    
    example@linux-modi:~/CA> openssl x509 -x509toreq -in clientreq.pem -signkey clientkey.pem -out tmp.pem
    Getting request Private Key
    Generating certificate request
    example@linux-modi:~/CA> openssl ca -config openssl.cnf -policy policy_anything -out clientcert.pem -infiles tmp.pem
    Using configuration from openssl.cnf
    Enter pass phrase for ./private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 2 (0x2)
            Validity
                Not Before: Jun 25 10:28:49 2014 GMT
                Not After : Jun 25 10:28:49 2015 GMT
            Subject:
                countryName               = HU
                stateOrProvinceName       = Budapest
                localityName              = Budapest
                organizationName          = Mycompany
                commonName                = 172.16.177.129
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    91:D9:99:95:F2:0D:22:BF:72:95:56:9A:C0:DF:A3:07:5C:E2:3F:63
                X509v3 Authority Key Identifier:
                    keyid:D1:FF:ED:B4:0B:66:E6:45:EE:70:4F:DC:6C:C5:34:48:42:38:E9:38
    
    Certificate is to be certified until Jun 25 10:28:49 2015 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
  3. Enter the following:

    rm tmp.pem
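
The procedure above, as an added example that is not part of the syslog-ng PE documentation: a POSIX shell function that issues one client certificate per host identifier without the interactive prompts, then performs the checks worth doing before the files are copied to the client. It assumes the CA layout the page's openssl.cnf refers to (cacert.pem, private/cakey.pem, index.txt, serial and newcerts/ under the CA directory, a policy_anything section) and it asks openssl req for a CSR directly instead of going through the self-signed certificate and the x509toreq conversion shown above; the function name, the 2048-bit key size and the C/ST/L/O values are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the syslog-ng PE documentation): issue a client
# certificate non-interactively for one host identifier and check the result.
# Assumes the CA directory holds openssl.cnf (with dir = . and a
# policy_anything section), cacert.pem, private/cakey.pem, index.txt, serial
# and newcerts/. Function and variable names are this example's own.
set -eu

# issue_client_cert HOST_ID CA_DIR [OUT_DIR]
#   HOST_ID  FQDN or IP address that becomes the certificate's Common Name
#   CA_DIR   directory holding openssl.cnf and the CA files
#   OUT_DIR  where clientkey.pem and clientcert.pem are written (default: CA_DIR)
issue_client_cert() {
    host_id=$1
    ca_dir=$2
    out_dir=$(cd "${3:-$ca_dir}" && pwd) || return 1
    key="$out_dir/clientkey.pem"
    csr="$out_dir/clientreq.pem"
    cert="$out_dir/clientcert.pem"

    # Unencrypted RSA key plus a CSR whose CN is the host identifier. -subj
    # replaces the prompts shown on the page; C, ST, L and O are sample values.
    openssl req -nodes -new -newkey rsa:2048 \
        -keyout "$key" -out "$csr" \
        -subj "/C=HU/ST=Budapest/L=Budapest/O=Mycompany/CN=$host_id" \
        -config "$ca_dir/openssl.cnf" || return 1

    # Sign with the CA. -batch answers the "Sign the certificate?" and
    # "commit?" questions; an encrypted CA key still prompts for its
    # passphrase. -notext keeps the human-readable dump out of the PEM file.
    # Run from CA_DIR because openssl.cnf resolves its paths relative to dir.
    ( cd "$ca_dir" && openssl ca -batch -config openssl.cnf -notext \
          -policy policy_anything -out "$cert" -infiles "$csr" ) || return 1

    # The request is no longer needed (the page's "rm tmp.pem" step).
    rm -f "$csr"

    # Checks before the files leave this machine:
    # 1. the certificate chains to the CA that syslog-ng will trust,
    # 2. key and certificate belong together,
    # 3. the CN really is the intended host identifier.
    openssl verify -CAfile "$ca_dir/cacert.pem" "$cert" >/dev/null || return 1
    [ "$(openssl pkey -in "$key" -pubout)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey)" ] || return 1
    openssl x509 -in "$cert" -noout -subject | grep -q -e "CN *= *$host_id"
}
```

Run it once per client, for example `issue_client_cert client1.example.com /home/example/CA`, giving each client its own host identifier as step 1 requires; the resulting clientkey.pem and clientcert.pem are the files the client configuration below expects in cert.d.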

Configuring syslog-ng PE

Once you have generated the CA, server and client certificates, copy them to the respective machines and configure syslog-ng PE to use them. In theory, the CA and other certificates could be placed anywhere in the file system. In practice, server applications such as syslog-ng PE are often confined by AppArmor, SELinux or similar mechanisms, so it is recommended to create sub-directories where the syslog-ng.conf resides. This way syslog-ng PE can read the certificates without changes to the related access rules.

Configuring the syslog-ng PE server

In the following example syslog-ng.conf is under /usr/local/etc/syslog-ng, but it could be /opt/syslog-ng/etc/, /etc/syslog-ng/ or any other directory on your system, so adapt the configuration example accordingly.

To configure the syslog-ng PE server

  1. As a first step, create two new directories under the syslog-ng PE configuration directory:

    mkdir cert.d ca.d

  2. Copy serverkey.pem and servercert.pem to cert.d. Copy cacert.pem to ca.d, then run the following command on it:

    openssl x509 -noout -hash -in cacert.pem

    The result is a hash (for example 6d2962a8): eight hexadecimal characters derived from the Subject (Distinguished Name) of the certificate. OpenSSL locates CA certificates in a directory by this hash, which is why the link created in the next step must be named after it.

  3. Issue the following command to create a symbolic link to the certificate, named after the hash returned by the previous command with the .0 suffix:

    ln -s cacert.pem 6d2962a8.0

  4. Adapt the following configuration example in your syslog-ng.conf by changing the IP address, port and directory parameters to your local environment. In the log statement, replace “d_local” with an actual log destination name from your configuration (for example the one that refers to /var/log/messages).

    source demo_tls_source {
        network(
            ip(0.0.0.0)
            port(6514)
            transport("tls")
            tls(
                key_file("/usr/local/etc/syslog-ng/cert.d/serverkey.pem")
                cert_file("/usr/local/etc/syslog-ng/cert.d/servercert.pem")
                ca_dir("/usr/local/etc/syslog-ng/ca.d")
            )
        );
    };
    
    log {
        source(demo_tls_source);
        destination(d_local);
    };
  5. Finally, restart syslog-ng PE for the configuration changes to take effect.

Configuring syslog-ng PE clients

Configuring the client side is similar to the server; the difference is in the configuration part. In the following example syslog-ng.conf is under /etc/syslog-ng, but it could be /opt/syslog-ng/etc/, /usr/local/etc/syslog-ng/ or any other directory on your system, so adapt the configuration example accordingly.

To configure syslog-ng PE clients

  1. As a first step, create two new directories under the syslog-ng PE configuration directory:

    mkdir cert.d ca.d

  2. Copy clientkey.pem and clientcert.pem to cert.d. Copy cacert.pem to ca.d, then run the following command on it:

    openssl x509 -noout -hash -in cacert.pem

    The result is a hash (for example 6d2962a8): eight hexadecimal characters derived from the Subject (Distinguished Name) of the certificate. OpenSSL locates CA certificates in a directory by this hash, which is why the link created in the next step must be named after it.

  3. Issue the following command to create a symbolic link to the certificate, named after the hash returned by the previous command with the .0 suffix:

    ln -s cacert.pem 6d2962a8.0

  4. Adapt the following configuration example in your syslog-ng.conf by changing the IP address, port and directory parameters to your local environment. In the log statement, replace “src” with an actual log source name from your configuration.

    destination demo_tls_destination {
        network("172.16.177.147"
            port(6514)
            transport("tls")
            tls(
                ca_dir("/etc/syslog-ng/ca.d")
                key_file("/etc/syslog-ng/cert.d/clientkey.pem")
                cert_file("/etc/syslog-ng/cert.d/clientcert.pem")
            )
        );
    };
    
    log { source(src); destination(demo_tls_destination); };
  5. Finally, restart syslog-ng PE for the configuration changes to take effect.
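
Steps 2 and 3 of the server and client procedures above (the hash-named link in ca.d), as an added example that is not part of the syslog-ng PE documentation: a POSIX shell function that builds the ca.d directory for any number of CA certificates, handling the case where two CAs hash to the same name, and a second function that checks a peer certificate against that directory the way an OpenSSL hash-directory lookup, which is what ca_dir() relies on, will see it. The function names are this example's own; the directory and file names follow the page.

```shell
#!/bin/sh
# Added example (not from the syslog-ng PE documentation): populate ca.d with
# <subject-hash>.N links and verify a certificate against it. Function and
# variable names are this example's own.
set -eu

# rehash_ca_dir CA_DIR
#   For every *.pem in CA_DIR create a <subject-hash>.N symlink. N starts at 0
#   and is raised while that name already belongs to a different file, which
#   is how OpenSSL tells apart CAs whose subject names hash to the same value.
#   Re-running is safe: an existing link to the same file is left alone.
rehash_ca_dir() {
    ca_d=$1
    for pem in "$ca_d"/*.pem; do
        [ -e "$pem" ] || continue           # no *.pem at all: glob stays literal
        name=$(basename "$pem")
        hash=$(openssl x509 -noout -hash -in "$pem") || return 1
        n=0
        while [ -e "$ca_d/$hash.$n" ]; do
            if [ "$(readlink "$ca_d/$hash.$n")" = "$name" ]; then
                continue 2                  # already linked: next certificate
            fi
            n=$((n + 1))
        done
        # Relative target, so the directory can be copied to another host as is.
        ln -s "$name" "$ca_d/$hash.$n" || return 1
    done
}

# verify_against_ca_dir CA_DIR CERT
#   Succeeds only if CERT chains to a CA reachable through the <hash>.N names
#   in CA_DIR. -no-CAfile and -no-CApath keep OpenSSL's default CA file and
#   directory out of the check (on OpenSSL 3 add -no-CAstore as well), so a
#   missing or stale link fails here instead of at the first TLS handshake.
verify_against_ca_dir() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null
}
```

Typical use on a client is `rehash_ca_dir /etc/syslog-ng/ca.d` followed by `verify_against_ca_dir /etc/syslog-ng/ca.d /etc/syslog-ng/cert.d/clientcert.pem`; the same two calls with the server paths cover the server side. To exercise the complete mutual handshake against a running server, `openssl s_client -connect 172.16.177.147:6514 -CApath /etc/syslog-ng/ca.d -cert /etc/syslog-ng/cert.d/clientcert.pem -key /etc/syslog-ng/cert.d/clientkey.pem -verify_return_error` must report a verify return code of 0 and stay connected; a server that rejects the client certificate closes the connection during the handshake.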
