To generate a TSA certificate with Windows Certificate Authority (CA) that works with syslog-ng Store Box (SSB), generate a CSR (certificate signing request) on a computer running OpenSSL and sign it with Windows CA, then import this certificate into SSB for timestamping.
A valid configuration file for OpenSSL with the following extensions:
[ tsa_cert ] extendedKeyUsage = critical,timeStamping
You can copy /etc/xcb/openssl-ca.cnf from SSB to the computer that will be used for signing. Rename the file to openssl-temp.cnf.
The TSA certificate is considered valid, in terms of compatibility with SSB, if the following conditions are met:
Must be a valid CA certificate (CA is true).
Key Usage: Time Stamping is required. No other key usage is permitted.
Extended Key Usage: Must be set to critical.
Optional Key Usage: If Key Usage is present, it must be digitalSignature and/or nonRepudiation. Other values are not permitted. Make sure that in Encryption, Allow key exchange without key encryption (key agreement) is selected.
|
Caution:
In Encryption, do NOT select Allow key exchange only with key encryption (key encipherment), because it will result in errors. |
The following X509v3 extensions are supported:
Hard requirement:
X509v3 Extended Key Usage must be critical, and must only contain Time Stamping.
Optional:
X509v3 Key Usage, if present, must be digitalSignature and/or nonRepudiation.
To generate TSA certificate with Windows Certificate Authority on Windows Server 2012
Create CSR using the new configuration file: openssl req -set_serial 0 -config openssl-temp.cnf -reqexts tsa_cert -new -newkey rsa:2048 -keyout timestamp.key -out timestamp.csr -nodes
Complete the required fields according to your environment:
Generating a 2048 bit RSA private key ........................+++ ......................................+++ writing new private key to 'timestamp.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:HU State or Province Name (full name) []:Budapest Locality Name (eg, city) []:Budapest Organization Name (eg, company) [Internet Widgits Pty Ltd]:BalaBit IT Security Organizational Unit Name (eg, section) []:Service Delivery Common Name (eg, YOUR name) []:scb35-1-i1.tohuvabohu.balabit Email Address []:vlad@balabit.com
Create and configure a time stamping web server template in the Certificate Authority, and use that to generate the TSA certificate.
Start the Certification Authority Microsoft Management Console, and select the CA server.
Right-click Certificate Templates, and choose Manage.
Figure 85: Managing certificate templates
The Certificate Templates Console opens.
Right-click the Web Server template, and choose Duplicate Template.
Figure 86: Duplicating a Template
The Properties of New Template window is displayed.
Make the following changes to the new template:
On the General tab, change the Template display name to TSA.
Figure 87: Creating the new template
On the Request Handling tab, enable the Allow private key to be exported option.
On the Extensions tab, make the following changes:
Select Application Policies and click Edit below the list of extensions.
Figure 88: Editing Application Policies
Select Server Authentication and click Remove.
Figure 89: Removing Server Authentication
Click Add, select Time Stamping and click OK.
Figure 90: Adding Time Stamping
Select Time Stamping and enable the Make this extension critical option, then click OK.
Figure 91: Making Time Stamping critical
Time Stamping and Critical extension are listed in the Description of Application Policies.
Figure 92: Description of Application Policies
Select Key usage, click Edit. Enable the Signature is proof of origin (nonrepudiation) option.
Select Allow key exchange without key encryption (key agreement).
Click OK.
Figure 93: Editing Key Usage
The following are listed in the Description of Key Usage.
Figure 94: Description of Key Usage
On the Security tab, select Authenticated Users, and set Enroll to Allowed.
Figure 95: Configuring permissions for the template
Click Apply. Click OK. The new TSA template is now displayed in the list of templates.
Figure 96: The new TSA template is now displayed in the list of templates
Close this window and return to the Certification Authority main screen, and select the Certificate Templates folder.
Figure 97: Certificate Templates
Right-click under the list, and choose New > Certificate Template to Issue.
Figure 98: Certificate Template to Issue
The Enable Certificate Templates window is displayed.
Figure 99: Enable the new template
Select the TSA certificate template, and choose OK. Close this window.
Open the command line, and issue the following command:
certreq -submit -attrib "CertificateTemplate:TSA" <CSR>
Replace <CSR> with the full path of the CSR created earlier (in the second step).
The Certification Authority List is displayed. Select the CA.
The Save Certificate window is displayed. Choose an output folder.
The certificate is generated to the specified folder.
In SSB, navigate to Basic Settings > Management > SSL certificate.
Click next to TSA X.509 certificate, browse for the previously generated certificate, and click Upload.
Click next to TSA private key, browse for the previously generated key, and click Upload.
If the root CA (the CA X.509 certificate field under Basic Settings > Management > SSL certificate) that is used for other certificates on SSB is different from the CA that was used to sign the TSA certificate, a warning is displayed. In this scenario, ignore this warning.
The syslog-ng Store Box (SSB) application can use a list of host and network addresses at a number of places, for example for limiting the client that can send log messages to a log source, or the hosts that can access shared logspaces.
For details on how to create a new hostlist, see Creating hostlists.
For details on how to import hostlists from a file, see Importing hostlists from files.
This section describes how to create a new hostlist.
To create a new hostlist
Navigate to Policies > Hostlists and select .
Enter a name for the hostlist (for example servers).
Figure 100: Policies > Hostlists — Creating hostlists
Enter the IP address of the permitted host into the Match > Address field. You can also enter a network address in the IP address/netmask format (for example 192.168.1.0/24). To add more addresses, click and repeat this step.
To add hosts that are excluded from the list, enter the IP address of the denied host into the Ignore > Address field.
To add every address except for a few specific hosts or networks to the list, add the 0.0.0.0/0 network to the Match list, and the denied hosts or networks to the Ignore list.
Click .
NOTE: If you modify a hostlist, you only need to restart syslog-ng if a host, which is already connected, needs to be ignored with a hostlist. Navigate to Basic Settings > System > Service control > Syslog traffic, indexing & search: and select Restart syslog-ng for the changes to take effect.
This section describes how to import hostlists from a text file.
To import hostlists from a text file
Create a plain text file containing the hostlist policies and IP addresses to import. Every line of the file will add an IP address or network to a policy. Use the following format:
name_of_the_policy;match
or
ignore;IP address
For example, a policy that ignores the 192.168.5.5 IP address and another one that matches on the 10.70.0.0/24 subnet, use:
policy1;ignore;192.168.5.5 policy2;match;10.70.0.0/24
To add multiple addresses or subnets to the same policy, list every address or subnet in a separate line, for example:
policy1;ignore;192.168.7.5 policy1;ignore;192.168.5.5 policy1;match;10.70.0.0/24
Navigate to Policies > Hostlists > Import from file > Browse and select the text file containing the hostlist policies to import.
Figure 101: Policies > Hostlists — Importing hostlists
If you are updating existing policies and want to add new addresses to them, select Append.
If you are updating existing policies and want to replace the existing addresses with the ones in the text file, select Replace.
Click Upload, then .
NOTE: If you modify a hostlist, you only need to restart syslog-ng if a host, which is already connected, needs to be ignored with a hostlist. Navigate to Basic Settings > System > Service control > Syslog traffic, indexing & search: and select Restart syslog-ng for the changes to take effect.
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy