Chat now with support
Chat with Support

syslog-ng Store Box 6.3.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB

Uploading external certificates to SSB

Upload a certificate generated by an external PKI system to syslog-ng Store Box (SSB).

The certificate to upload. For the TSA and Server certificate, the private key of the certificate is needed as well. The certificates must meet the following requirements:


RSA-PSS certificates that use the RSASSA-PSS signature algorithm are currently not supported in SSB. Typically, the Active Directory - Certificate Services (AD CS) of Windows servers generate such certificates when using PKCS #1 v2.1 signatures. Do not upload such certificates. Uploading such certificates causes the SSB web interface to become inaccessible.

One Identity recommends to configure your PKI systems to use an alternate signature format, for example, use the SHA256RSA signature algorithm instead.

  • SSB accepts certificates in PEM format. The DER format is currently not supported.

  • SSB accepts private keys in PEM (RSA and DSA), PUTTY, and SSHCOM/Tectia format. Password-protected private keys are also supported.


    The syslog-ng Store Box (SSB) application accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[]^-`{|}

    For the internal CA certificate of SSB, uploading the private key is not required.

  • One Identity recommends:

    • Using 2048-bit RSA keys (or stronger).

    • Using the SHA-256 hash algorithm (or stronger) when creating the public key fingerprint.

  • For the TSA certificate, the X509v3 Extended Key Usage attribute must be enabled and set to critical. Also, its default value must be set to Time Stamping.

  • For the Server certificate, the X509v3 Extended Key Usage attribute must be enabled and its default value set to TLS Web Server Authentication. Also, the Common Name of the certificate must contain the domain name or the IP address of the SSB host. If the web interface is accessible from multiple interfaces or IP addresses, list every IP address using the Subject Alt Name option.

One Identity recommends using 2048-bit RSA keys (or stronger).

To upload a certificate generated by an external PKI system to SSB

  1. Navigate to Basic Settings > Management > SSL certificate.

  2. To upload a new certificate, click next to the certificate you want to modify. A pop-up window is displayed.

    Figure 79: Basic Settings > Management > SSL certificate — Uploading certificates

    Select Browse, select the file containing the certificate, and click Upload. Alternatively, you can also copy-paste the certificate into the Certificate field and click Set.

    You can choose to upload a single certificate or a certificate chain (that is, intermediate certificates and the end-entity certificate).

    After uploading a certificate or certificate chain, you can review details by clicking the name of the certificate, and looking at the information displayed in the pop-up window that comes up.

    Figure 80: Log > Options > TLS settings — X.509 certificate details

    The pop-up window allows you to:

    • Download the certificate or certificate chain.


      Certificate chains can only be downloaded in PEM format.

    • View and copy the certificate or certificate chain.

    • Check the names and the hierarchy of certificates (if it is a certificate chain and there is more than one certificate present).

      On hovering over a certificate name, the subject of the certificate is displayed, describing the entity certified.

    • Check the validity dates of the certificate or certificates making up the chain.

      On hovering over a particular date, the exact time of validity is also displayed.

    After uploading the certificate or certificate chain, the presence or absence of the string (chain) displayed after the name of the certificate will indicate whether the certificate is a certificate chain or a single certificate.

  3. To upload the private key corresponding to the certificate, click icon. A pop-up window is displayed.

    Select Browse, select the file containing the private key, provide the Password if the key is password-protected, and click Upload. Alternatively, you can also copy-paste the private key into the Key field, provide the Password there, and click Set.

    Expected result:

    The new certificate is uploaded. If you receive the Certificate issuer mismatch error message after importing a certificate, you must import the CA certificate which signed the certificate as well (the private key of the CA certificate is not mandatory).


    To download previously uploaded certificates, click on the certificate and download the certificate in one single PEM or DER file.

    Note that certificate chains can only be downloaded in PEM format.

Related Documents