Upload a certificate generated by an external PKI system to syslog-ng Store Box (SSB).

You need the certificate to upload. For the TSA and Server certificates, the private key of the certificate is needed as well. The certificates must meet the following requirements:

  • SSB accepts certificates in PEM format. The DER format is currently not supported.

  • SSB accepts private keys in PEM (RSA and DSA), PUTTY, and SSHCOM/Tectia format. Password-protected private keys are also supported.

    NOTE: The syslog-ng Store Box (SSB) appliance accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[]^-`{|}

    For the internal CA certificate of SSB, uploading the private key is not required.

  • One Identity recommends:

    • Using 2048-bit RSA keys (or stronger).

    • Using the SHA-256 hash algorithm (or stronger) when creating the public key fingerprint.

  • For the TSA certificate, the X509v3 Extended Key Usage attribute must be enabled and set to critical. Also, its default value must be set to Time Stamping.

  • For the Server certificate, the X509v3 Extended Key Usage attribute must be enabled and its default value set to TLS Web Server Authentication. Also, the Common Name of the certificate must contain the domain name or the IP address of the SSB host. If the web interface is accessible from multiple interfaces or IP addresses, list every IP address using the Subject Alt Name option.

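As an added pre-upload check (this is example code, not part of the SSB product or of the One Identity documentation), the following POSIX shell script verifies a PEM certificate against the requirements above using the openssl command-line tool; the `check_ssb_cert` function, its role and host arguments, and the file names are this example's own assumptions.

```shell
#!/bin/sh
# Pre-upload check for an SSB certificate (added example, not One Identity code).
# Usage: check_ssb_cert CERT.pem server HOSTNAME_OR_IP  |  check_ssb_cert CERT.pem tsa
# Assumes the openssl command-line tool (1.1.1 or newer) is on the PATH.
# Exit status 0 when every requirement listed above holds, 1 on the first failure.

fail() { echo "FAIL: $1"; return 1; }

check_ssb_cert() {
  cert="$1"; role="$2"; host="$3"

  # PEM only: SSB rejects DER, so refuse anything openssl cannot parse as PEM.
  openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null || { fail "not a PEM certificate"; return 1; }
  text=$(openssl x509 -in "$cert" -inform PEM -noout -text)

  # Key strength: RSA keys of 2048 bits or stronger.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge 2048 ] || { fail "RSA key is ${bits:-unknown} bits, need >= 2048"; return 1; }

  # Signature hash: SHA-256 or stronger.
  printf '%s\n' "$text" | grep 'Signature Algorithm' | head -n 1 | grep -Eq 'sha(256|384|512)' \
    || { fail "signature hash weaker than SHA-256"; return 1; }

  # Extended Key Usage: the extension header line plus the value line under it.
  eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ { print; getline; print }')
  [ -n "$eku" ] || { fail "no X509v3 Extended Key Usage extension"; return 1; }

  case "$role" in
    tsa)   # TSA certificate: EKU must be critical and set to Time Stamping.
      printf '%s\n' "$eku" | grep -q 'critical'      || { fail "EKU is not critical"; return 1; }
      printf '%s\n' "$eku" | grep -q 'Time Stamping' || { fail "EKU is not Time Stamping"; return 1; }
      ;;
    server)   # Server certificate: EKU TLS Web Server Authentication, name matches the SSB host.
      printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication' \
        || { fail "EKU is not TLS Web Server Authentication"; return 1; }
      case "$host" in
        *[!0-9.]*) opt=-checkhost ;;   # DNS name: matched against SAN DNS entries, else the CN
        *)         opt=-checkip   ;;   # IP literal: matched against SAN IP Address entries
      esac
      openssl x509 -in "$cert" -noout "$opt" "$host" | grep -q 'does match' \
        || { fail "$host is not covered by the certificate's SAN/CN"; return 1; }
      ;;
    *) fail "role must be 'server' or 'tsa'"; return 1 ;;
  esac
  echo "OK: $cert meets the SSB $role certificate requirements"
}

if [ "$#" -ge 2 ]; then check_ssb_cert "$@"; fi
```

Run it once per web interface address when the SSB host is reachable on several names or IP addresses, since each must appear in the Subject Alt Name.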

To upload a certificate generated by an external PKI system to SSB

  1. Navigate to Basic Settings > Management > SSL certificate.

  2. To upload a new certificate, click the icon next to the certificate you want to modify. A pop-up window is displayed.

    Figure 86: Basic Settings > Management > SSL certificate — Uploading certificates

    Select Browse, select the file containing the certificate, and click Upload. Alternatively, you can also copy-paste the certificate into the Certificate field and click Set.

    You can choose to upload a single certificate or a certificate chain (that is, intermediate certificates and the end-entity certificate).

    After uploading a certificate or certificate chain, you can review details by clicking the name of the certificate, and looking at the information displayed in the pop-up window that comes up.

    Figure 87: Log > Options > TLS settings — X.509 certificate details

    The pop-up window allows you to:

    • Download the certificate or certificate chain.

      NOTE: Certificate chains can only be downloaded in PEM format.

    • View and copy the certificate or certificate chain.

    • Check the names and the hierarchy of certificates (if it is a certificate chain and there is more than one certificate present).

      On hovering over a certificate name, the subject of the certificate is displayed, describing the entity certified.

    • Check the validity dates of the certificate or certificates making up the chain.

      On hovering over a particular date, the exact time of validity is also displayed.

    After uploading the certificate or certificate chain, the presence or absence of the string (chain) displayed after the name of the certificate will indicate whether the certificate is a certificate chain or a single certificate.

  3. To upload the private key corresponding to the certificate, click the icon. A pop-up window is displayed.

    Select Browse, select the file containing the private key, provide the Password if the key is password-protected, and click Upload. Alternatively, you can also copy-paste the private key into the Key field, provide the Password there, and click Set.

    Expected result:

    The new certificate is uploaded. If you receive the Certificate issuer mismatch error message after importing a certificate, you must import the CA certificate which signed the certificate as well (the private key of the CA certificate is not mandatory).

    NOTE: To download previously uploaded certificates, click on the certificate and download the certificate in one single PEM or DER file.

    Note that certificate chains can only be downloaded in PEM format.