Skip to content

Latest commit

 

History

History
118 lines (91 loc) · 4.21 KB

SSLCertificateUtility.md

File metadata and controls

118 lines (91 loc) · 4.21 KB

SSL Certificate Utility

Overview

Log Courier provides a utility to help generate SSL certificates that can be used for basic TLS encryption between Log Courier and the target server (e.g. Logstash). This utility is lc-tlscert.

The utility is bundled with the packaged versions of Log Courier, and should be immediately available at the command-line. When building from source, the utility will be automatically built alongside the log-courier binary.

Usage

To generate a private key and certificate pair, run the lc-tlscert utility. You will receive a prompt like below.

Specify the Common Name for the certificate. The common name
can be anything, but is usually set to the server's primary
DNS name. Even if you plan to connect via IP address you
should specify the DNS name here.

Common name:

This should contain the fully-qualified DNS (FQDNS) of the server that will be receiving events. For example, logstash.corp.example.com.

The next step will be to enter the DNS names and IP addresses your Log Courier clients will use to connect to the server.

The next step is to add any additional DNS names and IP
addresses that clients may use to connect to the server. If
you plan to connect to the server via IP address and not DNS
then you must specify those IP addresses here.
When you are finished, just press enter.

DNS or IP address 1:

You must enter all possible IP addresses and DNS names that Log Courier may use. These are called Subject Alternate Names (SANs).

When Log Courier connects to the server using TLS it will look in the server's certificate to check it contains the IP address or DNS name it connected with. For example, if Log Courier was connecting to 192.168.0.1 it will expect the certificate to contain 192.168.0.1 in its IP SANs list. This is the same as how HTTPS works in your web browser. If you connect to www.google.co.uk your browser will expect the certificate coming from the server to contain www.google.co.uk in its DNS SANs list.

When you've finished, leaving the prompt empty and pressing enter will complete the process and you will be presented with a final question.

How long should the certificate be valid for? A year (365
days) is usual but requires the certificate to be regenerated
within a year or the certificate will cease working.

Number of days:

Here you should enter the number of days this certificate will be valid for. It is good practice to replace the certificate with a new one every year or so. By setting this value to a year it will ensure that any old certificate stops working shortly after the new one is applied. It also means if an intruder obtains the private key and certificate they can only make use of it until it expires.

Although not recommended, some opt for a 10 year certificate (3650 days) as it reduces the burden of replacing the certificate files on many many servers.

Once the number of days is provided, a summary will appear before the key and certificate pair is generated.

Common name: logstash.corp.example.com
DNS SANs:
    logstash.ext.example.com
    logstash.remote.example.com
IP SANs:
    192.168.0.1
    10.10.10.1
    200.201.202.203

The certificate can now be generated
Press any key to begin generating the self-signed certificate.

Press any key to generate the certificate. The process may take a few seconds to complete. When completed you will be presented with the following.

Successfully generated certificate
    Certificate: selfsigned.crt
    Private Key: selfsigned.key

Copy and paste the following into your Log Courier
configuration, adjusting paths as necessary:
    "transport": "tls",
    "ssl ca":    "path/to/selfsigned.crt",

Copy and paste the following into your LogStash configuration,
adjusting paths as necessary:
    ssl_certificate => "path/to/selfsigned.crt",
    ssl_key         => "path/to/selfsigned.key",

You will find the files selfsigned.crt and selfsigned.key in your current directory. selfsigned just means the certificate was generated by yourself, and not by a public certificate authority, which can be costly and is not at all required to setup Log Courier.