Created sec_adcs_certificates.rst #583
Jan requested that I describe my process of using ADCS to generate keys and certificates for the Graylog stack. This document is the first iteration of said documentation.
Looking good! Thanks for the fixes! I cannot approve them in Github, but please go ahead and include these.
Looks good. Still way more confusing than it should be, but the docs are good.
Generating the keypair and certificates - preparation
===============

The following instructions assume that you generate all the keypairs on a Windows administrative workstation, or on the issuing CA itself (meaning, you'll need that extra "*Allow the private key to be exported*" flag). You can of course generate all keys on the Graylog stack servers and then simply submit the CSR (certificate signing request) to the CA.
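Review bot: the default path described here (generate the key pairs on the admin workstation or on the issuing CA with "Allow the private key to be exported" set) means every Graylog component's private key exists on, and is copied off, a machine other than the one that will use it; the CSR route mentioned in the last sentence keeps each private key on the host that needs it. Consider presenting the CSR-on-the-Graylog-host route as the preferred option and the exportable-key route as the fallback, and note that the exported .PFX/.PEM copies should be deleted from the workstation once installed.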
Change "You can of course generate..." to "You can, of course, generate..."
Suggested change:
The following instructions assume that you generate all the keypairs on a Windows administrative workstation, or on the issuing CA itself (meaning, you'll need that extra "*Allow the private key to be exported*" flag). You can of course generate all keys on the Graylog stack servers and then simply submit the CSR (certificate signing request) to the CA.
The following instructions assume that you generate all the keypairs on a Windows administrative workstation, or on the issuing CA itself (meaning, you'll need that extra "*Allow the private key to be exported*" flag). You can, of course, generate all keys on the Graylog stack servers and then simply submit the CSR (certificate signing request) to the CA.
For some reason IExplore ignores the *ipaddress* field of the SAN (subject alternative name).
The above is only one of the needed .INF files; you will need one for each keypair being generated! So adjust all relevant fields and save each .INF file separately.
Please bold and italicize the sentence "you will need one for each keypair being generated!"
Suggested change:
The above is only one of the needed .INF files; you will need one for each keypair being generated! So adjust all relevant fields and save each .INF file separately.
The above is only one of the needed .INF files; **you will need one for each key pair being generated**! So adjust all relevant fields and save each .INF file separately.
Generating the keypair and certificates - execution
===============

As said, we're assuming that you're generating the keypairs on your Windows administration station. If you're generating the keypairs on the Graylog Linux hosts, then you will need to use different instructions.
This sentence is unclear. If you need to use different instructions, where can those instructions be found?
Suggested change:
As said, we're assuming that you're generating the keypairs on your Windows administration station. If you're generating the keypairs on the Graylog Linux hosts, then you will need to use different instructions.
As said, we're assuming that you're generating the keypairs on your Windows administration station. If you're generating the key pairs on the Graylog Linux hosts, then you will need to use OpenSSL instructions (`For example <https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs>`_).
type D:\secrets\graylog\rootca.pem > D:\secrets\graylog\cachain.pem
type D:\secrets\graylog\rootca.pem >> D:\secrets\graylog\cachain.pem

The resulting cachain.pem file can be used in all Graylog stack applications for inclusion in the trust store. You will probably need to run the file through **dos2unix** first though, to fix line endings.
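Review bot: both `type` commands read `rootca.pem`, so `cachain.pem` ends up containing the root certificate twice and the issuing CA's certificate never makes it into the chain; the second line presumably should append the issuing CA certificate instead (something like `type D:\secrets\graylog\issuingca.pem >> D:\secrets\graylog\cachain.pem`, using whatever filename the earlier export step produced). It would also help to tell readers how to confirm the result after the dos2unix step, for example with `openssl crl2pkcs7 -nocrl -certfile cachain.pem | openssl pkcs7 -print_certs -noout`, which should list both the root and the issuing CA subjects exactly once.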
Might want to expand this. If you will probably need to do it, the guide should cover how.
Suggested change:
The resulting cachain.pem file can be used in all Graylog stack applications for inclusion in the trust store. You will probably need to run the file through **dos2unix** first though, to fix line endings.
The resulting cachain.pem file can be used in all Graylog stack applications for inclusion in the trust store. After uploading the file to Linux, you will need to run the file through **dos2unix** first, to fix line endings.
You've made some great comments, Christopher! I'll try and pick all of those up RSN(tm).
Hey @ChristopherKB I've added suggestions for each of your comments. Thanks for your time and help.
Wait, I just realized something important. Ben on the forums pointed out that the PKCS#8 keys are not usable for inputs on Graylog 3.0. Apparently they work differently. So these instructions are 100% guaranteed for <= v2.5. Inputs of 3.0 apparently need additional work. EDIT: