RSyslog Documentation

Creating certificates with a script

Written by Florian Riedl (2019-09-12)

Overview

This small article describes is a quick addon to the TLS guides. It describes in short words, how you can create some quick and dirty certificates for testing.

Disclaimer: When creating certificates with the attached scripts and more or less default configurations, you cannot create secure certificates. You need to use more detailed configuration files to create secure certificates.

Description

We created a few simple scripts and added configuration files from the sample configuration in the certtool man page. You can download them here: Download Scripts.

The tarball contains 6 files, 3 scripts and 3 configurations. To execute, you must make the scripts executable and have certtool installed via libgnutls.

These scripts can easily be combined into one. But, we decided to go for separate scripts so each step can be repeated separately if needed.

After the scripts are executed, you should have 2 new files per script. Distribute the files to the machines as described before.

Example

Apart from executing the scripts, no extra input is required. All input from manual certificate creating can be done automatically via the configuration template in the cfg files.

Sample output for the CA certificate generation.

test@ubuntu:~/Documents$ ./1-generate-ca.sh
** Note: Please use the --sec-param instead of --bits
Generating a 2048 bit RSA private key...
Generating a self signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 5d7a6351
    Validity:
            Not Before: Thu Sep 12 15:25:05 UTC 2019
            Not After: Sun Sep 09 15:25:05 UTC 2029
    Subject: C=US,O=Example,OU=Example,CN=CA-Cert
    Subject Public Key Algorithm: RSA
    Certificate Security Level: Low
            Modulus (bits 2048):
                    00:95:28:40:b6:4d:60:7c:cf:72:1d:17:36:b5:f1:11
                    0d:42:05:e9:38:c7:6e:95:d9:42:02:c5:4b:f2:9d:e2
                    c8:31:ac:18:ae:55:f7:e0:4c:dd:6d:72:32:01:fa:1d
                    da:a1:3d:ad:c9:13:0a:68:3e:bc:40:6a:1e:f2:f7:65
                    f0:e9:64:fa:84:8b:96:15:b5:10:f3:99:29:14:ee:fc
                    88:8d:41:29:8e:c7:9b:23:df:8b:a3:79:28:56:ed:27
                    66:a4:9a:fa:75:47:67:0a:e2:f4:35:98:e8:9e:ad:35
                    c2:b2:17:8b:98:72:c4:30:58:fd:13:b6:f4:01:d0:66
                    56:be:61:85:55:dc:91:b6:4e:0a:3f:d4:3f:40:fa:a8
                    92:5e:c5:dd:75:da:c3:27:33:59:43:47:74:fe:d2:28
                    14:49:62:ee:39:22:34:6b:2f:e8:d1:ba:e9:95:6d:29
                    d2:6f:8a:a2:fc:c8:da:f0:47:78:3b:2c:03:dc:fb:43
                    31:9e:a1:cb:11:18:b9:0b:31:d3:86:43:68:f8:c4:bd
                    ab:90:13:33:75:e9:b5:ca:74:c3:83:98:e9:91:3d:39
                    fb:65:43:77:0b:b2:bc:3b:33:c2:91:7e:db:c3:a2:a1
                    80:0b:a0:ce:cb:34:29:8b:24:52:25:aa:eb:bd:40:34
                    cb
            Exponent (bits 24):
                    01:00:01
    Extensions:
            Basic Constraints (critical):
                    Certificate Authority (CA): TRUE
            Key Usage (critical):
                    Certificate signing.
            Subject Key Identifier (not critical):
                    6bbe9a650dbcaf5103c78daf8a2604d76a749f42
Other Information:
    Public Key Id:
            6bbe9a650dbcaf5103c78daf8a2604d76a749f42



Signing certificate...

Sample output for the machine certificate generation.

test@ubuntu:~/Documents$ ./2-generate-client.sh
** Note: Please use the --sec-param instead of --bits
Generating a 2048 bit RSA private key...
Generating a PKCS #10 certificate request...
Generating a signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 5d7a6402
    Validity:
            Not Before: Thu Sep 12 15:28:02 UTC 2019
            Not After: Sun Sep 09 15:28:02 UTC 2029
    Subject: C=US,O=Example,OU=Example,CN=Test Client
    Subject Public Key Algorithm: RSA
    Certificate Security Level: Low
            Modulus (bits 2048):
                    00:bd:7f:0b:20:2e:fe:f1:49:91:71:fa:f1:72:76:6b
                    c0:96:ce:e0:85:80:a3:6a:d2:9e:07:dd:02:94:4f:df
                    c8:34:13:7d:d1:8f:b8:1b:1f:cf:b8:b7:ae:2f:dd:9a
                    da:52:6e:a3:f4:73:20:63:32:46:c2:e1:94:73:6b:cd
                    b4:e4:82:46:25:b0:62:f9:12:28:4f:4f:76:23:5c:47
                    1b:f9:61:cd:68:c1:c1:17:93:90:3c:d2:2b:6e:82:c2
                    a3:ca:80:b7:89:6e:b6:16:ae:47:05:e5:b4:07:bf:75
                    d9:bd:aa:fe:79:77:72:6e:af:ed:5b:97:d1:e0:00:ba
                    ab:6f:9e:1f:a6:d4:95:d7:d3:39:88:9b:58:88:28:a0
                    7e:b6:fe:07:7e:68:ad:a1:d0:23:12:3d:96:b2:a8:8e
                    73:66:c0:4f:10:a0:e5:9e:ab:2a:37:1d:83:b1:c3:e5
                    7c:35:cc:20:05:7c:7e:41:89:f1:b3:6b:e4:00:f2:bc
                    0b:08:55:07:b3:67:e4:14:1c:3c:64:1b:92:2d:d7:f0
                    f7:d4:dc:d7:63:1e:fd:e4:98:bc:6b:f1:1a:a9:af:05
                    7a:94:52:f5:b5:36:f0:0c:c0:41:0a:39:b7:fb:b3:50
                    c1:ce:ee:24:56:61:77:9d:9e:e1:d0:e1:39:f0:cc:b6
                    29
            Exponent (bits 24):
                    01:00:01
    Extensions:
            Basic Constraints (critical):
                    Certificate Authority (CA): FALSE
            Key Purpose (not critical):
                    TLS WWW Client.
                    TLS WWW Server.
            Subject Key Identifier (not critical):
                    5a1a7316c4594cafafbeb45ddb49623af3a9f231
            Authority Key Identifier (not critical):
                    6bbe9a650dbcaf5103c78daf8a2604d76a749f42
Other Information:
    Public Key Id:
            5a1a7316c4594cafafbeb45ddb49623af3a9f231



Signing certificate...

Be sure to safeguard ca-key.pem! Nobody except the CA itself needs to have it. If some third party obtains it, you security is broken!

See also

Help with configuring/using Rsyslog:

  • Mailing list - best route for general questions
  • GitHub: rsyslog source project - detailed questions, reporting issues that are believed to be bugs with Rsyslog
  • Stack Exchange (View, Ask) - experimental support from rsyslog community

See also

Contributing to Rsyslog:

© 2008-2019, `Rainer Gerhards and Others. This site uses the “better” theme for Sphinx.
Scroll to top