[syslog-ng] Syslog-ng mutual self cert authentication

Ivan Adji - Krstev akivanradix at gmail.com
Fri Jan 15 15:06:27 CET 2016


Can someone give me the right way to do this, as I am following this
tutorial and still have errors:
https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-tutorial-mutual-auth-tls/html/create-ca.html

Kind regards
Ivan

On 01/15/2016 11:42 AM, PÁSZTOR György wrote:
> Hi,
>
> "Ivan Adji - Krstev" <akivanradix at gmail.com> írta 2016-01-15 11:18-kor:
>> You mean the cacert.pem or the servercert.pem ? and vice versa ?
> The servercert.pem is the cert pair for the key what the server has.
> The (server)cert is the "public" part of the key, and the key file is the
> private part.
> The servercert is signed with the cacert. As far as I saw your example, you
> defined different CA for signing the servercert, and do that separately to
> sign the client's cert.
> So the ca, what you have created to sign the server's csr (so, after the
> signing it become a cert), is the one which should be published to the
> client side ca dir.
> So when the tls handshake happens, the client sees that whups, here is a
> server cert. Cheks in the cert the issuer's fingerprint.
> Based on the fingerprint it will find the CA's cert in it's local ca dir.
> Check if that signature is valid, and client is happy.
> The same will happen on the server side simmetrically:
> The client will show up its own cert.
> The server sees, it is signed with the other ca. (The one, which you used
> to sign the client cert.)
> Based on the fingerprint, it start to check if it is available in its ca
> dir.
> If you install that there, and the appropriate symlink is also available,
> then it will also find that ca cert. It will check if the client
> certificate is valid.
> It will be.
> Both side will be happy, and communicate gladly inside an encrypted
> channel.
>
> Was this description clear?
>
> Kind regards,
> Gyu
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
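The layout György describes above (two independent CAs, each side's CA installed in the other side's ca-dir under its hash symlink), as an added example that is not part of the thread or of the Balabit tutorial. It creates the two CAs and the two leaf certs with openssl, cross-installs the CA certs, writes the matching syslog-ng tls() fragments, and then checks with `openssl verify` that the client's ca-dir accepts the server cert, the server's ca-dir accepts the client cert, and that a cert checked against the wrong ca-dir is rejected. All directory names, CNs, the host `logserver.example.com` and port 6514 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread or the Balabit tutorial:
# two independent CAs, a server cert signed by the "Server CA" and a
# client cert signed by the "Client CA", each CA installed in the OTHER
# side's ca-dir under its subject-hash name, then the trust relations
# checked with openssl. Paths, CNs, logserver.example.com and port 6514
# are assumptions made for this example.
set -e

# Self-signed CA: $1 = directory, $2 = CN
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" >/dev/null 2>&1
}

# Leaf cert signed by a CA: $1 = CA dir, $2 = output dir, $3 = CN
issue_cert() {
    mkdir -p "$2"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2/key.pem" -out "$2/req.pem" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$2/req.pem" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -out "$2/cert.pem" >/dev/null 2>&1
}

# Install a CA cert into a ca-dir: $1 = CA cert, $2 = ca-dir, $3 = file name.
# The <subject-hash>.0 symlink is what c_rehash would create; both
# "openssl verify -CApath" and syslog-ng's ca-dir() look the issuer up by it.
install_ca() {
    mkdir -p "$2"
    cp "$1" "$2/$3"
    ln -sf "$3" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

# Prints "yes" if leaf cert $1 chains to a CA found in ca-dir $2, else "no".
verify_against() {
    if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Build the whole layout under $1.
build_demo() {
    make_ca "$1/ca-server" "Server CA"
    make_ca "$1/ca-client" "Client CA"
    issue_cert "$1/ca-server" "$1/server" "logserver.example.com"
    issue_cert "$1/ca-client" "$1/client" "relay01"
    # Cross-install: the client trusts the server's CA, the server trusts the client's CA.
    install_ca "$1/ca-server/cacert.pem" "$1/client/ca.d" "server-ca.pem"
    install_ca "$1/ca-client/cacert.pem" "$1/server/ca.d" "client-ca.pem"

    # syslog-ng OSE 3.x fragments matching the layout (assumed host and port).
    cat >"$1/client/tls-dest.conf" <<EOF
destination d_tls {
    network("logserver.example.com" port(6514) transport("tls")
        tls(key-file("$1/client/key.pem") cert-file("$1/client/cert.pem")
            ca-dir("$1/client/ca.d") peer-verify(required-trusted)));
};
EOF
    cat >"$1/server/tls-src.conf" <<EOF
source s_tls {
    network(ip("0.0.0.0") port(6514) transport("tls")
        tls(key-file("$1/server/key.pem") cert-file("$1/server/cert.pem")
            ca-dir("$1/server/ca.d") peer-verify(required-trusted)));
};
EOF
}

WORK=${WORK:-$(mktemp -d)}
build_demo "$WORK"
echo "client ca.d accepts server cert: $(verify_against "$WORK/server/cert.pem" "$WORK/client/ca.d")"
echo "server ca.d accepts client cert: $(verify_against "$WORK/client/cert.pem" "$WORK/server/ca.d")"
echo "server ca.d accepts server cert: $(verify_against "$WORK/server/cert.pem" "$WORK/server/ca.d")"
```

The third line is the mix-up the thread is about: a cert checked against a ca-dir that only holds the other side's CA fails, which is exactly what a syslog-ng peer with `peer-verify(required-trusted)` will report when the CA certs were installed on the wrong side. `peer-verify(required-trusted)` on both ends is what makes the authentication mutual; with `optional-untrusted` or `required-untrusted` the ca-dir contents are not enforced.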


