[syslog-ng] Syslog-ng mutual self cert authentication

Ivan Adji - Krstev akivanradix at gmail.com
Fri Jan 15 13:09:46 CET 2016


Hi Gyu,
So if I get this all right, I have to do the following on the server:

Generate the certificate for the CA:

    openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

Create the server certificate and sign a certificate for the server:

    openssl req -nodes -new -x509 -keyout serverkey.pem -out serverreq.pem -days 365 -config openssl.cnf
    openssl x509 -x509toreq -in serverreq.pem -signkey serverkey.pem -out tmp.pem
    openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem

On the client:

Copy cacert.pem from the server to the client.

Create a client certificate:

    openssl req -nodes -new -x509 -keyout clientkey.pem -out clientreq.pem -days 365 -config openssl.cnf
    openssl x509 -x509toreq -in clientreq.pem -signkey clientkey.pem -out tmp.pem
    openssl ca -config openssl.cnf -policy policy_anything -out clientcert.pem -infiles tmp.pem

And then just link the cacert.pem, and in the ca.d put the servercert.pem file?


And on the Server site copy the clientcert.pem file to ca.d ?

Kind regards
Ivan

On 01/15/2016 11:42 AM, PÁSZTOR György wrote:
> Hi,
>
> "Ivan Adji - Krstev" <akivanradix at gmail.com> wrote on 2016-01-15 at 11:18:
>> You mean the cacert.pem or the servercert.pem ? and vice versa ?
> The servercert.pem is the cert pair for the key that the server has.
> The (server)cert is the "public" part of the key, and the key file is the
> private part.
> The servercert is signed with the cacert. As far as I saw your example, you
> defined a different CA for signing the servercert, and do that separately to
> sign the client's cert.
> So the CA that you have created to sign the server's CSR (so, after the
> signing it becomes a cert) is the one which should be published to the
> client side CA dir.
> So when the TLS handshake happens, the client sees that, whoops, here is a
> server cert. It checks in the cert the issuer's fingerprint.
> Based on the fingerprint it will find the CA's cert in its local CA dir.
> It checks if that signature is valid, and the client is happy.
> The same will happen on the server side symmetrically:
> The client will show up with its own cert.
> The server sees it is signed with the other CA (the one which you used
> to sign the client cert).
> Based on the fingerprint, it starts to check if it is available in its CA
> dir.
> If you install that there, and the appropriate symlink is also available,
> then it will also find that CA cert. It will check if the client
> certificate is valid.
> It will be.
> Both sides will be happy, and communicate gladly inside an encrypted
> channel.
>
> Was this description clear?
>
> Kind regards,
> Gyu
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
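
The exchange above turns on one point: what goes into each side's ca.d is the CA certificate that signed the peer's certificate, reachable through a symlink named after its subject hash, not the peer's own cert. The script below is an added example, not code from the thread or from the syslog-ng project. It builds a throwaway PKI where a single CA signs both the server and the client certificate (the simplest layout; the thread discusses separate CAs, which works the same way with one CA cert per ca.d), then verifies each certificate against the other side's ca.d the way the TLS peer would. It deliberately departs from the commands quoted earlier in two ways, both assumptions of this example: the server and client keys get a plain CSR (no -x509, so no self-signed interim cert to convert with -x509toreq), and signing uses openssl x509 -req with -CA/-CAkey instead of openssl ca, so no openssl.cnf CA database is needed. Subject names, directory layout and the "unrelated issuer" certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the syslog-ng project): build a small
# mutual-TLS PKI where one CA signs both the server and the client certificate,
# and populate each side's ca.d with that CA cert under its subject-hash name.
# Subject names such as "Example syslog CA" and the directory layout are constructed.
set -e

# Create the PKI under $1 (a fresh temp dir if omitted). Prints the symlink
# name that a hashed CA directory lookup expects, i.e. <subject_hash>.0
build_mtls_pki() {
  dir=${1:-$(mktemp -d)}
  mkdir -p "$dir/server/ca.d" "$dir/client/ca.d"
  dir=$(cd "$dir" && pwd)
  (
    cd "$dir"
    # 1. CA: the only self-signed certificate in the whole setup.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
      -days 365 -subj "/CN=Example syslog CA" >/dev/null 2>&1

    # 2. Server: key + CSR, then a certificate signed by the CA key (not self-signed).
    openssl req -newkey rsa:2048 -nodes -keyout server/serverkey.pem \
      -out serverreq.pem -subj "/CN=syslog-server.example" >/dev/null 2>&1
    openssl x509 -req -in serverreq.pem -CA cacert.pem -CAkey cakey.pem \
      -CAcreateserial -days 365 -out server/servercert.pem >/dev/null 2>&1

    # 3. Client: the same pattern, signed by the same CA.
    openssl req -newkey rsa:2048 -nodes -keyout client/clientkey.pem \
      -out clientreq.pem -subj "/CN=syslog-client.example" >/dev/null 2>&1
    openssl x509 -req -in clientreq.pem -CA cacert.pem -CAkey cakey.pem \
      -CAcreateserial -days 365 -out client/clientcert.pem >/dev/null 2>&1

    # 4. A self-signed cert from an unrelated issuer, to show that ca.d rejects it.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout otherkey.pem -out othercert.pem \
      -days 365 -subj "/CN=unrelated issuer" >/dev/null 2>&1

    # 5. ca.d holds the CA cert (not the peer's cert), reachable through a symlink
    #    named after the subject hash; that name is how OpenSSL's hashed-directory
    #    lookup, and therefore a ca-dir() style lookup, finds the issuer during the
    #    handshake (the "appropriate symlink" from the reply above).
    hash=$(openssl x509 -noout -subject_hash -in cacert.pem)
    for side in server client; do
      cp cacert.pem "$side/ca.d/cacert.pem"
      ln -sf cacert.pem "$side/ca.d/$hash.0"
    done
    echo "$hash.0"
  )
}

# Returns 0 when certificate $2 chains to a CA in the hashed directory $1,
# non-zero otherwise. This is the check each peer performs on the other's cert.
verify_against_cadir() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "run" ]; then
  pki=$(mktemp -d)
  link=$(build_mtls_pki "$pki")
  echo "ca.d entry: $link"
  verify_against_cadir "$pki/server/ca.d" "$pki/client/clientcert.pem" && echo "server accepts client cert"
  verify_against_cadir "$pki/client/ca.d" "$pki/server/servercert.pem" && echo "client accepts server cert"
  verify_against_cadir "$pki/client/ca.d" "$pki/othercert.pem" || echo "unrelated issuer rejected"
fi
```

Run it as `sh mtls-pki.sh run` (the file name is arbitrary). The resulting server/ and client/ directories map directly onto the three things each syslog-ng side needs in its tls() block: its own key file, its own certificate file, and a ca-dir pointing at ca.d; with peer verification set to require a trusted certificate, the unrelated issuer in step 4 is rejected exactly as the last check shows, which is the behaviour you want from a log collector that must not accept messages from an unknown sender.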
