FortiSIEM Discussions
Ali_Maher
New Contributor III

CA Signed Certificate process

Hello Experts,

I hope all is well.

 

Kindly, we did the following to issue a CA-signed certificate for the Supervisor:

1- Generate Key

openssl genrsa -out /tmp/fsm.key 2048

2- Generate CSR

openssl req -new -key /tmp/fsm.key -config /opt/san.cnf -out /tmp/fsm.csr

3- Submitted the CSR to get the CA-signed certificate

4- Obtained the Root CA certificate from the AD CS root server

5- Changed the ssl.conf file to point to our files

 

Q1: What is the right order for pointing to the key, the CA-signed certificate and the Root CA certificate in these directives?

SSLCertificateFile

SSLCertificateKeyFile

SSLCertificateChainFile

SSLCACertificateFile

 

Q2: Should I do the above on the Worker too?

 

BR, Ali Maher
Rob_SIEM
Staff

Hi Ali,

Most typically, this process is for the Supervisor appliance, which hosts the Apache web server, so visitors to the FortiSIEM page see a public-CA-signed TLS certificate.

 

If you generate a cert signing request for the Supervisor appliance, when you run step #2 above you enter the FQDN of the Supervisor (e.g. siem.example.com) and upload the cert to the public CA (e.g. GoDaddy), and they provide you an SSL cert. You can alternatively purchase a wildcard cert (e.g. *.example.com), which can be used on all nodes you'd like.

 

The private key generated in step #2 never leaves your server; you should move that to /etc/pki/tls/private with appropriate permissions.

The certificates generated by your CA (the cert file, optional chain file, and optional CA cert file) go to /etc/pki/tls/certs

 

#Apache config file: /etc/httpd/conf.d/ssl.conf

In the Apache config file, the following items are

#Required items

SSLCertificateFile /etc/pki/tls/certs/localhost.crt  -> copy your downloaded certificate from CA provider to this folder, see notes on file permissions
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key  -> copy your private key fsm.key to this folder, see notes on file permissions

 

#Optional items

SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt  -- Most CA providers will include the chain of SSL certificates in the certificate file itself, but if it is in a separate file you can include it here. If the chain is already in your SSL cert you don't need this.

#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt - This is only needed if you want clients to be mutually authenticated. For example, collectors would also need a public-CA-signed SSL certificate if this is enabled (uncommented, without the # sign).

 

#Note on permissions, when copying files to the certs dir, set these permissions

chown root:root /etc/pki/tls/certs/mycertfile.pem

chmod 644 /etc/pki/tls/certs/mycertfile.pem

 

#The private key is more restricted

chown root:admin /etc/pki/tls/private/mykey.pem

chmod 640 /etc/pki/tls/private/mykey.pem
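The checks below tie the question's five steps to the directive mapping and permissions in this reply. This is an added example, not code from the thread or from Fortinet: it builds a throwaway root CA and server key/CSR/certificate in a temp directory (constructed stand-ins for AD CS output and for fsm.key/fsm.csr; the san.cnf content is also constructed, since the real one is not on the page), then verifies that the key matches the issued certificate, that the certificate verifies against the Root CA, and that every active directive in a stand-in ssl.conf points at a file with the expected mode. The chown steps are omitted because the example does not run as root.

```shell
#!/bin/sh
# Added example (not from the thread). Throwaway PKI + the pre-flight checks worth
# running before editing /etc/httpd/conf.d/ssl.conf:
#   1. the private key really belongs to the issued certificate
#   2. the certificate verifies against the Root CA certificate
#   3. each directive points at an existing file with the right mode (644 cert, 640 key)
set -eu

WORK=$(mktemp -d)
CERTS="$WORK/etc/pki/tls/certs"     # stand-in for /etc/pki/tls/certs
PRIV="$WORK/etc/pki/tls/private"    # stand-in for /etc/pki/tls/private
mkdir -p "$CERTS" "$PRIV"

# Constructed stand-in for the question's /opt/san.cnf; ca_ext is only used for the test root CA.
cat > "$WORK/san.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
req_extensions     = server_ext
[dn]
CN = siem.example.com
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[server_ext]
subjectAltName   = DNS:siem.example.com
extendedKeyUsage = serverAuth
EOF

# Steps 1 and 2 of the question (key + CSR), plus a throwaway Root CA that signs the CSR (step 3).
make_test_pki() {
  openssl genrsa -out "$WORK/rootca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/rootca.key" -config "$WORK/san.cnf" \
    -subj "/CN=Test Root CA" -days 1 -out "$WORK/rootca.crt" 2>/dev/null
  openssl genrsa -out "$WORK/fsm.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/fsm.key" -config "$WORK/san.cnf" -out "$WORK/fsm.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/fsm.csr" -CA "$WORK/rootca.crt" -CAkey "$WORK/rootca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -extensions server_ext \
    -out "$WORK/fsm.crt" 2>/dev/null
}

# Succeeds only when the public key inside the cert equals the key file's public part.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Succeeds only when the server cert ($1) verifies against the Root CA file ($2).
cert_chains_to_root() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Certs world-readable (644), private key group-readable only (640), as in the reply.
install_with_perms() {
  install -m 644 "$WORK/fsm.crt"    "$CERTS/localhost.crt"
  install -m 644 "$WORK/rootca.crt" "$CERTS/ca-bundle.crt"
  install -m 640 "$WORK/fsm.key"    "$PRIV/localhost.key"
}

# The mapping from the reply: cert -> SSLCertificateFile, key -> SSLCertificateKeyFile;
# chain file and CA bundle stay in the optional (commented) directives.
write_ssl_conf() {
  cat > "$WORK/ssl.conf" <<EOF
SSLCertificateFile $CERTS/localhost.crt
SSLCertificateKeyFile $PRIV/localhost.key
#SSLCertificateChainFile $CERTS/server-chain.crt
#SSLCACertificateFile $CERTS/ca-bundle.crt
EOF
}

# For every active directive: the referenced file must exist and carry the expected mode.
check_ssl_conf() {
  rc=0
  while read -r directive path; do
    case "$directive" in
      SSLCertificateKeyFile) want=640 ;;
      SSLCertificateFile|SSLCertificateChainFile|SSLCACertificateFile) want=644 ;;
      *) continue ;;                       # comments, blank lines, unrelated directives
    esac
    if [ ! -f "$path" ]; then echo "missing: $directive $path"; rc=1; continue; fi
    have=$(file_mode "$path")
    [ "$have" = "$want" ] || { echo "mode $have, want $want: $path"; rc=1; }
  done < "$1"
  return $rc
}

make_test_pki
key_matches_cert "$WORK/fsm.key" "$WORK/fsm.crt" && echo "key matches certificate"
cert_chains_to_root "$WORK/fsm.crt" "$WORK/rootca.crt" && echo "certificate verifies against Root CA"
install_with_perms
write_ssl_conf
check_ssl_conf "$WORK/ssl.conf" && echo "ssl.conf directives point at files with the expected modes"
```

On a real Supervisor the same three checks apply to the files you actually received: run key_matches_cert against fsm.key and the downloaded certificate, cert_chains_to_root against the Root CA certificate exported from AD CS, and check_ssl_conf against /etc/httpd/conf.d/ssl.conf after editing it. A mode mismatch on the key is the failure the thread's later replies describe (a permission mistake breaking the service), so it is worth catching before restarting httpd.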

 

Secusaurus

Hi @Rob_SIEM,

Just one additional question: We experienced that certificate files are overwritten when doing an upgrade (and you have to look carefully for the correct permissions to avoid crashing the upgrade process).

So: Will the change in the apache config file be persistent or will we need to do that again after an upgrade?

 

 

Btw, our solution for the web access is having a firewall (FortiGate) in front of the Supervisor that proxies the traffic and therefore shows its own certificate. This avoids making changes on the FSM itself and lets us use Let's Encrypt here (which would otherwise require updating the certificate on the Supervisor every three months).

Note that proxying the Workers, on the other hand, can result in a lot of load for the firewall, so be careful here.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
Rob_SIEM

Hi Christian,

 

Under no circumstance should an upgrade remove SSL certificates on the Supervisor, workers, or collectors. Those should be preserved and config restored on upgrade. If it is not, it would be a bug. I'll ask the team if this is a known issue. If you have seen this can you file a TAC case with the details? 

 

Thanks,

Secusaurus

Hi Rob,

 

The last time I was involved in this issue, we changed the localhost files instead of changing the Apache config. Overwriting the Apache file was in version 6.something, so we switched over to replacing the localhost files after every update, as we also need to overwrite some other files in the html structure (login screen, css, etc.) after updates, so it's an easier workflow than looking for some lines in a config file.

Obviously, the localhost.crt and localhost.key get overwritten, since they are not meant to be changed by users.

We saw overwriting settings when doing an upgrade also with some custom scripts in cronjob and custom daemons, so we always check all our backend-modifications after every upgrade ;)

 

Anyways, we will configure the Apache file in our testing instance the next time we do an upgrade there and check the consequences. Good to know that this file should be kept after an upgrade.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner