CA Signed Certificate process
Hello Experts,
I hope all is well.
Kindly, we did the below to issue a CA signed certificate for the Supervisor:
1- Generate key
openssl genrsa -out /tmp/fsm.key 2048
2- Generate CSR
openssl req -new -key /tmp/fsm.key -config /opt/san.cnf -out /tmp/fsm.csr
3- Submitted the CSR to get the CA signed certificate
4- Obtained the root CA certificate from the root server (AD CS)
5- Changed the ssl.conf file to point to our files
Q1: What is the right order to point to the key, the CA signed certificate and the root CA?
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
SSLCACertificateFile
Q2: Should I do the above on the worker as well?
Hi Ali,
Most typically, this process is for the Supervisor appliance, which hosts the Apache web server, so visitors to the FortiSIEM page see a public CA signed TLS certificate.
If you generate a cert signing request for the Supervisor appliance, when you run step #2 above, you enter the FQDN of the Supervisor, e.g. siem.example.com, and upload the CSR to the public CA, e.g. GoDaddy, and they provide you an SSL cert. You can alternatively purchase a wildcard cert (e.g. *.example.com, which can be used on all nodes you'd like).
The private key generated in step #2 never leaves your server; you should move it to
/etc/pki/tls/private with appropriate permissions.
The certificates generated by your CA (the cert file, optional chain file, and optional CA cert file) go to /etc/pki/tls/certs
#Apache config file: /etc/httpd/conf.d/ssl.conf
In the Apache config file, the following items are:
#Required items
SSLCertificateFile /etc/pki/tls/certs/localhost.crt -> copy your downloaded certificate from the CA provider to this folder, see notes on file permissions
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key -> copy your private key fsm.key to this folder, see notes on file permissions
#Optional items
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt -- Most CA providers will include the chain of SSL certificates in the certificate file itself, but if it is in a separate file you can include it here. If the chain is already in your SSL cert you don't need this.
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt - This is only needed if you want clients to be mutually authenticated. For example, collectors would also need a public CA signed SSL certificate if this is enabled (uncommented, i.e. the leading # sign removed).
#Note on permissions: when copying files to the certs dir, set these permissions
chown root:root /etc/pki/tls/certs/mycertfile.pem
chmod 644 /etc/pki/tls/certs/mycertfile.pem
#The private key is more restricted
chown root:admin /etc/pki/tls/private/mykey.pem
chmod 640 /etc/pki/tls/private/mykey.pem
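A small audit script, added here as an illustration and not part of the reply above or of FortiSIEM itself, that parses the ssl.conf directives described above (treating a leading # as inactive), reports a missing required directive, warns when SSLCACertificateFile is active (mutual TLS), and checks that the referenced files exist with the private key not world-readable. The ssl.conf fragment and the temporary file tree are constructed for the demo; the `root` parameter is an assumption of this script so it can run against a test tree instead of /etc.

```python
import os
import re
import stat
import tempfile

# Constructed ssl.conf fragment using the directive layout discussed in the reply above.
SAMPLE_SSL_CONF = """\
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
"""
REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")

def parse_ssl_directives(text):
    """Return {directive: path} for active (uncommented) SSL*File lines."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # '#' lines are inactive
            m = re.match(r"(SSL\w+File)\s+(\S+)", line)
            if m:
                found[m.group(1)] = m.group(2)
    return found

def file_mode(path):
    """Permission bits of path, or None if it does not exist."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None

def audit(text, root=""):
    """Check directives and file modes; 'root' (assumed helper) prefixes paths for a test tree."""
    d = parse_ssl_directives(text)
    findings = [f"missing required directive {n}" for n in REQUIRED if n not in d]
    if "SSLCACertificateFile" in d:
        findings.append("SSLCACertificateFile is active: clients (e.g. collectors) must present certs")
    for name, path in d.items():
        mode = file_mode(root + path)
        if mode is None:
            findings.append(f"{name} points to missing file {path}")
        elif name == "SSLCertificateKeyFile" and mode & 0o007:
            findings.append(f"private key {path} is world-accessible (mode {mode:o}); expected 640")
    return findings

def demo():
    """Constructed tree: audit passes with key mode 640, then fails after chmod 644."""
    with tempfile.TemporaryDirectory() as root:
        for path in parse_ssl_directives(SAMPLE_SSL_CONF).values():
            os.makedirs(os.path.dirname(root + path), exist_ok=True)
            open(root + path, "w").close()
            os.chmod(root + path, 0o640 if path.endswith(".key") else 0o644)
        good = audit(SAMPLE_SSL_CONF, root)
        os.chmod(root + "/etc/pki/tls/private/localhost.key", 0o644)
        return good, audit(SAMPLE_SSL_CONF, root)
```

Run `audit(open("/etc/httpd/conf.d/ssl.conf").read())` on the Supervisor after step 5 to catch a mis-pointed directive or a too-permissive key before restarting httpd.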
Hi @Rob_SIEM,
Just one additional question: We experienced that certificate files are overwritten when doing an upgrade (and you have to look carefully for the correct permissions to avoid crashing the upgrade process).
So: Will the change in the apache config file be persistent or will we need to do that again after an upgrade?
Btw, our solution for the web access is having a firewall (FortiGate) in front of the Supervisor that proxies the traffic and therefore shows its own certificate. This avoids making changes on the FSM itself and lets us use Let's Encrypt here (which would otherwise require updating the certificate on the Supervisor every three months).
Note that proxying the workers, on the other hand, can result in a lot of load for the firewall, so be careful here.
Best,
Christian
Hi Christian,
Under no circumstances should an upgrade remove SSL certificates on the Supervisor, workers, or collectors. Those should be preserved and the config restored on upgrade. If it is not, it would be a bug. I'll ask the team if this is a known issue. If you have seen this, can you file a TAC case with the details?
Thanks,
Hi Rob,
The last time I was involved in this issue, we changed the localhost files instead of changing the Apache config. Overwriting the Apache file was in version 6.something, so we switched over to replacing the localhost files after every update, as we also need to overwrite some other files in the HTML structure (login screen, CSS, etc.) after updates, so it's an easier workflow than looking for some lines in a config file.
Obviously, localhost.crt and localhost.key get overwritten, since they are not meant to be changed by users.
We saw settings being overwritten during an upgrade also with some custom scripts in cron jobs and custom daemons, so we always check all our backend modifications after every upgrade ;)
Anyway, we will configure the Apache file in our testing instance the next time we do an upgrade there and check for the consequences. Good to know that this file should be kept after an upgrade.
Best,
Christian