How to create certificates to authorize Bro's SSL connections
=============================================================
- Create a global CA key/certificate once:
* Create a directory to hold the CA files, and set up the following
inside it:
mkdir <ca-dir>
cd <ca-dir>
mkdir private newcerts cert crl
chmod 700 private
touch index.txt
echo 01 >serial
cp bro/openssl.conf .
* Create a private CA key:
openssl genrsa -des3 -out private/ca_key.pem
(pass an explicit key length as the last argument rather than relying on the tool's default)
* Self-sign it:
openssl req -new -x509 -key private/ca_key.pem -out ca_cert.pem -days 1095
- For each Bro instance:
* Create a private key (without a passphrase):
openssl genrsa -out bro_key.pem
* Create a certification request:
openssl req -new -key bro_key.pem -out bro.csr
* Create a certificate using the CA key:
openssl ca -config openssl.cnf -in bro.csr -out bro_cert.pem
(the name given to -config must match the configuration file copied into
the CA directory in the first step; the two names differ above)
* Verify that the certificate is ok:
openssl verify -CAfile ca_cert.pem bro_cert.pem
* Concatenate the Bro key and certificate into a single file:
cat bro_key.pem bro_cert.pem >bro.pem
(this file contains the unencrypted private key; keep its permissions
restricted, e.g. chmod 600 bro.pem)
* Copy this and the CA certificate to the IDS machine:
scp bro.pem ca_cert.pem ids:...
* Redef Bro's variables to point to the files:
redef ssl_ca_certificate = "...../ca_cert.pem";
redef ssl_private_key = "...../bro.pem";
* Remove the intermediate files that are no longer needed locally:
rm bro_key.pem bro.csr bro_cert.pem bro.pem