Commit d80acf04 authored by Botond Botyanszki's avatar Botond Botyanszki

Cert generation scripts for im_wseventing.

Unfortunately Windows Event Forwarding is a little tricky to set up with NXLog's im_wseventing module.
These scripts are to help with certificate generation using the openssl tool.
The `gencert.cnf` configuration file contains the needed X509 extensions so that the certificates will be generated properly.
* `genca.sh` - generate the CA certificate and private key.
* `gencert-client.sh` - generate the client certificate signed by the CA cert to be imported into the Windows' certificate store. This generates a `client.pfx` that can can be used for the import.
* gencert-server.sh - generate the server certificate and private key to be used by the im_wseventing module.
For more details on the actual WEF setup see the [im_wseventing documentation](https://nxlog.co/documentation/nxlog-user-guide/#im_wseventing).
Use at your own risk.
#!/bin/sh
SUBJ="/CN=NXLog-WEF-CA/O=nxlog.org/C=HU/ST=state/L=location"
openssl req -x509 -nodes -newkey rsa:2048 -keyout ca-key.pem -out ca-cert.pem -batch -subj "$SUBJ" -config gencert.cnf
openssl x509 -outform der -in ca-cert.pem -out ca-cert.crt
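Review bot: The CA certificate on line 16 is issued without `-days`, so `openssl req -x509` falls back to its default 30-day validity while the leaf certificates the other scripts sign get 1024 days; everything signed by this CA stops validating once the CA expires. Give the CA an explicit lifetime, e.g. `openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout ca-key.pem -out ca-cert.pem -batch -subj "$SUBJ" -config gencert.cnf` (3650 is a sample value). `-nodes` also writes `ca-key.pem` unencrypted under whatever umask the caller has; a `umask 077` at the top of the script limits who can read the signing key. There is no `set -e`, so a failed `req` still runs the DER conversion on a stale `ca-cert.pem`.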
#!/bin/sh
CLIENTSUBJ="/CN=client.example.com/O=nxlog.org/C=HU/ST=state/L=location"
CERTDIR=.
openssl req -new -newkey rsa:2048 -nodes -keyout client-key.pem -out req.pem -batch -subj "$CLIENTSUBJ" -config gencert.cnf
openssl x509 -req -days 1024 -in req.pem -CA ca-cert.pem -CAkey ca-key.pem -out client-cert.pem -set_serial 01 -extensions client_cert -extfile gencert.cnf
rm -f req.pem
openssl pkcs12 -export -out client.pfx -inkey client-key.pem -in client-cert.pem -certfile ca-cert.pem
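Review bot: `-set_serial 01` on line 22 hard-codes the certificate serial, and `gencert-server.sh` uses the same `-set_serial 01` under the same CA, so the client and server certificates end up with identical issuer and serial number; RFC 5280 requires serials to be unique per issuer, and anything that keys on issuer+serial (CRLs, certificate stores) may conflate or reject them. Let openssl maintain the serial file instead: `openssl x509 -req -days 1024 -in req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extensions client_cert -extfile gencert.cnf`, with the same change in the server script. `CERTDIR=.` on line 20 is assigned but never used. As in the other scripts there is no `set -e`, so a failed CSR step still feeds a stale `req.pem` into signing and the PKCS#12 export.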
#!/bin/sh
if test x$1 != x; then
SERVERNAME = $1;
else
SERVERNAME="server.example.com"
fi
SERVERSUBJ="/CN=/O=nxlog.org/C=HU/ST=state/L=location"
CERTDIR=.
openssl req -new -newkey rsa:2048 -nodes -keyout server-key.pem -out req.pem -batch -subj "$SERVERSUBJ" -config gencert.cnf
openssl x509 -req -days 1024 -in req.pem -CA ca-cert.pem -CAkey ca-key.pem -out server-cert.pem -set_serial 01 -extensions server_cert -extfile gencert.cnf
rm -f req.pem
openssl x509 -outform der -in server-cert.pem -out server-cert.crt
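Review bot: Line 27 `SERVERNAME = $1;` is not an assignment in sh (the spaces make the shell try to run a command named `SERVERNAME`), and line 31 never interpolates the variable anyway, so the server certificate is issued with an empty CN regardless of the argument. Change the two lines to `SERVERNAME=$1` and `SERVERSUBJ="/CN=$SERVERNAME/O=nxlog.org/C=HU/ST=state/L=location"`, and quote the test on line 26 as `if test "x$1" != x; then` so an argument containing spaces does not break it. The `[ server_cert ]` section in gencert.cnf adds no `subjectAltName`, so hostname matching by the forwarding clients can only fall back to the CN; if the Windows side rejects CN-only server certificates (worth confirming), add a `subjectAltName = DNS:$ENV::SERVERNAME` entry there and export `SERVERNAME` before the signing step. `CERTDIR=.` on line 32 is unused here as well.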
\ No newline at end of file
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 1 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # which md to use.
preserve = no # keep passed DN ordering
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = HU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, server
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ server_cert ]
basicConstraints=CA:FALSE
nsCertType = server
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
#crlDistributionPoints=URI:http://127.0.0.1/crl.pem
[ client_cert ]
basicConstraints=CA:FALSE
nsCertType = client
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsCertType = server, client
[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
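Review bot: The `[ v3_ca ]` section (lines 100–104) marks the CA only with a non-critical `basicConstraints = CA:true` and sets no `keyUsage`, whereas RFC 5280 requires basicConstraints in CA certificates to be critical and keyUsage to be present with keyCertSign; prefer `basicConstraints = critical, CA:true` and `keyUsage = critical, keyCertSign, cRLSign` so the CA key cannot be mistaken for a general-purpose key. The `[ ca ]` and `[ CA_default ]` sections (lines 39–47), including `default_days = 1` and `x509_extensions = usr_cert`, only apply to `openssl ca`, which none of the scripts in this commit invoke; either drop them or add a comment `# unused: the scripts sign with 'openssl x509 -req', not 'openssl ca'` so nobody reads `default_days = 1` as the effective lifetime. `string_mask = nombstr` is a legacy setting; `utf8only` is the recommended value for new configurations. `nsCertType` in the leaf sections is a Netscape-era extension that modern validators ignore; `keyUsage`/`extendedKeyUsage`, already present in `[ server_cert ]` and `[ client_cert ]`, are what matters.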