19.17. Creating SSL Keys for Your Syslog-ng Server on Fedora

You want to set up a secure Syslog-ng server, and you know you need stunnel and OpenSSL to do this. OpenSSL on Fedora doesn't look like OpenSSL on any other Linux distribution—where is everything? No CA.sh or CA.pl, it uses the /etc/pki directory, and it just looks all weird. What do you do?

Calm down, because Fedora has a nice Makefile for creating your Public Key Infrastructure (PKI) for stunnel. In fact, it is very easy. Change to its directory, and run it with no options to see what it does:

	# cd /etc/pki/tls/certs
	# make
	This makefile allows you to create:
	 o public/private key pairs
	 o SSL certificate signing requests (CSRs)
	 o Self-signed SSL test certificates
	[...]

Create the server and one client certificate like this:

	# make syslogserver-xena.pem
	# make uberpc.pem

Use the fully qualified domain name of your server for the common name, or clients will emit complaints.

Open uberpc.pem and copy the public certificate, which is the bit between:

	-----BEGIN CERTIFICATE-----
	-----END CERTIFICATE-----

into a new file. You need to do this for every client—copy all of their public certificates into a single file on the Syslog-ng server, which in this recipe I call /etc/syslog-ng/clientkeys.

Now, you can copy Uberpc's keyfile into its permanent home:

	# scp uberpc.pem root@uberpc:/etc/syslog-ng/keys/

If you have disabled root logins over SSH, I shall leave it to your own ingenuity to figure out how to copy this file.

And do the same for the server:

	root@xena:/etc/syslog-ng# scp syslogserver-xena.pem keys/

Finally, protect the private keys by changing them to mode 0400, or read-only by the owner:

	# chmod 0400 uberpc.pem
	# chmod 0400 syslogserver-xena.pem

For every new client, follow these steps:

  • Create a new, unique keyfile

  • Copy the keyfile to the new client

  • Adjust the permissions

  • Copy the client's public certificate to the server

And that's all there is to it.
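As an added example (not from the book), here is a small POSIX shell helper that automates the "copy the public certificate" step for each client PEM produced by the Fedora Makefile, refuses to let the private key half of the file into the shared bundle, and checks the 0400 permission from the chmod step. The file names and the placeholder PEM contents are constructed for illustration; clientkeys is the server-side bundle the recipe describes.

```shell
#!/bin/sh
# Added example, not from the book: automate the "copy the public
# certificate" step for each client PEM that the Fedora Makefile produced.
# File names are constructed for illustration; clientkeys is the server-side
# bundle the recipe describes.

# Print only the certificate block of a combined stunnel PEM (key + cert).
# The PRIVATE KEY block is deliberately never matched, so it cannot leak
# into the shared bundle.
extract_cert() {
    awk '/^-----BEGIN CERTIFICATE-----$/ {p=1}
         p {print}
         /^-----END CERTIFICATE-----$/ {p=0}' "$1"
}

# Append the certificate in PEM $1 to bundle $2, skipping duplicates.
add_client_cert() {
    pem=$1; bundle=$2
    cert=$(extract_cert "$pem")
    [ -n "$cert" ] || { echo "no certificate block in $pem" >&2; return 1; }
    touch "$bundle"
    # Use the first base64 line of the cert as a cheap duplicate check.
    if grep -qxF "$(printf '%s\n' "$cert" | sed -n 2p)" "$bundle"; then
        echo "$pem: certificate already in $bundle" >&2
        return 0
    fi
    printf '%s\n' "$cert" >> "$bundle"
}

# Succeed only if the keyfile is mode 0400, as the recipe's chmod step requires.
key_mode_ok() {
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = 400 ]
}

# Build a constructed sample PEM in stunnel layout (placeholder bodies, not
# real key material) so the helpers can be exercised offline.
make_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYMATERIAL
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----
EOF
    chmod 0400 "$1"
}
```

On the server, run `add_client_cert uberpc.pem /etc/syslog-ng/clientkeys` once per client PEM; `key_mode_ok` is handy as a pre-flight check before copying a keyfile to its client.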

Of course, you have the option of not encrypting your Syslog-ng traffic; it will work fine without it. You know that it is trivially easy to sniff traffic on a network with commonly available tools, and any network with wireless access points is extra vulnerable, so leaving it in the clear is risky.

Fedora's keyfiles are created by the Makefile in the exactly correct format for stunnel, so you don't have to muck around like you do on Debian.