Creating a Self-Signed Certificate for RPZ Logs
To create a self-signed certificate, do the following:
Step 1: Create a CA certificate:
openssl req -nodes -new -newkey rsa:2048 -x509 -keyout CA.key -out CA.cert -subj "/C=IN/ST=KA/L=Bglr/O=Infoblox/OU=Cloud/CN=*"
By default, the certificate will remain valid for one month. To modify this period, add the -days flag. In the example below, the flag specifies the period as one year:
openssl req -nodes -new -days 365 -newkey rsa:2048 -x509 -keyout CA.key -out CA.cert -subj "/C=IN/ST=KA/L=Bglr/O=Infoblox/OU=Cloud/CN=*"
Step 2: Create a key and CSR:
openssl req -batch -new -newkey rsa:2048 -nodes -keyout server.key -out rpz.csr -subj "/C=IN/ST=KA/L=Bglr/O=Infoblox/OU=SAAS/CN=*"
Step 3: Create the server certificate by signing the CSR with the CA certificate you created in step 1:
openssl x509 -in rpz.csr -out server.cert -CAkey CA.key -CA CA.cert -req -CAcreateserial
By default, the server certificate is good for one month. To modify this period, add the -days flag. In the example below, the flag specifies the period as one year:
openssl x509 -in rpz.csr -out server.cert -CAkey CA.key -CA CA.cert -req -CAcreateserial -days 365
Step 4: Combine the server certificate and its key into a single .pem file, which is the file you upload through the UI:
cat server.cert server.key > server.pem
Step 5: Use CA.cert on the NIOS appliance to configure the secure TCP connection.
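The five steps above as one POSIX shell function, followed by checks worth running on the result before uploading it: that server.cert chains to CA.cert, that server.key is the key for that certificate, and that the validity period is what you intended. This is an added example, not part of the Infoblox documentation; it assumes openssl is on PATH, takes the validity period as a parameter instead of hard-coding 365, and reuses the -subj values from the steps.

```shell
# Added example (not Infoblox's own script): the page's five steps as one
# function, plus verification of the generated files.
# Assumes openssl is on PATH; the -subj values are the ones the page uses.
set -eu

make_rpz_cert() {
    dir=$1; days=$2
    mkdir -p "$dir"
    # Step 1: self-signed CA; -days overrides the one-month default
    openssl req -nodes -new -days "$days" -newkey rsa:2048 -x509 \
        -keyout "$dir/CA.key" -out "$dir/CA.cert" \
        -subj "/C=IN/ST=KA/L=Bglr/O=Infoblox/OU=Cloud/CN=*" 2>/dev/null
    # Step 2: server key and CSR
    openssl req -batch -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/rpz.csr" \
        -subj "/C=IN/ST=KA/L=Bglr/O=Infoblox/OU=SAAS/CN=*" 2>/dev/null
    # Step 3: sign the CSR with the CA; -days again overrides the one-month default
    openssl x509 -req -in "$dir/rpz.csr" -CA "$dir/CA.cert" -CAkey "$dir/CA.key" \
        -CAcreateserial -days "$days" -out "$dir/server.cert" 2>/dev/null
    # Step 4: bundle certificate and key into the file the UI expects
    cat "$dir/server.cert" "$dir/server.key" > "$dir/server.pem"
}

# Returns 0 only if server.cert chains to CA.cert and the public key in
# server.cert is the one derived from server.key (catches a bundle whose
# cert and key came from different runs of the steps).
check_rpz_cert() {
    dir=$1
    openssl verify -CAfile "$dir/CA.cert" "$dir/server.cert" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/server.cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if server.cert is still valid the given number of days from now;
# use it to catch a certificate that was signed without -days.
cert_valid_for_days() {
    openssl x509 -in "$1/server.cert" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Typical run: make_rpz_cert ./rpz-certs 365 && check_rpz_cert ./rpz-certs \
#   && cert_valid_for_days ./rpz-certs 364 && echo "server.pem ready to upload"
```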
- For information on configuring RPZ logs in NIOS, see Managing RPZs.
- For information on SCP credentials for transferring DNS query logs, see Capturing DNS Queries and Responses.