diff --git a/doc/_admin-guide/100_TLS-encrypted_message_transfer/002_Mutual_authentication_using_TLS/000_Configuring_mutual_TLS_client.md b/doc/_admin-guide/100_TLS-encrypted_message_transfer/002_Mutual_authentication_using_TLS/000_Configuring_mutual_TLS_client.md index a25b6015..7efe7e4d 100644 --- a/doc/_admin-guide/100_TLS-encrypted_message_transfer/002_Mutual_authentication_using_TLS/000_Configuring_mutual_TLS_client.md +++ b/doc/_admin-guide/100_TLS-encrypted_message_transfer/002_Mutual_authentication_using_TLS/000_Configuring_mutual_TLS_client.md 
@@ -17,28 +17,28 @@ syslog() driver): 1. Create an X.509 certificate for the {{ site.product.short_name }} client. 2. Copy the certificate (for example, client_cert.pem) and the - matching private key (for example, client.key) to the syslog-ng + matching private key (for example, client.key) to the {{ site.product.short_name }} client host, for example, into the /opt/syslog-ng/etc/syslog-ng/cert.d directory. The certificate must - be a valid X.509 certificate in PEM format. If you want to use a - password-protected key, see - Password-protected keys. + be a valid X.509 certificate in PEM format. The key must be in PEM format. + If you want to use a password-protected key, see Password-protected keys. -3. Copy the CA certificate of the Certificate Authority (for example, - cacert.pem) that issued the certificate of the {{ site.product.short_name }} server (or - the self-signed certificate of the {{ site.product.short_name }} server) to the - {{ site.product.short_name }} client hosts, for example, into the +3. Copy the CA certificate (for example, cacert.pem) of the Certificate + Authority that issued the certificate of the {{ site.product.short_name }} server + (or the self-signed certificate of the {{ site.product.short_name }} server) to the + {{ site.product.short_name }} client host, for example, into the /opt/syslog-ng/etc/syslog-ng/ca.d directory. - Issue the following command on the certificate: **openssl x509 - -noout -hash -in cacert.pem** The result is a hash (for example, + If you wish to use the ca-dir() option, instead of the ca-file(), in the + {{ site.product.short_name }} configuration file (step 4.) then + - issue the following command on the certificate:\ + `openssl x509 -noout -hash -in cacert.pem`\ + The result is a hash (for example, 6d2962a8), a series of alphanumeric characters based on the Distinguished Name of the certificate. 
- - Issue the following command to create a symbolic link to the + - issue the following command to create a symbolic link to the certificate that uses the hash returned by the previous command and - the **.0** suffix. - + the **.0** suffix:\ `ln -s cacert.pem 6d2962a8.0` 4. Add a destination statement to the {{ site.product.short_name }} configuration file that @@ -49,6 +49,9 @@ syslog() driver): Include the client\'s certificate and private key in the tls() options. + For the details of the available tls() options, see + TLS options. + Example: A destination statement using mutual authentication The following destination encrypts the log messages using TLS and diff --git a/doc/_admin-guide/100_TLS-encrypted_message_transfer/002_Mutual_authentication_using_TLS/001_Configuring_mutual_TLS_server.md b/doc/_admin-guide/100_TLS-encrypted_message_transfer/002_Mutual_authentication_using_TLS/001_Configuring_mutual_TLS_server.md index 876fe1f0..df88030f 100644 --- a/doc/_admin-guide/100_TLS-encrypted_message_transfer/002_Mutual_authentication_using_TLS/001_Configuring_mutual_TLS_server.md +++ b/doc/_admin-guide/100_TLS-encrypted_message_transfer/002_Mutual_authentication_using_TLS/001_Configuring_mutual_TLS_server.md 
@@ -11,38 +11,37 @@ Complete the following steps on the {{ site.product.short_name }} server: ## Steps -1. Copy the certificate (for example, syslog-ng.cert) of the syslog-ng - server to the {{ site.product.short_name }} server host, for example, into the +1. Create an X.509 certificate for the {{ site.product.short_name }} server. + +2. Copy the certificate (for example, syslog-ng.cert) and the + matching private key (for example, syslog-ng.key) to the {{ site.product.short_name }} + server host, for example, into the /opt/syslog-ng/etc/syslog-ng/cert.d directory. The certificate must - be a valid X.509 certificate in PEM format. + be a valid X.509 certificate in PEM format. The key must be in PEM format. + If you want to use a password-protected key, see Password-protected keys. -2. Copy the CA certificate (for example, cacert.pem) of the Certificate +3. Copy the CA certificate (for example, cacert.pem) of the Certificate Authority that issued the certificate of the {{ site.product.short_name }} clients to - the {{ site.product.short_name }} server, for example, into the + the {{ site.product.short_name }} server host, for example, into the /opt/syslog-ng/etc/syslog-ng/ca.d directory. - Issue the following command on the certificate: **openssl x509 - -noout -hash -in cacert.pem** The result is a hash (for example, + If you wish to use the ca-dir() option, instead of the ca-file(), in the + {{ site.product.short_name }} configuration file (step 4.) then + - issue the following command on the certificate:\ + `openssl x509 -noout -hash -in cacert.pem`\ + The result is a hash (for example, 6d2962a8), a series of alphanumeric characters based on the Distinguished Name of the certificate. - - Issue the following command to create a symbolic link to the + - issue the following command to create a symbolic link to the certificate that uses the hash returned by the previous command and - the **.0** suffix. - + the **.0** suffix:\ `ln -s cacert.pem 6d2962a8.0` -3. 
Copy the private key (for example, syslog-ng.key) matching the - certificate of the {{ site.product.short_name }} server to the {{ site.product.short_name }} server host, - for example, into the /opt/syslog-ng/etc/syslog-ng/key.d directory. - The key must be in PEM format. If you want to use a - password-protected key, see Password-protected keys. - 4. Add a source statement to the {{ site.product.short_name }} configuration file that uses the tls( key-file(key_file_fullpathname) cert-file(cert_file_fullpathname) ) option and specify the key and certificate files. The source must use the source driver (network() - or syslog()) matching the destination driver used by the syslog-ng + or syslog()) matching the destination driver used by the {{ site.product.short_name }} client. Also specify the directory storing the certificate of the CA that issued the client's certificate. @@ -52,7 +51,7 @@ Complete the following steps on the {{ site.product.short_name }} server: Example: A source statement using TLS The following source receives log messages encrypted using TLS, - arriving to the 1999/TCP port of any interface of the syslog-ng + arriving to the 1999/TCP port of any interface of the {{ site.product.short_name }} server. ```config
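Review bot: In the client hunk (@@ -17,28 +17,28 @@), the new ca-dir() sentence is left hanging: "If you wish to use the ca-dir() option, instead of the ca-file(), in the {{ site.product.short_name }} configuration file (step 4.) then" ends in "then" and the two actions follow as bullets, and the period inside the parentheses is stray. Suggest "If you want to use the ca-dir() option instead of ca-file() in the {{ site.product.short_name }} configuration file (see step 4), do the following:" and keep the two bullets. While here, "based on the Distinguished Name of the certificate" is more precise as "based on the subject Distinguished Name of the certificate", since that is what `openssl x509 -hash` computes. The same paragraph is duplicated verbatim in the server file (@@ -11,38 +11,37 @@); if the site supports includes, sharing it would keep the two copies from drifting.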
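Review bot: In the client hunk (@@ -49,6 +49,9 @@), the added "For the details of the available tls() options, see TLS options." names the target page as plain text with no link markup, and the same applies to "see Password-protected keys" in both step 2 rewrites. If the guide's convention is to link these cross-references, add the links here; otherwise the reader has to search for the page by title.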
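Review bot: In the server hunk (@@ -11,38 +11,37 @@), step 4 still reads "Also specify the directory storing the certificate of the CA that issued the client's certificate", but step 3 now presents ca-dir() as an optional alternative to ca-file(), so the two steps no longer agree. Suggest "Also specify the CA certificate that issued the client's certificate, either as a file with ca-file() or as a hashed directory with ca-dir()". Separately, the private key's location moves from the /opt/syslog-ng/etc/syslog-ng/key.d directory (removed step 3) to the cert.d directory (new step 2); please confirm the key-file() path in the example source statement further down still matches the directory named in step 2.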
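Review bot: In the server hunk (@@ -52,7 +51,7 @@), the touched line keeps "arriving to the 1999/TCP port of any interface"; since the line is being edited anyway, "arriving on TCP port 1999 of any interface" is the natural phrasing.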