Self-Signed SSL/TLS Certificates Creation

Overview

The following instructions outline the recommended steps for creating self-signed certificates for use in encrypting data sent to Onum (for example, via curl or via Falcon LogScale Collector).

They are useful in those cases where the Onum Team has not created mutual-authentication certificates and the customer still needs to encrypt connections from external sources to Onum (on-premise) or from on-premise sources to Onum (SaaS / Cloud).

Create the TLS Certificates

Requirements

  • To create your own SSL/TLS certificates, you will first need to have OpenSSL installed.

    • Visit the official site and check the most suitable installation procedure for your operating system. Click Open SSL Library > Downloads.

  • The procedure shown in this guide used OpenSSL version OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024).

  • Please make sure that your OpenSSL version is compatible with the commands and tools used here.

Create the Certification Authority (CA)

Subject Alternative Names (SANs) are generally not needed for a root CA certificate itself, as its primary role is to issue and sign other certificates, not to be validated by web browsers or other applications for its own identity. While SANs are crucial for end-entity certificates to list multiple domain names or IP addresses, applications that validate root and intermediate CA certificates typically ignore the SAN extension.

1. Log on to the system from which the connection will be made to Onum.

2. Create the private key of the CA; it will use RSA with 4096 bits. This private key will be stored in a file named onum_rootCA.key. To create it, run the command below:

openssl genrsa -out onum_rootCA.key 4096
3. This key is then used to sign the CA certificate, which will be stored in the file onum_rootCA.crt:

openssl req -x509 -new -nodes -key onum_rootCA.key -sha256 -days 1024 -subj "/C=US/ST=MA/L=Boston/O=Onum/OU=Sales/CN=Onum Root CA" -out onum_rootCA.crt

where:

  • -key is the name of the file that contains the private key previously generated.

  • -days determines the expiration date of the CA certificate, set by its duration in days.

  • -out is the output file that will contain the certificate.

The -subj value in the command above supplies the subject details for the onum_rootCA.crt file, so you are not prompted for them:

  • Country Name (2 letter code) (for example: US)

  • State or Province Name (full name) (for example: MA)

  • Locality Name (eg. city) (for example: Boston)

  • Organization Name (for example: Onum)

  • Organizational Unit Name (eg. section) (for example: Sales)

  • Common Name (eg server FQDN or YOUR name) (for example: Onum Root CA)

4. Save these files; they will be used to issue SSL/TLS certificates in the future:

  • onum_rootCA.crt

  • onum_rootCA.key

Create the SSL/TLS certificate (server.key, server.csr, server.crt)

Create Server Key

A "server key" primarily refers to the private key used by a server in an SSL/TLS connection. This private key is a crucial component for establishing secure communication and authenticating the server's identity.

To create it, type the following command:

openssl genrsa -out onum_server.key 4096

Create Server CSR

A "Server CSR, or Certificate Signing Request", is a file generated on your server containing your public key and information about your server's identity, like the domain name and organization.

To create it, type the following command:

openssl req -new -key onum_server.key -subj "/CN=<Onum DNS>" -out onum_server.csr

Create File to Append Needed Info (like subjectAltName value) to server.crt file

The Subject Alternative Name (SAN) is an extension in X.509 certificates that allows a single SSL/TLS certificate to secure multiple hostnames, IP addresses, or other identifiers. This means one certificate can be used for example.com, www.example.com, mail.example.com, and even IP addresses, eliminating the need for separate certificates for each.

This is the most secure, long-term solution, as matching on the Common Name (CN) field is deprecated. Modern security standards, like those used in Go, no longer rely on the CN for matching and require SANs for proper validation.

To create it, type the following command:

cat > server.ext <<-EOF
subjectAltName=DNS:<Onum DNS>,DNS:alias.prod.onum.com,IP:<Onum DNS IP>
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF

  • This will create a new file called server.ext

  • It will include the 3 lines of additional certificate information that are needed. Replace <Onum DNS> and <Onum DNS IP> with your Onum DNS name and IP address.

  • The EOF line terminates the input and writes the file.

  • When complete, type cat server.ext and verify that the file was created with the contents listed above.

Create Server Crt

A server.crt file contains a server's public SSL/TLS certificate, a digitally signed document from a trusted Certificate Authority (CA) (here, the root CA created above) that authenticates the server's identity to clients (like web browsers) and enables secure, encrypted connections. It includes the server's public key and identifies the organization or hostname it represents, allowing clients to verify the server's authenticity and establish a secure communication channel.

To create it, type the following command:

openssl x509 -req -in onum_server.csr -CA onum_rootCA.crt -CAkey onum_rootCA.key -CAcreateserial -out onum_server.crt -days 500 -sha256 -extfile server.ext

Verify the subjectAltName was added to the server.crt file

To do so, type the following command:

openssl x509 -in onum_server.crt -text -noout

Details from the server.crt should include an X509v3 extensions section with the Subject Alternative Name.

You now have the files needed to set up SSL/TLS on your services:

  • onum_rootCA.crt – CA certificate (aka "CA chain")

  • onum_server.key – private key of the server

  • onum_server.crt – server certificate
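The steps above, collected into one runnable script as an added example (this is not a script from the Onum page or from Onum; it wraps the same openssl commands in two POSIX sh functions). It assumes OpenSSL 1.1.1 or newer is on PATH, and the hostname and IP address you pass in are constructed placeholders rather than real Onum endpoints. Beyond the page's manual check with openssl x509 -text, check_certs also verifies the chain and hostname the way a TLS client would, and confirms that a name absent from the SAN is rejected, which is the practical consequence of the CN-versus-SAN point made earlier.

```shell
#!/bin/sh
# Added example, not from the Onum page: the page's openssl steps wrapped in
# two POSIX sh functions so the whole chain can be rebuilt in a scratch
# directory and then checked the way a TLS client would check it.
# Assumptions (not from the page): OpenSSL 1.1.1+ is on PATH; DNS_NAME and
# IP_ADDR are constructed placeholders, not real Onum endpoints.

# make_certs DIR DNS_NAME IP_ADDR
# Writes onum_rootCA.{key,crt}, onum_server.{key,csr,crt} and server.ext into DIR.
make_certs() {
    dir=$1; dns=$2; ip=$3
    mkdir -p "$dir"

    # Root CA: 4096-bit RSA key, then a self-signed certificate valid 1024 days.
    # No SAN is needed here; the root only signs other certificates.
    openssl genrsa -out "$dir/onum_rootCA.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/onum_rootCA.key" -sha256 -days 1024 \
        -subj "/C=US/ST=MA/L=Boston/O=Onum/OU=Sales/CN=Onum Root CA" \
        -out "$dir/onum_rootCA.crt"

    # Server key and CSR. The CN is informational; modern validators match the
    # SAN, which is added at signing time from server.ext.
    openssl genrsa -out "$dir/onum_server.key" 4096 2>/dev/null
    openssl req -new -key "$dir/onum_server.key" -subj "/CN=$dns" \
        -out "$dir/onum_server.csr"

    # Extension file: SAN entries plus key-usage limits for a TLS server.
    cat > "$dir/server.ext" <<EOF
subjectAltName=DNS:$dns,DNS:alias.prod.onum.com,IP:$ip
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF

    # Sign the CSR with the root CA for 500 days, copying the extensions in.
    openssl x509 -req -in "$dir/onum_server.csr" -CA "$dir/onum_rootCA.crt" \
        -CAkey "$dir/onum_rootCA.key" -CAcreateserial -out "$dir/onum_server.crt" \
        -days 500 -sha256 -extfile "$dir/server.ext"
}

# check_certs DIR DNS_NAME
# Exit 0 only if the server certificate chains to the CA, carries DNS_NAME in
# its SAN, passes hostname verification for DNS_NAME, and fails hostname
# verification for a name that is not in the SAN.
check_certs() {
    dir=$1; dns=$2
    openssl verify -CAfile "$dir/onum_rootCA.crt" -verify_hostname "$dns" \
        "$dir/onum_server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/onum_server.crt" -noout -text | grep -qF "DNS:$dns" || return 1
    if openssl verify -CAfile "$dir/onum_rootCA.crt" -verify_hostname "wrong.example.invalid" \
        "$dir/onum_server.crt" >/dev/null 2>&1; then
        return 1    # a name outside the SAN must not validate
    fi
    return 0
}

# Stand-alone use: sh this_script.sh run [DIR] [DNS_NAME] [IP_ADDR]
if [ "$1" = "run" ]; then
    make_certs "${2:-./onum-certs}" "${3:-onum.example.invalid}" "${4:-203.0.113.10}"
    if check_certs "${2:-./onum-certs}" "${3:-onum.example.invalid}"; then
        echo "server certificate chains to the CA and matches its SAN"
    else
        echo "verification failed" >&2; exit 1
    fi
fi
```

The chain check uses openssl verify with -verify_hostname, which applies the same SAN matching rules as a TLS client; if it fails for the name you intend to connect to, clients such as curl or the LogScale Collector will also refuse the connection.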
