
Armand.nz


Logstash Authentication with SSL certificates

#linux #ELK

Basics

You need a common root CA certificate, which you then use to sign both the Logstash certificate and the certificates for Filebeat (or any other Beat). Logstash presents its certificate so the Beat can verify that it is talking to the real Logstash, and the Beat presents its own certificate so Logstash can verify that the connection comes from a known client (mutual TLS). Generating the certificates is only half of the job: the beats input in Logstash has to be pointed at ca.crt and told to require a client certificate (ssl_verify_mode => "force_peer"; newer versions of the beats input plugin call this ssl_client_authentication => "required"), otherwise Logstash never asks the client for a certificate and the Beat's certificate is never checked. Keep ca.key on the machine where you sign; it does not belong on either server.

Generate CA cert

openssl genrsa -out ca.key 2048
openssl req \
        -x509 \
        -new -nodes -key ca.key \
        -subj "/C=US/ST=Colorado/L=Denver/O=t3st/CN=www.t3st.org" \
        -sha256 -days 3650 \
        -out ca.crt

Generate logstash cert

Create a file with the following content and save it as logstash.conf:

Instead of DOMAIN_1 put the actual FQDN under which Logstash will be reachable later on. This is the name Filebeat checks against the certificate, so it has to appear in the SAN list and not only in commonName. If you want to use this cert on multiple machines, add their names too, otherwise just delete the DNS.x entries you don't need.

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName                     = US
stateOrProvinceName             = Colorado
localityName                    = Denver
postalCode                      = 8888
organizationName                = t3st
organizationalUnitName          = web
commonName                      = elk.t3st.org
emailAddress                    = [email protected]

[v3_req]
# digitalSignature is required for ECDHE cipher suites (the server signs the handshake);
# keyEncipherment covers legacy RSA key exchange. dataEncipherment is not used by TLS.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = DOMAIN_1
DNS.2 = DOMAIN_2
DNS.3 = DOMAIN_3
DNS.4 = DOMAIN_4

Now run

openssl genrsa -out logstash.key 2048
openssl req -sha512 -new -key logstash.key -out logstash.csr -config logstash.conf

The signing step needs a serial-number file. It holds the next serial to assign, and openssl increments it after each use. Every certificate a CA issues must carry a different serial, and none of them may collide with the CA's own serial, so do not seed the file with the serial of ca.crt. Seed it with a random value instead:

openssl rand -hex 8 > serial

(Alternatively, pass -CAcreateserial instead of -CAserial serial below and openssl creates and maintains ca.srl for you.) You can read the serial of any certificate later with

openssl x509 -in logstash.crt -noout -serial

Now you can use that to create and sign your logstash cert

openssl x509 \
        -days 3650 \
        -req -sha512 \
        -in logstash.csr \
        -CAserial serial \
        -CA ca.crt \
        -CAkey ca.key \
        -out logstash.crt \
        -extensions v3_req \
        -extfile logstash.conf

Generate beats cert

Now that the Logstash side is done, we need another certificate for the Beats, for example Filebeat. Its key, CSR and signed certificate are produced exactly as above, with beat.conf, beat.key, beat.csr and beat.crt in place of the logstash files (and the same serial file, so the serial differs from the Logstash certificate).

Create another file called beat.conf with the following content. Replace CLIENT_FQDN with the name of the host running the Beat; a client certificate should identify the client, not the Logstash host:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName                     = US
stateOrProvinceName             = Colorado
localityName                    = Denver
postalCode                      = 8888
organizationName                = t3st
organizationalUnitName          = web
commonName                      = CLIENT_FQDN
emailAddress                    = [email protected]

[v3_req]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# digitalSignature is what the client uses to prove possession of its key during the handshake
keyUsage = critical, digitalSignature, keyEncipherment
# clientAuth only: this certificate must not be usable to impersonate the Logstash server
extendedKeyUsage = clientAuth

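The steps above, from the CA through the Filebeat certificate, collected into one script. This is an added example and not the post's own commands: it writes the config files itself, uses placeholder names (t3st, elk.t3st.org, beat01.t3st.org) that you would replace with your own, lets openssl keep a serial file so every certificate gets a distinct serial, gives the Filebeat certificate clientAuth only, and finishes with the openssl verify checks worth running before anything is copied to the servers.

```shell
#!/bin/sh
# Added example, not code from the original post: the whole PKI from this
# article in one script, with a unique serial per certificate, the key usages
# modern TLS handshakes need, a clientAuth-only Filebeat cert, and checks run
# before anything is copied anywhere. t3st, elk.t3st.org, beat01.t3st.org are
# placeholder names.
set -eu

# make_pki DIR SERVER_FQDN CLIENT_NAME: writes ca.*, logstash.*, beat.* into DIR.
# The body is a subshell so the cd does not leak into the caller.
make_pki() (
  dir=$1 server_fqdn=$2 client_name=$3
  mkdir -p "$dir" && cd "$dir"
  # 1. Root CA. -config keeps the system openssl.cnf out of it, so the
  #    extensions listed here are exactly what ends up in ca.crt.
  cat > ca.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = t3st
CN = t3st Logstash CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -config ca.cnf -out ca.crt
  # 2. Logstash server cert. ECDHE handshakes need digitalSignature (the server
  #    signs the key exchange); keyEncipherment only covers legacy RSA key
  #    transport. The SAN must match the name Filebeat connects to.
  cat > logstash.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = t3st
CN = ${server_fqdn}
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${server_fqdn}
EOF
  openssl genrsa -out logstash.key 2048 2>/dev/null
  openssl req -new -sha256 -key logstash.key -config logstash.cnf -out logstash.csr
  # -CAcreateserial creates ca.srl on first use and increments it for every
  # certificate issued, so no two certs from this CA share a serial number.
  openssl x509 -req -sha256 -days 3650 -in logstash.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile logstash.cnf -extensions v3_req -out logstash.crt 2>/dev/null
  # 3. Filebeat client cert: clientAuth only, so a leaked beat.key cannot be
  #    turned around to impersonate the Logstash endpoint.
  cat > beat.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = t3st
CN = ${client_name}
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:${client_name}
EOF
  openssl genrsa -out beat.key 2048 2>/dev/null
  openssl req -new -sha256 -key beat.key -config beat.cnf -out beat.csr
  openssl x509 -req -sha256 -days 3650 -in beat.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile beat.cnf -extensions v3_req -out beat.crt 2>/dev/null
  chmod 600 ca.key logstash.key beat.key
)

# cert_serial FILE: hex serial of a certificate without the "serial=" prefix.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# check_pki DIR SERVER_FQDN: the checks worth running before the scp step.
# Exit status 0 only if every check passes.
check_pki() (
  cd "$1" &&
  openssl verify -CAfile ca.crt -purpose sslserver -verify_hostname "$2" logstash.crt >/dev/null &&
  openssl verify -CAfile ca.crt -purpose sslclient beat.crt >/dev/null &&
  ! openssl verify -CAfile ca.crt -purpose sslserver beat.crt >/dev/null 2>&1 &&
  [ "$(cert_serial ca.crt)" != "$(cert_serial logstash.crt)" ] &&
  [ "$(cert_serial logstash.crt)" != "$(cert_serial beat.crt)" ] &&
  [ "$(openssl x509 -in logstash.crt -noout -pubkey)" = "$(openssl pkey -in logstash.key -pubout)" ] &&
  [ "$(openssl x509 -in beat.crt -noout -pubkey)" = "$(openssl pkey -in beat.key -pubout)" ]
)

# Stand-alone usage: sh mkpki.sh ./pki elk.t3st.org beat01.t3st.org
if [ $# -eq 3 ]; then
  make_pki "$1" "$2" "$3"
  check_pki "$1" "$2" && echo "PKI in $1 passed all checks"
fi
```

check_pki fails if the chain, the hostname, the serials or the key-to-certificate match is wrong, and it also confirms that beat.crt is rejected when presented as a server certificate, which is the point of giving it clientAuth only.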
Move certs to ELK server and beats client

Only the two certificates, their private keys and ca.crt travel; ca.key stays on the machine you sign with. Once the files are in place, make the key files readable only by the logstash and filebeat users.

# scp cert and key to elk server
scp logstash.crt logstash.key [email protected]:/etc/logstash/ssl
scp ca.crt [email protected]:/etc/logstash/ssl
# scp cert and key to client server
scp beat.crt beat.key [email protected]:/etc/filebeat/
scp ca.crt [email protected]:/etc/filebeat

Copyright © Armand