@rishiloyola
Last active January 31, 2025 01:18

Revisions

  1. rishiloyola revised this gist Feb 27, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion gistfile1.txt
    @@ -45,7 +45,7 @@ $ openssl pkcs8 -topk8 -inform pem -in certs/devices/filebeat.key.pem -outform p

    * verify it
    ```
    $ curl -v --key certs/devices/filebeat-pkcs8.pem --cert certs/devices/filebeat.crt.pem --cacert certs/ca/root-ca.crt.pem https://logstash-prod.ipbdev.com:5044
    $ curl -v --key certs/devices/filebeat-pkcs8.pem --cert certs/devices/filebeat.crt.pem --cacert certs/ca/root-ca.crt.pem https://logstash-prod.xyz.com:5044
    ```
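
    Review bot: The old hostname `logstash-prod.ipbdev.com` on the `curl` verify line stays readable in this gist's revision history after the edit, so if it names a real host the revision alone does not withdraw it; recreating the gist would. Separately, 5044 is the conventional Beats input port and that input does not speak HTTP, so this command can only confirm the TLS handshake and certificate verification shown by `-v`, not an HTTP response. A sentence under "verify it" saying what a successful run looks like would save readers from treating the failed HTTP exchange as a TLS failure.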


  2. rishiloyola created this gist Feb 27, 2019.
    52 changes: 52 additions & 0 deletions gistfile1.txt
    @@ -0,0 +1,52 @@
    1. Generate new domain name for logstash server.

    For this tutorial
    domain name = logstash-prod.xyz.com
    ip = 1.2.3.4

    * Enter to following directory
    ```
    $ sudo mkdir /etc/pki
    $ cd /etc/pki
    ```

    * Generate CA and self-sign it.

    ```
    $ mkdir -p certs/{devices,client,ca,tmp}
    $ openssl genrsa -out certs/ca/root-ca.key.pem 2048
    $ openssl req -x509 -new -nodes -key certs/ca/root-ca.key.pem -days 9131 -out certs/ca/root-ca.crt.pem -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=logstash-prod.xyz.com"
    ```

    * Generate logstash certs

    ```
    $ openssl genrsa -out certs/devices/logstash.key.pem 2048
    $ openssl req -new -key certs/devices/logstash.key.pem -out certs/tmp/logstash.csr.pem -subj "/C=US/ST=Utah/L=Provo/O=ACME Service/CN=logstash-prod.xyz.com"
    $ openssl x509 -req -in certs/tmp/logstash.csr.pem -CA certs/ca/root-ca.crt.pem -CAkey certs/ca/root-ca.key.pem -CAcreateserial -out certs/devices/logstash.crt.pem -days 9131
    ```

    * Generate filebeat certs
    ```
    $ openssl genrsa -out certs/devices/filebeat.key.pem 2048
    $ openssl req -new -key certs/devices/filebeat.key.pem -out certs/tmp/filebeat.csr.pem -subj "/C=US/ST=Utah/L=Provo/O=ACME Service/CN=logstash-prod.xyz.com"
    $ openssl x509 -req -in certs/tmp/filebeat.csr.pem -CA certs/ca/root-ca.crt.pem -CAkey certs/ca/root-ca.key.pem -CAcreateserial -out certs/devices/filebeat.crt.pem -days 9131
    ```

    * convert private key to PKCS8 format
    ```
    $ openssl pkcs8 -topk8 -inform pem -in certs/devices/logstash.key.pem -outform pem -nocrypt -out certs/devices/logstash-pkcs8.pem
    $ openssl pkcs8 -topk8 -inform pem -in certs/devices/filebeat.key.pem -outform pem -nocrypt -out certs/devices/filebeat-pkcs8.pem
    ```
    * Give `777` file permission to all these certs

    * Restart logstash if you did it after starting logstash
    `$ cd /etc/deploy/docker-compose && sudo docker-compose down`

    * verify it
    ```
    $ curl -v --key certs/devices/filebeat-pkcs8.pem --cert certs/devices/filebeat.crt.pem --cacert certs/ca/root-ca.crt.pem https://logstash-prod.ipbdev.com:5044
    ```
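
    Review bot: The step "Give `777` file permission to all these certs" leaves every private key under `certs/`, including `certs/ca/root-ca.key.pem`, readable and writable by any local user, and since the PKCS8 keys are written with `-nocrypt` the file mode is their only protection. Suggest mode 0600 (or 0640 with a dedicated group) on the `*.key.pem` and `*-pkcs8.pem` files, owned by the account that runs the service, and 0644 on the `*.crt.pem` files. Smaller points in the same hunk: the filebeat certificate is issued with exactly the same subject as the logstash one (`O=ACME Service/CN=logstash-prod.xyz.com`) and the CA reuses that CN, so client, server and CA cannot be told apart by name; give each its own CN and put the server hostname in a subjectAltName, since current TLS clients check the hostname against SAN rather than CN. `-days 9131` is roughly 25 years for leaf certificates with no rotation step described. The "Restart logstash" step runs only `docker-compose down`, which stops the containers without starting them again. The verify URL uses `logstash-prod.ipbdev.com` although the tutorial declares `domain name = logstash-prod.xyz.com`.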