Dear Roman,

Technically, the GnuTLS and OpenSSL APIs do support loading multiple CA
certificates from one file. I have not tested this, but you can combine all 3
root CA certificates into one file; it should work.

For example:

        cat intermediateCA_1.crt intermediateCA_2.crt rootCA.crt > rootCA_and_all_intermediateCA.pem

        $DefaultNetstreamDriver gtls
        $DefaultNetstreamDriverCAFile /etc/pki/rsyslog/rootCA_and_all_intermediateCA.pem
        $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rsyslogServer.crt
        $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/rsyslogServer.key

Best regards,
Andre Lorbach
--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Geschäftsführer/President: Rainer Gerhards Reg.-Gericht Mannheim, HRB
560610
Ust.-IDNr.: DE 81 22 04 622
Web: www.adiscon.com - Mail: i...@adiscon.com

Information regarding our data privacy policy can be found here:
https://www.adiscon.com/data-privacy-policy/

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient or have received this e-mail in error please
notify the sender immediately and delete this e-mail. Any unauthorized
copying, disclosure or distribution of the material in this e-mail is
strictly forbidden.
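The following script is an added example, not code from this mailing-list thread or from the rsyslog project. It rebuilds the PKI from the diagram in Roman's message (one root, two intermediates, a log-source certificate under each) with the openssl command-line tool, writes both the old CA file (root + intermediate CA-1) and the combined one Andre suggests, and uses `openssl verify` to show that only the combined file validates certificates from both intermediates. All CA and file names are constructed for the demo, the script assumes openssl 1.1.1 or newer is installed, and it only writes inside the directory handed to `run_demo`.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from rsyslog): build the
# combined CAFile Andre describes and check with "openssl verify" that leaf
# certificates from either intermediate CA validate against it, while the
# old file (root + intermediate CA-1 only) rejects intermediate CA-2 leaves.
# Names and paths are constructed for the demo; everything is written inside
# the directory passed to run_demo.
set -eu

# issue NAME ISSUER [ca]: create a key and certificate for NAME.
# ISSUER "self" produces a self-signed root; a third argument "ca" marks the
# certificate as a CA, otherwise it is an end-entity (log source) certificate.
issue() {
  name=$1 issuer=$2 kind=${3:-leaf}
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$name.key" 2>/dev/null
  openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr" 2>/dev/null
  if [ "$kind" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$name.ext"
  else
    printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > "$name.ext"
  fi
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
      -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 30 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  fi
}

# count_certs FILE: number of PEM certificates in a bundle, a quick sanity
# check that the concatenated CAFile really contains every CA you expect.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verifies CAFILE CERT: succeeds when openssl can build a valid chain for CERT
# using only the certificates in CAFILE. The "OK" verdict is checked instead
# of the exit status because older openssl releases always exited 0.
verifies() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# run_demo DIR: build the PKI from the diagram inside DIR and compare the old
# and the combined CAFile. Returns 0 only when every expectation holds.
run_demo() {
  cd "$1"
  issue rootCA self ca
  issue intermediateCA_1 rootCA ca
  issue intermediateCA_2 rootCA ca
  issue logsource_1 intermediateCA_1    # log source certified by Intermediate CA-1
  issue logsource_2 intermediateCA_2    # log source certified by Intermediate CA-2

  # The CAFile used so far: root plus intermediate CA-1 only.
  cat rootCA.crt intermediateCA_1.crt > rootCA_and_intermediateCA-1.pem
  # The suggested fix: all intermediates plus the root in a single file.
  cat intermediateCA_1.crt intermediateCA_2.crt rootCA.crt > rootCA_and_all_intermediateCA.pem

  verifies rootCA_and_intermediateCA-1.pem logsource_1.crt   || return 1  # worked before
  ! verifies rootCA_and_intermediateCA-1.pem logsource_2.crt || return 1  # the reported failure
  verifies rootCA_and_all_intermediateCA.pem logsource_1.crt || return 1
  verifies rootCA_and_all_intermediateCA.pem logsource_2.crt || return 1  # fixed by the bundle
  echo "combined CAFile accepts certificates from both intermediate CAs"
}

workdir=$(mktemp -d)
run_demo "$workdir"
```

`openssl verify` only exercises chain building against the file contents; rsyslog's own stream driver authentication mode (anon, x509/certvalid, x509/name with permitted peers) still decides which validated peers are accepted, so after swapping in the combined CAFile the `openssl s_client -connect localhost:6514` test from the original message remains the end-to-end check.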

> -----Original Message-----
> From: rsyslog <rsyslog-boun...@lists.adiscon.com> On Behalf Of Roman
> Möller via rsyslog
> Sent: Montag, 31. Juli 2023 18:18
> To: rsyslog@lists.adiscon.com
> Cc: Roman Möller <roman.moel...@eviden.com>
> Subject: [rsyslog] Support for multiple certificate chains (TLS)
>
> Hello subscribers,
> We are using rsyslog with TLS to collect transport-encrypted logs from
> different log sources.
> The certificates used are generated by our company CA for the rsyslog
> server, but also for the log sources.
>
> I have used these settings until now (the file name gives a hint about the content):
>
>     $DefaultNetstreamDriver gtls
>     $DefaultNetstreamDriverCAFile /etc/pki/rsyslog/rootCA_and_intermediateCA-1.pem
>     $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rsyslogServer_and_intermediateCA-1.crt
>     $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/rsyslogServer.key
>
> And the reception of logs worked pretty well so far.
>
> Now we have a new intermediate CA and the certificate chains look like this:
>
>                         +---------+
>                         | Root-CA |
>                         +---------+
>                              |
>                 +------------+------------+
>                 |                         |
>                 v                         v
>       +-------------------+     +-------------------+
>       | Intermediate CA-1 |     | Intermediate CA-2 |
>       +-------------------+     +-------------------+
>                 |                         |
>                 v                         v
>   +---------------------------+   +--------------------------+
>   | Generated the certificate |   | Generated certificates   |
>   | for the rsyslog Server    |   | for yet other logsources |
>   | but also for other        |   +--------------------------+
>   | logsources                |
>   +---------------------------+
>
> Our rsyslog server is not able to accept syslog-TLS encrypted traffic from
> log sources which have a certificate from Intermediate CA-2.
> A test with openssl s_client -connect localhost:6514 shows that the system
> only accepts certificates which originate from Intermediate CA-1.
>
> We are using rsyslogd 8.2102.0-10.el8 (aka 2021.02) at the moment.
>
> Is it somehow possible to configure the acceptance of certificates from
> both Intermediate CAs, or is this simply not possible with one instance of
> rsyslog?
>
> Kind regards and thanks in advance,
> Roman Möller (He/His)
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control.
PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.