How to Generate a Custom TLS Certificate For Your Alert Source Configuration

Issue

We have configured our Alert Source in Red Canary and have decided on which ingest method we will use.  Our configuration requires a custom TLS server certificate in order to encrypt the Alert Source's connection.  

Environment

Red Canary Alerts

Resolution

Generate your own custom Server and Client certificates using OpenSSL. 

OpenSSL is an open-source command line tool that is commonly used to generate SSL/TLS certificates.  It is also a general-purpose cryptography library used by developers to secure applications. 

Before you can run the OpenSSL commands to generate your certificate, you first need to install the OpenSSL command line application.  The process of installing OpenSSL is beyond the scope of this article.  However, if you need to install OpenSSL please review the OpenSSL Quick Install Guide

Or, if you have a Mac, you already have OpenSSL installed. Specifically LibreSSL.  To See the version of OpenSSL you have installed, run the following from the macOS Terminal:

• openssl version

NOTE: When you generate your own TLS Certificates, you are playing the role of both the requestor and the Certificate Authority.  The steps are broken down as follows:

Generate the Certificate Authority (CA) Key (This will be used to sign your Server and Client Certificate Signing Requests).

• Run the following to generate a Certificate Authority (CA) Private Key (ca.key):
  openssl ecparam -name prime256v1 -genkey -noout -out ca.key
• Next, run this to generate the Certificate Authority Certificate (ca.crt):
  openssl req -new -x509 -sha256 -days 7300 -key ca.key -out ca.crt 
  • NOTE: the "-days 7300" option should match whatever your internal certificate expiration requirements are. 

Generate the Server Private Key, Server CSR, and Server Certificate

• Generate the Server Certificate Private Key (server.key):
  openssl ecparam -name prime256v1 -genkey -noout -out server.key
• Generate the Server Certificate Signing Request (server.csr):
  openssl req -new -sha256 -key server.key -out server.csr
• Generate the Server Certificate (server.crt):
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 7300 -sha256

Generate the Client Private Key, Client CSR, and Client Certificate

• Generate the Client Certificate Private Key (client1.key):
  openssl ecparam -name prime256v1 -genkey -noout -out client1.key
• Create the Client Certificate Signing Request (client1.csr):
  openssl req -new -sha256 -key client1.key -out client1.csr
• Generate the Client Certificate (client1.crt):
  openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 7300 -sha256

Once the Certificate files have been generated, you will need to upload the Server certificate (chain) files to your Alert Source configuration. 

Specifically, you will need the Server.crt, Ca.crt, and Server.key files for your Alert Source TLS certificate configuration. 

Next, go to the Alert Source page in your Red Canary and open your Alert Source configuration. 

Check the box next to where it says "Use custom TLS server certificate for ingest over TLS?" 

• Upload the Server.crt file to the section that says "Upload a certificate file (PEM or DER)."
• Upload the Server.key file to the section that says "Upload the corresponding private key file." 
• Upload the Ca.crt file to the section that says "Upload the CA certificate corresponding to your certificate (PEM or DER)

The end result should look like this: 

Finally, you will need to upload the Client certificate files onto your Alert Source (i.e the device or application you have configured to ship logs to Red Canary).  

Once the certificate files have been uploaded and saved to your Alert Source and to the Alert Source configuration in Red Canary, you should start to see alerts come in within minutes. 

If you do not see alerts populating in your External Alerts page, there may still be some misconfiguration with your Alert Source or perhaps even with the certificate configuration. 

IMPORTANT: the specifics of the certificate configuration are dependent upon the Alert Source platform.  Be sure to consult the support documentation for your Alert Source before you configure the certificate settings.  For example, some devices may require the Server certificate files to be uploaded rather than the Client certificate files.