Graylog SSL Certificates

I’ve grabbed my own documentation and here’s what we do to make things work:

We generate the keypair and certificate on our CA. Input to this is a certificate request file that includes all wanted aliases and which has the flag to mark the key as exportable. The template in question “ClientServerExportablePrivate” ensures that the keypair can be used for both ServerAuth and ClientAuth and that the private key is exportable.

[Version]
signature="$Windows NT$"
[NewRequest]
Subject="CN=server314.corp.broehaha.nl,O=Broehaha"
HashAlgorithm=SHA256
KeyAlgorithm=RSA
KeyLength=2048
Exportable=True
MachineKeySet=True
[RequestAttributes]
CertificateTemplate="ClientServerExportablePrivate"
[Extensions]
2.5.29.17="{text}"
_continue_="dns=graylog.corp.broehaha.nl&"
_continue_="dns=graylog&"
_continue_="dns=server314.corp.broehaha.nl&"
_continue_="dns=server314&"
_continue_="dns=192.168.3.14&"
_continue_="ipaddress=192.168.3.14&"

This request is used to generate a keypair, after which the CSR is handled and the cert is signed. Now, with ADCS (the PKI I’m using) it’s a bit messy, but in the end I end up with two files: server314.cer and server314.pfx. The latter is a PFX exported package of certificate+keys (the PowerShell command to get this is Export-PfxCertificate).

Converting the PFX and cert is then a matter of three OpenSSL commands:

# 1. Convert the DER-encoded .cer exported by ADCS into a PEM certificate
openssl x509 -in .\server314-elastic.cer -outform pem -out .\server314-elastic.crt
# 2. Pull only the private key out of the PFX (prompts for the PFX password, then a new PEM passphrase)
openssl pkcs12 -in .\server314-elastic.pfx -nocerts -out .\server314-elastic.key
# 3. Re-encode that key as PKCS#8, the format Graylog expects (encrypted unless -nocrypt is given)
openssl pkcs8 -in .\server314-elastic.key -topk8 -out .\server314-elastic.pem

The resulting .PEM file needs to be edited with something like Notepad to take off any extraneous bits. There’s a bunch of metadata that gets added on, which must NOT be in the file. You must only have the BEGIN KEY and END KEY lines and everything in between.

The .PEM and .CRT files are then uploaded to the Linux box that runs Graylog. Over there, we do one more trick, which is dos2unix server314.crt; dos2unix server314.pem to make sure all the line endings are fine.

One last important step: we need to make sure that the Linux box trusts our CA’s certificate! Actually, you’ll need the whole chain, so both the root and any intermediaries… The process of making these trusted differs per distribution, on RHEL-derivatives it’s along these lines:

sudo cp /tmp/issuing-ca.crt /etc/pki/ca-trust/source/anchors/
sudo cp /tmp/root-ca.crt /etc/pki/ca-trust/source/anchors/
sudo cp /tmp/chain-ca.pem /etc/pki/ca-trust

cd /etc/pki/ca-trust
sudo chmod 644 /etc/pki/ca-trust/chain-ca.pem
sudo restorecon ./*

sudo update-ca-trust extract

The two individual certs are snagged by update-ca-trust to fix the system-wide trust. The “chain-ca.pem” file is a certificate chain of the two individual .CRTs, which can be used by Graylog as the trust store.
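The manual clean-up and the line-ending fix described above can be scripted, and it is worth verifying the result before pointing Graylog at it. The following is an added example, not the original poster's commands: `pem_clean` keeps only the BEGIN/END block of a PEM file and strips CR characters (what the Notepad edit plus dos2unix achieve), and `verify_pair` checks that the key and certificate belong together and that the certificate validates against the chain file. The file names server314.pem, server314.crt and chain-ca.pem are assumed from the post; the key is assumed to be unencrypted (i.e. converted with `-nocrypt`).

```shell
#!/bin/sh
# Added example (not from the original post). Assumed inputs:
#   server314.pem  - PKCS#8 private key (unencrypted)
#   server314.crt  - PEM certificate
#   chain-ca.pem   - root + issuing CA certificates, PEM, concatenated

# pem_clean: read a PEM file on stdin and print only the lines from
# "-----BEGIN ..." through "-----END ..." inclusive, with CRLF turned into LF.
# "Bag Attributes"/"Key Attributes" lines that openssl pkcs12 adds are dropped.
pem_clean() {
    tr -d '\r' | awk '
        /^-----BEGIN / { keep = 1 }
        keep           { print }
        /^-----END /   { keep = 0 }
    '
}

# verify_pair KEY CERT CHAIN: return 0 only if the public key inside CERT equals
# the public key derived from KEY and CERT verifies against CHAIN.
verify_pair() {
    key=$1; cert=$2; chain=$3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "key does not match certificate" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "certificate does not chain to the CA in $chain" >&2
        return 1
    fi
    return 0
}

# Usage: sh pemfix.sh server314.pem server314.crt chain-ca.pem
# Cleans each file in place, then verifies the trio.
if [ "$#" -eq 3 ]; then
    for f in "$1" "$2" "$3"; do
        pem_clean < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
    if verify_pair "$1" "$2" "$3"; then
        echo "OK: $1 matches $2 and $2 is trusted via $3"
    fi
fi
```

Run it from the directory holding the three files; a non-zero exit with "key does not match certificate" usually means the wrong PFX was exported, while "does not chain" means chain-ca.pem is missing the root or the issuing CA.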