What is this "previously copied Java keystore" they speak of in the Graylog docs?

Hey @log

Here are my notes on using HTTPS.

# Work in a dedicated directory; every file below is written relative to it.
mkdir /etc/ssl/certs/graylog/ && cd /etc/ssl/certs/graylog/
# Self-signed certificate (cert.pem, valid 1095 days) plus a new 2048-bit RSA key.
# -nodes leaves pkcs5-plain.pem unencrypted, so restrict who can read it
# (e.g. owner-only permissions). openssl-graylog.cnf must already exist in
# this directory; the page does not show its contents.
openssl req -x509 -days 1095 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
# Same key re-encoded as PKCS#8, still unencrypted (-nocrypt).
openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
# Same key as passphrase-protected PKCS#8. "pass:secret" puts the passphrase on
# the command line, where shell history and the process list can expose it;
# treat "secret" as a placeholder and prefer the interactive prompt.
openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret
# The next four commands use a second file-naming scheme (graylog.key/.crt/.csr)
# and overlap with each other.
# New unencrypted key plus a CSR for it.
openssl req -config openssl-graylog.cnf -out graylog.csr -new -newkey rsa:2048 -nodes -keyout graylog.key
# New key plus self-signed certificate. -keyout graylog.key overwrites the key
# written by the previous command, so the CSR above no longer matches it.
openssl req -x509 -sha512 -nodes -days 1095 -newkey rsa:2048 -config openssl-graylog.cnf -keyout graylog.key -out graylog.crt
# Regenerate the CSR from the current graylog.key.
openssl req -config openssl-graylog.cnf -out graylog.csr -key graylog.key -new
# Alternative: derive a CSR from the existing certificate; overwrites graylog.csr again.
openssl x509 -x509toreq -in graylog.crt -out graylog.csr -signkey graylog.key
# Bundle certificate and key into PKCS#12; openssl prompts for an export password.
openssl pkcs12 -export -in graylog.crt -inkey graylog.key -out keystore.pfx
# Extract only the certificate from the bundle.
openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
# Extract only the private key; prompts for the import password and a PEM passphrase.
openssl pkcs12 -in keystore.pfx -nocerts -out graylog-pkcs5.pem
# Convert the key to PKCS#8. Without -nocrypt the output is encrypted with a
# passphrase entered at the prompt; http_tls_key_password has to match it.
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem

# Add graylog.crt to graylog_keystore.jks as a trusted-certificate entry under
# the alias graylog.domain.com. Only the certificate is imported, no private key.
# -storepass on the command line can leak through shell history and the process
# list; "secret" is a placeholder value.
keytool -import -trustcacerts \
  -file graylog.crt \
  -alias graylog.domain.com \
  -keystore graylog_keystore.jks \
  -storepass secret

Check Certificates

# Print the full details of the graylog.domain.com entry (keytool prompts for the
# store password). Compare subject, validity dates and fingerprint with graylog.crt.
keytool -list -v \
  -keystore graylog_keystore.jks \
  -alias graylog.domain.com

# Convert the JKS store to PKCS#12 (keytool prompts for both store passwords).
# If graylog_keystore.jks was built with the keytool -import command on this
# page, it holds only a certificate entry, so keystore.p12 carries no private key.
keytool -importkeystore \
  -srckeystore graylog_keystore.jks \
  -destkeystore keystore.p12 \
  -deststoretype PKCS12

# Export the certificate as PEM; replaces any existing graylog-certificate.pem.
openssl pkcs12 \
  -in keystore.p12 \
  -nokeys \
  -out graylog-certificate.pem

# The private key still comes from graylog-pkcs5.pem created earlier. The output
# is passphrase-encrypted (no -nocrypt) and replaces any existing graylog-key.pem.
openssl pkcs8 \
  -in graylog-pkcs5.pem \
  -topk8 \
  -out graylog-key.pem

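# Copy the JVM's default trust store so the system-wide cacerts stays untouched.
# The source path belongs to one specific OpenJDK build; adjust it to the
# installed JRE. Despite its name, graylog-key.jks is a trust store (CA
# certificates), not a private-key store.
cp -a "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/security/cacerts" /etc/graylog/graylog-key.jks
# Add the self-signed certificate to that copy. The original note pointed
# -keystore at graylog.jks, which would create a new store containing only this
# certificate and none of the public CAs. "changeit" is the stock cacerts
# password; the note's "(secret)" presumably marks the author's own password,
# so use whichever the store actually has.
# NOTE(review): the JVM only consults this copy if it is started with
# -Djavax.net.ssl.trustStore pointing at it; the page does not show that step.
keytool -importcert -keystore /etc/graylog/graylog-key.jks -storepass changeit -alias graylog.domain.com -file cert.pem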

Graylog configuration file

# Address and port the Graylog HTTP interface listens on.
http_bind_address = graylog.domain.com:9000
# Public URL; its host name should match the name the certificate was issued for.
http_publish_uri = https://graylog.domain.com:9000/
# NOTE(review): CORS is not needed for TLS itself - confirm it is required here.
http_enable_cors = true
http_enable_tls = true
# The commands on this page write their output under /etc/ssl/certs/graylog/;
# the two files below have to be copied to /etc/graylog/ (or the paths adjusted)
# and must be readable by the account Graylog runs as.
http_tls_cert_file = /etc/graylog/graylog-certificate.pem
http_tls_key_file = /etc/graylog/graylog-key.pem
# Passphrase of the encrypted PKCS#8 key, stored in plain text: keep this file
# readable only by the Graylog service account. "secret" is a placeholder.
http_tls_key_password = secret

Here was a good post to get started with; it helped me understand what I needed to do.