  1. Prepare certificates.
    1. Generate root CA certificate.
      1. Edit information for root CA and save content as file rootCA_openssl.cnf.
        [ req ]
        distinguished_name = req_distinguished_name
        req_extensions = v3_req
         
        [ req_distinguished_name ]
        countryName = Country Name (2 letter code)
        countryName_default = US
        stateOrProvinceName = State or Province Name (full name)
        stateOrProvinceName_default = OR
        organizationName = Organization Name (eg, company)
        organizationName_default = TrendMicro
        commonName = Common Name
        commonName_default = ssl-ca-cert
         
        [ v3_req ]
        basicConstraints = CA:true
        keyUsage = critical, keyCertSign

        The root CA private key is used to sign the root CA certificate.

      2. Generate the root CA private key. Enter a passphrase when prompted.

        openssl genrsa -aes256 -out rootCA.key 2048

      3. Create a CSR (Certificate Signing Request) file for root CA certificate.
      4. Enter the passphrase for rootCA.key you just specified.

        openssl req -new -key rootCA.key -out rootCA.csr -config rootCA_openssl.cnf

      5. Generate root CA certificate file rootCA.pem.

        openssl x509 -req -in rootCA.csr -sha512 -signkey rootCA.key -out rootCA.pem -days 1095 -extensions v3_req -extfile rootCA_openssl.cnf

    2. Generate certificate for Server.
      1. Edit information for the server and save content as file server_openssl.cnf.
      2. Under section alt_names:
        • If you are signing a certificate for IP address only, remove the line "DNS.1".
        • If you are signing a certificate for domain only, remove the line "IP.1". For wildcard domain, use *.example.com as value.
        • You may keep both lines to sign certificate for both IP address and domain.
        [ req ]
        distinguished_name = req_distinguished_name
        req_extensions = v3_req
         
        [ req_distinguished_name ]
        countryName = Country Name (2 letter code)
        countryName_default = US
        stateOrProvinceName = State or Province Name (full name)
        stateOrProvinceName_default = OR
        localityName = Locality Name (eg, city)
        localityName_default = Portland
        organizationName = Organization Name (eg, company)
        organizationName_default = TrendMicro
        commonName = Common Name
        commonName_default = ssl-server-cert
        commonName_max = 64
         
        [ v3_req ]
        basicConstraints = CA:FALSE
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        subjectAltName = @alt_names
         
        [ alt_names ]
        IP.1 = 127.0.0.1
        DNS.1 = localhost

        The server private key is used to create the CSR for the server certificate.

      3. Generate the server private key. Enter a passphrase when prompted.

        openssl genrsa -aes256 -out server.key 2048

      4. Create a CSR (Certificate Signing Request) file for server certificate.
      5. Enter the passphrase for server.key you just specified.

        openssl req -new -key server.key -out server.csr -config server_openssl.cnf

      6. Generate server certificate file server.pem, signed by the root CA.

        openssl x509 -req -in server.csr -sha256 -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.pem -days 1095 -extensions v3_req -extfile server_openssl.cnf

    3. Verify server certificate against root CA certificate.
      1. Run the following command:

        openssl verify -verbose -CAfile rootCA.pem server.pem

      2. You should see this message if verification succeeds.

        server.pem: OK

      3. If you see an error message like the one shown below, check your certificates and make sure the Common Name value is different in rootCA.pem and server.pem.

        error 20 at 0 depth lookup: unable to get local issuer certificate
        error server.pem: verification failed

    4. Client Certificate

      Usually, a client certificate is unnecessary unless you enforce mutual TLS verification for the traffic between the Syslog server and the Trend Vision One server. Signing a client certificate is similar to the previous section, "Generate certificate for Server".
      To enable the client certificate:

      1. Go to Third-Party Integration > Syslog Server Connection on the Trend Vision One console.
      2. Select the "Server requires client authentication" option.
      3. Upload the client certificate file.
      4. Enter the passphrase for the client certificate.
  2. Configure certificates.
    1. Configure Server Certificate in Splunk.

      For more information, refer to the Splunk article, Securing Splunk Enterprise.

      1. Combine the server certificate and the server private key into one file with the following command:

        cat server.pem server.key > server_bundle.pem

      2. Configure the sslConfig section in the Splunk configuration file, for example /opt/splunk/etc/system/local/server.conf.

        [sslConfig]
        sslRootCAPath = $SPLUNK_HOME/cert/rootCA.pem
        sslPassword = 123456
        serverCert = $SPLUNK_HOME/cert/server_bundle.pem

    2. Upload Root CA Certificate.
      Navigate to the Syslog Connector > Use CA certificate section and upload rootCA.pem, so that Trend Vision One can verify the SSL connection to your Syslog server.
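
The checks from "Verify server certificate against root CA certificate", extended into a script to run before the files are configured in Splunk and uploaded. This is an added example, not part of the original article: the function name `check_server_cert` and the 30-day expiry threshold are assumptions, and the subjectAltName comparison is an exact match that does not expand wildcard entries.

```shell
#!/usr/bin/env bash
# Added example (not from the original article).
# Usage: check_server_cert <rootCA.pem> <server.pem> <syslog-host-or-ip>

check_server_cert() {
  ca=$1 cert=$2 name=$3 rc=0
  fail() { echo "FAIL: $1" >&2; rc=1; }

  # Same check as the article's "openssl verify" step.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    fail "$cert does not chain to $ca"

  # The article's hint for error 20: the two subjects must differ.
  [ "$(openssl x509 -in "$ca" -noout -subject)" != \
    "$(openssl x509 -in "$cert" -noout -subject)" ] ||
    fail "server certificate has the same subject as the root CA"

  text=$(openssl x509 -in "$cert" -noout -text) ||
    { fail "cannot parse $cert"; return 1; }

  # server_openssl.cnf sets basicConstraints = CA:FALSE.
  printf '%s\n' "$text" | grep -q 'CA:FALSE' ||
    fail "server certificate is not marked CA:FALSE"

  # The address the client connects to must be listed in [ alt_names ].
  # Exact match only: a wildcard entry is not expanded here.
  san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed 's/^ *//')
  printf '%s\n' "$san" | grep -Fxq -e "DNS:$name" -e "IP Address:$name" ||
    fail "$name is not in subjectAltName"

  # 2592000 seconds = 30 days (assumed threshold).
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
    fail "server certificate is expired or expires within 30 days"

  return "$rc"
}

# Run the checks when called with the three arguments.
if [ "$#" -eq 3 ]; then check_server_cert "$@"; fi
```

The function returns non-zero and prints one `FAIL:` line per problem on stderr, so it can gate a deployment script.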