SSL certificate renewal


#1

I currently have SSL working between Winlogbeat 6.1.1 on a Windows 10 x64 computer and logstash 6.1.1 running on CentOS 7.

The way I set it up was to request a new certificate from the local computer certificate store and then export that to a pfx. I then used openssl to split the certificates out and copy them to the winlogbeat directory. For additional security I changed the permissions on the private key so that only SYSTEM can access it.

Both certificates are signed by our enterprise CA.

My question to those who have this setup - how do you handle renewal?

Renewing 1 or 2 manually would not be a big deal but we are discussing monitoring about 300-400 workstations. Obviously computer certificates can be easily auto-renewed via group policy. The problem is exporting them and changing permissions. In theory, a logon script could be written to check the certificate and when it is renewed, export it and run the appropriate openssl commands to split it out. This, however, would require openssl to be on every windows workstation and I have never had good luck running openssl under windows.

I just wondered how other people were handling this issue to see if there was a better way. Any tips would be appreciated.


(Andrew Kroh) #2

How did you deploy the Beat to each of the workstations? This sounds like a task where a CM tool such as Ansible would work well.


#3

We are still in the testing phase so they haven't been deployed yet. When we do that, we will use Desktop Central by ManageEngine. Deploying the beat is the easy part. Getting all the unique certificates in place is the tough part. Desktop Central doesn't manage certificates.


(Steffen Siering) #4

When updating certificates, you have to restart the beat. So as not to have to update all machines if a server certificate is updated, use a proper CA chain. Then beats don't need to be restarted during an update, only the service beats publishes to (beats will automatically reconnect).

For client certificates, you will have to restart the beat. I have no idea about ManageEngine or Windows though. In case ManageEngine cannot restart the beat on certificate update, I would try to bundle them into one update package (which would give you one package per Windows host, though). Whenever one is updated (filebeat binary, config, certificate), filebeat will be restarted. That is, I'd treat the certificate file the exact same way the config file is managed. If you add a timestamp to your certificate file, you will be forced to push a filebeat config update as well.
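
An added example, not from the thread, of the logon or scheduled script sketched in the first post: it exports the renewed machine certificate and key from the Windows store as PEM using PowerShell 7 alone (no openssl on the workstation), restricts the key file to SYSTEM, and restarts the beat only when the thumbprint has changed, which is the restart Steffen's reply says client certificates require. The winlogbeat path, the CA name and an exportable private key are assumptions.

```powershell
# Added example, not from the thread. Runs as SYSTEM (scheduled task or logon
# script) under PowerShell 7; the paths, the CA name and an exportable private
# key are assumptions to adjust for your environment.
$BeatDir   = 'C:\Program Files\Winlogbeat'          # assumed install location
$CaName    = 'CN=Corp Issuing CA'                   # assumed enterprise CA name
$CertPem   = Join-Path $BeatDir 'winlogbeat.crt'
$KeyPem    = Join-Path $BeatDir 'winlogbeat.key'
$StampFile = Join-Path $BeatDir 'winlogbeat.thumbprint'

function ConvertTo-Pem([byte[]]$Der, [string]$Label) {
    # Wrap DER bytes as PEM: 64-character Base64 lines between BEGIN/END markers
    $body = [regex]::Replace([Convert]::ToBase64String($Der), '.{1,64}', "`$0`n")
    return "-----BEGIN $Label-----`n$body-----END $Label-----`n"
}

# Newest unexpired machine certificate from our CA that has a private key
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.Issuer -like "*$CaName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate from $CaName in LocalMachine\My" }

# Skip the export and the restart when the files already match this certificate
$last = if (Test-Path $StampFile) { "$(Get-Content -Path $StampFile -Raw)".Trim() } else { '' }
if ($last -eq $cert.Thumbprint) { return }

# Certificate: DER from the store, wrapped as PEM (no openssl involved)
$certDer = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
Set-Content -Path $CertPem -Value (ConvertTo-Pem $certDer 'CERTIFICATE') -NoNewline

# Private key as PKCS#8 PEM; needs .NET Core 3+ (PowerShell 7) and an exportable key
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
Set-Content -Path $KeyPem -Value (ConvertTo-Pem $rsa.ExportPkcs8PrivateKey() 'PRIVATE KEY') -NoNewline

# Key readable by SYSTEM only: drop inherited ACEs, then grant SYSTEM alone
$acl = Get-Acl -Path $KeyPem
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'NT AUTHORITY\SYSTEM', 'FullControl', 'Allow'))
Set-Acl -Path $KeyPem -AclObject $acl

Set-Content -Path $StampFile -Value $cert.Thumbprint
# Beats only pick up a new client certificate on restart
Restart-Service -Name winlogbeat
```

Point `ssl.certificate` and `ssl.key` in winlogbeat.yml at the two PEM files; if the key is not exportable the `ExportPkcs8PrivateKey()` call throws, which is the place to check the template's key settings.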
