6.3 Creating a Root Certificate for the Secure Logging Server

The certificate key pair used by the Secure Logging Server is the logging system's Certificate Authority (CA); that is, it is the trusted root certificate used to validate all other Identity Audit logging application certificates. By default, this certificate is self-signed, but you can instead use a certificate signed by a third-party CA.

The following sections review the process required to generate a self-signed root certificate and how to use a third-party root certificate for the Secure Logging Server.

6.3.1 Creating a Self-Signed Root Certificate for the Secure Logging Server

To generate a self-signed root certificate for the Secure Logging Server by using the internal Identity Audit CA, use the following AudCGen command:

audcgen ss [-cacert:filename] [-capkey:filename] [-bits:number] [-f]

For example:

audcgen ss -cacert:slscert.pem -capkey:slspkey.pem -bits:512 -f

The -ss parameter creates a self-signed root certificate that can then be used to generate the certificate key pair for each logging application. For more information on generating the key pair, see Creating Logging Application Certificates.

6.3.2 Using a Third-Party Root Certificate for the Secure Logging Server

To use a certificate signed by a third-party CA, you must do the following:

  1. Use AudCGen to generate a CSR that can be signed by a third-party CA:

    The command syntax is as follows:

    audcgen csr [-csrfile:filename] [-csrpkey:filename] [-bits:RSA_key_size]

    For example:

    audcgen csr -bits:512 -csrfile:slscsr.pem -csrpkey:slspkey.pem

    For more information, see Section 6.2, The Identity Audit AudCGen Utility.

  2. Take the slscsr.pem file and submit it to a third-party CA for signature, or sign it by using your internal certificate server.

    IMPORTANT: The Identity Audit Secure Logging Server requires two Base64-encoded .pem files: one for the public certificate and one for the private key. Some CAs might generate files that require additional conversion steps.

  3. Configure the Secure Logging Certificate File and Secure PrivateKey File attributes on the Logging Server object to enable the Secure Logging Server to use the third-party certificate and private key.

    For more information, see Logging Server Object Attributes in the Novell Audit 2.0 Administration Guide.

  4. Use the Secure Logging Server’s third-party certificate to generate the certificate key pair for each logging application.

    For more information on this procedure, see Creating Logging Application Certificates.

    IMPORTANT: If you use a third-party certificate, your logging applications can no longer communicate with the Secure Logging Server by using their default certificates. You must create a new certificate key pair for each logging application by using AudCGen and the new root certificate key pair.
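A check worth running between steps 2 and 3 above, as an added example that is not part of the Novell documentation or of AudCGen: it confirms that the files a CA returns are each a single Base64 PEM block with the label the Secure Logging Server expects (one certificate, one private key), and converts a binary DER file to PEM when a CA hands one back instead. The accepted labels, the function names and the constructed sample bytes are assumptions, not values from the page.

```python
# Added example (not Novell/AudCGen code): checks for the two PEM files the
# Secure Logging Server reads, plus DER-to-PEM conversion for CA output.
import base64
import binascii
import re

# Assumed labels for the two files; "PRIVATE KEY" covers PKCS#8 keys.
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der)] per PEM block; der is None when the body is
    not valid Base64 or does not decode to a DER SEQUENCE (tag 0x30)."""
    blocks = []
    for label, body in _PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            der = None
        if der is not None and (len(der) == 0 or der[0] != 0x30):
            der = None
        blocks.append((label, der))
    return blocks


def check_pair(cert_text, key_text):
    """Return a list of problems; an empty list means the pair looks usable."""
    problems = []
    certs, keys = pem_blocks(cert_text), pem_blocks(key_text)
    if len(certs) != 1 or certs[0][0] not in CERT_LABELS or certs[0][1] is None:
        problems.append("certificate file: need exactly one valid CERTIFICATE block")
    if len(keys) != 1 or keys[0][0] not in KEY_LABELS or keys[0][1] is None:
        problems.append("key file: need exactly one valid Base64 private key block")
    if any(label in KEY_LABELS for label, _ in certs):
        problems.append("certificate file also carries a private key: split it")
    return problems


def der_to_pem(der, label):
    """Wrap binary DER (as some CAs return it) in a 64-column PEM block."""
    if not der or der[0] != 0x30:
        raise ValueError("input is not DER: no leading SEQUENCE tag")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)
```

This checks encoding and labels only; it does not prove the key belongs to the certificate. For that, compare the output of `openssl x509 -noout -modulus -in <cert.pem>` with `openssl rsa -noout -modulus -in <key.pem>` before setting the Logging Server object attributes.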