Creating Security Certificates for TLS Mutual Authentication

This section explains how to create self-signed security certificates for mutual authentication.

Notes:

  • Make sure to run the openssl commands on a third-party CA server (not on the log exporter device). The log exporter device must have connectivity to the CA server.

  • The commands are not supported on a Check Point Security Management Server or a Multi-Domain Server.

  1. Create a CA certificate.
    1. Generate the self-signed root CA key.
      openssl genrsa -out ca.key 2048
    2. Generate the root CA certificate file in the PEM format.
      openssl req -x509 -new -nodes -key ca.key -days 2048 -out ca.pem

      Enter the information regarding the certificate.

      This information is known as a Distinguished Name (DN).

      An important field in the DN is the Common Name (CN), which should be the exact Fully Qualified Domain Name (FQDN) of the host with which you intend to use the certificate.

      Apart from the Common Name, all other fields are optional and you can skip them.

      If you purchase an SSL certificate from a certificate authority, it is often required that these additional fields, such as "Organization", accurately reflect your organization's details.

      Best Practice - We recommend using the device IP address as the Common Name.

  2. Create a client certificate.
    1. Generate a client key.
      openssl genrsa -out cp_client.key 2048
    2. Generate a client certificate sign request.
      openssl req -new -key cp_client.key -out cp_client.csr
    3. Sign the certificate using the CA certificate files.
      openssl x509 -req -in cp_client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out cp_client.crt -days 2048 -sha256
    4. Convert the certificate to the P12 format.
      openssl pkcs12 -inkey cp_client.key -in cp_client.crt -export -out cp_client.p12
      Note:

      The challenge phrase (export password) entered during this conversion is required later in the cp_client TLS configuration; record it, because the P12 file cannot be opened without it.

  3. Create a server (target) certificate.
    1. Generate a server key.
      openssl genrsa -out server.key 2048
    2. Generate a server certificate sign request.
      openssl req -new -key server.key -out server.csr
    3. Sign the certificate using the CA certificate files.
      openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 2048 -sha256
    Note:

    Some SIEM applications require the server certificate to be in a specific format. For more information, refer to the SIEM Specific Instructions section (sk122323).