Logger GUI Certificate with SHA256withRSA as Signing Algorithm

Document created by jcruz on Feb 5, 2015

If you are familiar with this topic you know that SHA-1 will be treated as a deprecated hash algorithm by 2016 by most recent web browsers. Unfortunately, the Logger GUI certificate that comes by default has SHA1withRSA as its signing algorithm, as does any other certificate you generate in the System Admin tab of this device. It would be nice if you could choose the signing algorithm, but unfortunately you can't.


So I decided to dig a little into this (btw, as I did for ArcSight Express: Manager certificates without MD5withRSA as signing algorithm). Here is the procedure you need to follow if you want to generate a certificate with a decent signing algorithm (SHA256withRSA).


First of all, I must say that although I was able to do this without problems and nothing went wrong with the Logger or with event receiving, you should follow this at your own risk! Anyway, if you follow this strictly, some of the steps back up the original key and certificate, so if anything goes wrong it should be easy to put the original files back.


This was tested on an L7500s with version


1. Log in via SSH to your Logger as the "root" user (you can do this without requesting a challenge from the support team since version 6 or so).

2. Switch to the "arcsight" user:

[root@*******]# su - arcsight

3. Execute the following command. It will create two files: a Certificate Signing Request (request.csr) and a private key (server.pem).

[arcsight@******* ~]$ openssl req -out request.csr -newkey rsa:2048 -nodes -keyout server.pem -sha256

4. Send the .csr to your internal CA to sign your public key certificate. They will return your certificate, signed by them. Rename the file they return to "server.crt". Now you have your private key in a file called "server.pem" and your public key certificate, signed by your internal CA, in a file called "server.crt". Now you have everything you need to import into Logger's apache web server!

(If you don't want your certificate to be signed by a CA, you can generate a self-signed one by executing the following command: openssl x509 -req -days 365 -in request.csr -signkey server.pem -out server.crt -sha256)

5. cd to the folder where you need to replace the current private key and certificate:

[arcsight@******* ~]$ cd /opt/arcsight/userdata/platform/ssl.crt

6. Back up the current files (so if anything goes wrong you can restore them and return to normal operation):

[arcsight@******** ssl.crt]$ cp server.crt server.crt.bak
[arcsight@******** ssl.crt]$ cp server.pem server.pem.bak

7. Copy the private key you created in step 3 to the location where apache expects it:

[arcsight@******** ssl.crt]$ cp /path/to/created/server.pem server.pem

8. Do the same for the certificate signed by your internal CA (or the self-signed certificate) received/created in step 4:

[arcsight@******** ssl.crt]$ cp /path/to/received/server.crt server.crt

9. Switch back to the "root" user:

[arcsight@******** ssl.crt]$ exit

10. Restart apache:

[root@******* ~]# /opt/local/apache/bin/httpd -k restart

11. Just to make sure everything went fine, check the apache "error_log". The final lines should be similar to the following:

[Thu Feb 05 16:31:56 2015] [notice] SIGHUP received.  Attempting to restart

httpd: Could not reliably determine the server's fully qualified domain name, using for ServerName

[Thu Feb 05 16:31:57 2015] [notice] SSL FIPS mode disabled

[Thu Feb 05 16:31:57 2015] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8zc-fips configured -- resuming normal operations

12. Double-check in your browser by accessing the Logger GUI and see whether the certificate presented to you is the same one you created in this procedure.

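Before copying the files in steps 7 and 8, it is worth checking that the certificate really came back signed with SHA-2 and that it belongs to the private key from step 3; afterwards, the same script can confirm what apache actually serves (step 12). This is an added helper script, not part of the original document or of the Logger product; it assumes openssl is on the PATH and that the files are named server.pem and server.crt as in steps 3 and 4.

```shell
#!/bin/sh
# Pre-flight checks for a Logger key/certificate pair (added example, not Logger's own tooling).

# Print the signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 only for SHA-2 RSA signature algorithms; SHA-1 and MD5 are rejected.
sig_alg_is_strong() {
  case "$1" in
    sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the private key and the certificate carry the same RSA modulus.
key_matches_cert() {
  key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  crt_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Print the signature algorithm of the certificate a live server presents
# (usage: served_sig_alg host port), for the check in step 12.
served_sig_alg() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Run both checks on a key/certificate pair; exit status 0 only if both pass.
preflight() {
  alg=$(cert_sig_alg "$2")
  if ! sig_alg_is_strong "$alg"; then
    echo "FAIL: $2 is signed with '${alg:-unknown}', not a SHA-2 algorithm" >&2
    return 1
  fi
  if ! key_matches_cert "$1" "$2"; then
    echo "FAIL: modulus of $1 does not match $2; do not install this pair" >&2
    return 1
  fi
  echo "OK: $2 uses $alg and matches $1"
}

# Example invocation on the files from steps 3 and 4, run as the arcsight user:
#   preflight "$HOME/server.pem" "$HOME/server.crt"
```

If preflight fails on the modulus check, the CA most likely signed a different request than the one generated in step 3, and the backup from step 6 is not needed because nothing has been replaced yet.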

Now you have your certificate with a decent signing algorithm!



João Cruz
