Skip to main content
Skip table of contents

Create Client and Server Certificates

This topic provides information about creating client and server certificates. Please note the following:

  • For SQL Server server certificates, the Subject name must be the FQDN of the host machine — IP addresses are not allowed.
  • For LogRhythm client and server certificates, the Subject name can be the FQDN of the host machine or its IP address.
  • Be sure to put a ‘CN=’ before the FQDN or IP address of the Subject for all certificates (SQL Server and LogRhythm client/server).
  • Ensure there are no spaces surrounding or in between the ‘CN’ and ‘=’ and the Subject (FQDN/IP).
  • Ensure that the client and server certificates have their signing certificate — the Root CA of the certificate — in the Trusted Root Certification Authorities store. Only the public key of the certificate authority needs to be in the Trusted Root Certification Authorities store. Do not include the private key in the Trusted Root Certification Authorities store.

  • If you require your web console URL to not prompt "Accept Risk and Continue" or to be a secure connection, then an IP address and DNS Subject Alternative Name (SAN) for an IP, hostname, or FQDN you may access via the URL will be required; subject alone will not be sufficient.

If the LogRhythm TrueIdentity Sync Client is on a remote host, you must generate and trust custom or self-signed certificates on the PM before continuing with configuration.

If you are using the self-signed certificates located in C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls, follow instructions to trust the certificates. Note that it is recommended you create custom certificates.

The instructions below are examples using openSSL to create certifications in a Windows command prompt. 

  1. Log onto the machine where your LogRhythm Platform Manager is installed.
  2. Go to C:\Program Files\LogRhythm\LogRhythm Infrastructure Installer\ssl, and copy the openssl.cfg to this directory.

    The openssl.cfg can be found here openssl.cfg.

  3. Open a command prompt from this location and complete the following:
    1. To create CSR, run

      CODE
      openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -sha256 -keyout privateKey.key -config openssl.cfg
    2. To create a public certificate from CSR and a private certificate, run 

      CODE
      openssl x509 -req -days 365 -in CSR.csr -signkey privateKey.key -out LogRhythmSSL.crt -extensions extended -extfile openssl.cfg
    3. To create PFX from the public and private certificates, run 

      CODE
      openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in LogRhythmSSL.crt
    4. To export the two certificates from PFX, run 

      CODE
      openssl pkcs12 -in <certname>.pfx -nocerts -out privateKey.key -nodes
      openssl pkcs12 -in <certname>.pfx -nokeys -out LogRhythmSSL.crt
    5. To remove the passphrase from the private key, run 

      CODE
      openssl rsa -in privateKey.key -out LogRhythmSSL.pem
    6. To convert p7b format to the certificate, run 

      CODE
      openssl pkcs7 -inform (DER|PEM) -print_certs –in <pkcs7_certname>.p7b -out LogRhythmSSL.crt
    7. Run the following to ensure all MD5 checksums match 

      CODE
      openssl rsa -noout -modulus -in privateKey.key | openssl md5
      openssl x509 -noout -modulus -in LogRhythmSSL.crt | openssl md5

  4. The new certificates are generated.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.