SUMMARY
The Snare Central Server uses Ubuntu as a base operating system, and is compatible with instructions provided by most certificate issuing agencies for Ubuntu (or Debian), to generate your certificate signing request and install the resulting certificates.
...
The file /etc/apache2/sites-enabled/000-default-ssl on the Snare Server contains the SSL/TLS related configuration items. Various options will need to be enabled, and after the certificate has been signed you will have to copy the updated certificate files to the server.
How To Create your own Certificate Signing Request (CSR) to get signed by an organisational or 3rd party Certificate Authority
Using PuTTY or ssh, connect to your Snare Central Server as the 'snare' user, gain administrator-level privileges by running the command "sudo -s" (and entering your snare user password), then enter the following commands:
    cd /etc/apache2/ssl
    openssl req -out snare.csr -new -newkey rsa:2048 -sha256 -nodes -keyout privkey.pem
It will then prompt for the subject details, including C and CN. The "C" field should be a two-letter country code. The CN should be the DNS name of the Snare Server; that is, the same address that you will put into your web browser to connect to the server. Fill in the other fields as appropriate for your geographic location and organisational details.
Once the command completes, a snare.csr will be created. You will need to transfer it to your CA to sign (generally by copy/pasting the contents into a web form).
Please ensure that the certificate provided by your CA is exported in base64/PEM format.
The certificate you get back from your CA needs to replace the contents of the apache.pem file. Please transfer the certificate to the Snare Server and copy it to:
    /etc/apache2/ssl/apache.pem
Note: you will need to transfer the files to either /tmp or /home/snare, as SFTP/scp can only be used with non-root accounts. Once you have copied the files to the Snare Central server, log in to the CLI, sudo to root-level access as described above, then move the files to the correct locations.
To reload the web server with the new keys, execute:
    /etc/init.d/apache2 restart
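The following script is an added example, not Snare's own tooling: it runs the CSR generation above non-interactively and, before the CA's answer overwrites apache.pem, checks that the returned file is PEM, that its public key matches privkey.pem, and that its CN is the server's DNS name. The SSL_DIR path and restart command come from the steps above; SNARE_FQDN and the subject fields are placeholders.

```shell
#!/bin/sh
# Added example (not Snare's own code): generate the CSR, then verify the signed
# certificate before it replaces /etc/apache2/ssl/apache.pem and Apache is restarted.
set -eu

SSL_DIR="${SSL_DIR:-/etc/apache2/ssl}"                 # path used in the steps above
SNARE_FQDN="${SNARE_FQDN:-snare.example.internal}"     # placeholder: your server's DNS name

# Generate a 2048-bit RSA key and CSR, answering the C/CN prompts via -subj.
gen_csr() {
    dir="$1"; fqdn="$2"; country="$3"; org="$4"
    openssl req -out "$dir/snare.csr" -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$dir/privkey.pem" -subj "/C=$country/O=$org/CN=$fqdn"
}

# True when the file is a base64/PEM certificate (the format the page asks the CA for),
# rather than DER or a PKCS#7/PKCS#12 bundle that Apache would not load from apache.pem.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# True when the certificate's public key is the one belonging to the CSR's private key.
# A certificate for a different key would stop Apache from starting with the new pair.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# True when the subject CN is the DNS name users will type into their browser.
cert_names_host() {
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# Install the signed certificate only after all checks pass, then restart Apache.
install_cert() {
    cert="$1"; key="$SSL_DIR/privkey.pem"
    is_pem_cert "$cert"                    || { echo "not a PEM certificate: $cert" >&2; return 1; }
    cert_matches_key "$cert" "$key"        || { echo "certificate does not match $key" >&2; return 1; }
    cert_names_host "$cert" "$SNARE_FQDN"  || { echo "CN is not $SNARE_FQDN" >&2; return 1; }
    cp "$SSL_DIR/apache.pem" "$SSL_DIR/apache.pem.bak" 2>/dev/null || true   # keep the old cert
    install -m 0644 "$cert" "$SSL_DIR/apache.pem"
    /etc/init.d/apache2 restart
}
```

Run `gen_csr "$SSL_DIR" "$SNARE_FQDN" AU "Your Org"` as root to produce snare.csr, and `install_cert /home/snare/signed.pem` once the CA has returned the certificate.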
Snare Central TLS Listener
TLS and strict validation are available from Snare Agents to Snare Central. Standard TLS is supported with a self-signed certificate. Strict validation of the client/server can be provided with a certificate signed by a trusted (internal or third party) CA.
...