Require Valid Audit Log Server Certificates

The system supports validating audit log server certificates using imported CRLs in Distinguished Encoding Rules (DER) format.

Note

If you choose to verify certificates using CRLs, the system uses the same CRLs to validate both audit log server certificates and certificates used to secure the HTTP connection between an appliance and a web browser.

Before you begin

  • Understand the ramifications of requiring mutual authentication and of using certificate revocation lists (CRLs) to ensure that certificates are still valid. See Audit Log Certificate.

  • Obtain and import the client certificate following the steps in Securely Stream Audit Logs and the topics referenced in that procedure.

Procedure


Step 1

On the Firewall Management Center, choose System (system gear icon) > Configuration.

Step 2

Click Audit Log Certificate.

Step 3

To use Transport Layer Security to securely stream the audit log to an external server, select Enable TLS.

When TLS is enabled, the syslog client (Firewall Management Center) verifies the certificate received from the server. The connection between the client and the server succeeds only if server certificate verification is successful. For this verification process, the following conditions must be met:

  • Configure the syslog server to send the certificate to the client.

  • Add (import) a CA certificate to the client to verify the server certificate:

    • You must import the CA certificate during the import of the client certificate.

    • If the issuing CA is a subordinate CA, add the issuing CA first, then the CA that signed the subordinate CA's certificate, and so on up to the root CA.

Step 4

If you do not want the client to authenticate itself to the server, but only to accept the server certificate when that certificate is issued by the same CA (not recommended):

  1. Deselect Enable Mutual Authentication.

    Important

    Ensure that the server is configured to trust the client without verifying any client certificates.

  2. Click Save and skip the remainder of this procedure.

Step 5

(Optional) To enable client certificate verification by the audit log server, select Enable Mutual Authentication.

Important

The Enable Mutual Authentication option is applicable only when TLS is enabled.

When mutual authentication is enabled, the syslog client (Firewall Management Center) sends a client certificate to the syslog server for verification. The client certificate must be signed by the same CA that signed the server certificate of the syslog server. The connection succeeds only if client certificate verification is successful. For this verification process, the following conditions must be met:

  • Configure the syslog server to verify the certificate received from the client.

  • Add a client certificate to be sent to the syslog server. This certificate must be signed by the same CA that signed the server certificate of the syslog server.

Note

To use mutual authentication for streaming the audit log to the syslog server, use PKCS#8 format for the private key instead of PKCS#1 format. Use the following command line to convert a PKCS#1 key to PKCS#8 format (replace the two placeholders with your file names):

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in <PKCS1 key file name> -out <PKCS8 key file name>

Step 6

(Optional) To automatically recognize server certificates that are no longer valid:

  1. Select Enable Fetching of CRL.

    Important

    This option is displayed only when you select the Enable Mutual Authentication check box. However, the Enable Fetching of CRL option is applicable only when the TLS option is enabled. CRLs are used for server certificate verification, which does not depend on mutual authentication; mutual authentication enables client certificate verification.

    Enabling fetching of the CRL creates a scheduled task for the client to regularly update (download) the CRL or CRLs. The CRLs are used for server certificate verification: verification fails if a CRL from the CA lists the server certificate being verified as revoked by that CA.

  2. Enter a valid URL to an existing CRL file and click Add CRL.

    Repeat to add up to 25 CRLs.

  3. Click Refresh CRL to load the current CRL or CRLs from the specified URL or URLs.

Step 7

Verify that you have a valid server certificate generated by the same certificate authority that created the client certificate.
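A pre-flight check you can run on a workstation before Step 7 and Step 8. This is an added example, not part of Cisco's documentation: it builds a throwaway CA, a server certificate, a client certificate with a PKCS#1 key and a DER CRL as constructed sample input (all file names are assumptions), converts the client key with the openssl pkcs8 command from the note above, and confirms that both certificates chain to the same CA and that the server certificate is not listed in the CRL. It also shows the failure case by revoking the server certificate and re-publishing the CRL.

```shell
# Pre-flight check for Step 7: same CA for server and client certificate,
# client key in PKCS#8, server certificate absent from the DER CRL.
set -eu

# Constructed sample PKI (not a real deployment): one CA, a server
# certificate, a client certificate with a PKCS#1 key, and an empty DER CRL.
make_sample_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=AuditLogCA -days 2 >/dev/null 2>&1
  for n in server client; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=$n" >/dev/null 2>&1
    openssl x509 -req -in "$n.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out "$n.crt" -days 1 >/dev/null 2>&1
  done
  # OpenSSL 3 writes PKCS#8 unless -traditional is given; 1.1.1 writes PKCS#1.
  openssl rsa -in client.key -out client-pkcs1.key -traditional >/dev/null 2>&1 ||
    openssl rsa -in client.key -out client-pkcs1.key >/dev/null 2>&1
  printf '[ca]\ndefault_ca=d\n[d]\ndatabase=index.txt\ncertificate=ca.crt\n' > ca.cnf
  printf 'private_key=ca.key\ndefault_md=sha256\ndefault_crl_days=1\n' >> ca.cnf
  : > index.txt
  publish_crl
}

# Optionally revoke a certificate, then sign the CRL and store it in DER,
# the format the appliance imports.
publish_crl() {
  [ $# -eq 0 ] || openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  openssl crl -in crl.pem -outform DER -out crl.der
}

# The conversion from the note above; succeeds only if the output is PKCS#8.
to_pkcs8() {
  openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in "$1" -out "$2"
  grep -q 'BEGIN PRIVATE KEY' "$2"
}

# Usage: preflight CA_CERT SERVER_CERT CLIENT_CERT CRL_DER. Both certificates
# must verify against the CA, and the server cert must not be in the CRL.
preflight() {
  openssl crl -inform DER -in "$4" -outform PEM -out crl-check.pem
  openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 &&
    openssl verify -CAfile "$1" -CRLfile crl-check.pem -crl_check "$2" >/dev/null 2>&1
}
```

Run make_sample_pki once in a scratch directory, then preflight ca.crt server.crt client.crt crl.der; after publish_crl server.crt the same check fails, which is exactly what Enable Fetching of CRL is meant to detect on the appliance.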

Step 8

Click Save.


What to do next

(Optional) Set the frequency of CRL updates.