Renew Wazuh certificates


Gokul Suresh

Jan 28, 2025, 1:19:43 AM
to Wazuh | Mailing List
Hi team,
I have a doubt regarding renewing Wazuh certificates.
How should Wazuh certificates like sslmanager.cert, filebeat.cert, and server.cert be renewed?
Which is the better method to use: the OpenSSL tool or the Wazuh cert creation tool?
Can I get the steps to renew these certificates?

hasitha.u...@wazuh.com

Jan 28, 2025, 2:53:31 AM
to Wazuh | Mailing List
Hi Gokul,

I have attached the relevant documents to generate the Wazuh manager certificates.
First, you need to select the Wazuh version you have by clicking "Version 4.10 (current)" and then selecting the exact version you currently have (attached screenshot).
https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster.html#generating-wazuh-server-certificates-using-the-pre-existing-root-ca
Make sure to back up the certificate files to another location before generating new ones.

You can find your version by running this command.
/var/ossec/bin/wazuh-control info

Generate an SSL certificate on the Wazuh server signed by the certificate authority. The steps to generate an SSL certificate for the Wazuh manager are as follows:
Make sure that you back up the file before generating certificates.
https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/security-options/manager-identity-verification.html#wazuh-manager-identity-validation

Create a certificate request configuration file req.conf on the Wazuh server.
Add this config to the req.conf file and replace <WAZUH_MANAGER_IP_ADDRESS> with your Wazuh manager IP.

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = US
CN = <WAZUH_MANAGER_IP_ADDRESS>
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = wazuh
DNS.2 = wazuh.com

Create a certificate signing request (CSR) on the Wazuh server with the following command. The CSR will be used to request a digital certificate from a Certificate Authority (CA):
openssl req -new -nodes -newkey rsa:4096 -keyout sslmanager.key -out sslmanager.csr -config req.conf

Issue and sign the certificate for the Wazuh manager CSR with the following command:
openssl x509 -req -days 365 -in sslmanager.csr -CA rootCA.pem -CAkey rootCA.key -out sslmanager.cert -CAcreateserial -extfile req.conf -extensions req_ext

Copy the newly signed certificate and key files to /var/ossec/etc on the Wazuh manager:
cp sslmanager.cert sslmanager.key /var/ossec/etc

Restart the Wazuh manager to apply the changes made:
systemctl restart wazuh-manager

Let me know the update on this.

Regards,
Hasitha Upekshitha

Gokul Suresh

Jan 28, 2025, 3:52:07 AM
to Wazuh | Mailing List
Thank you, Hasitha, for your reply.
I have one more doubt: is it the same method mentioned above to renew filebeat.cert and server.cert?

hasitha.u...@wazuh.com

Jan 28, 2025, 11:36:52 PM
to Wazuh | Mailing List
Hi Gokul,

I could not find any filebeat.cert and server.cert certificate files. I believe the certificates you are looking for are these, which belong to the Wazuh server-side certificates:

wazuh-certificates/
├── admin-key.pem
├── admin.pem
├── root-ca.key
├── root-ca.pem
├── server-key.pem
└── server.pem

As I mentioned earlier, navigate to your matching Wazuh version (attached screenshot).

If you already have a root Certificate Authority (CA) and need to generate certificates for Wazuh server nodes using the existing root CA, you can follow these steps:
https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster.html#generating-wazuh-server-certificates-using-the-pre-existing-root-ca

First, you need to create a config.yml file. You must specify the details for only the Wazuh server node(s) if you want to create certificates:
nodes:
  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "<WAZUH_MANAGER_IP_ADDRESS>"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<WAZUH_MANAGER_IP_ADDRESS>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<WAZUH_MANAGER_IP_ADDRESS>"
    #  node_type: worker

Run the command below to create Wazuh server certificates from the config.yml file using the pre-existing root CA keys:
bash wazuh-certs-tool.sh -ws /path/to/root-ca.pem /path/to/root-ca.key

Once the certificates have been generated, you will need to rename and move the Wazuh server certificate to the corresponding Wazuh server nodes. By default, the certificates should be placed in the /etc/filebeat/certs/ directory, as specified in the Filebeat configuration file located at /etc/filebeat/filebeat.yml. If the directory does not already exist, you must create it before proceeding.

mv /path/to/server-key.pem /etc/filebeat/certs/filebeat-key.pem
mv /path/to/server.pem /etc/filebeat/certs/filebeat.pem

Let me know if you need further assistance.

Regards,
Hasitha Upekshitha
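The following is an added example, not part of Hasitha's replies or of Wazuh's own scripts: it rehearses the req.conf / CSR / signing steps from the earlier reply against a constructed throwaway root CA in a temporary directory, then defines an assumed helper check_renewed_cert that verifies a renewed certificate the way you would before copying it into /var/ossec/etc or /etc/filebeat/certs (signed by the root CA, expected SAN present, enough validity left). The 10.0.0.5 address and the ca_ext config section are constructed for the rehearsal only.

```shell
# Added example, not from the thread or from Wazuh's own tooling: rehearse the
# sslmanager.cert renewal in a temp dir against a constructed throwaway root
# CA, then run the checks you would apply to the real renewed certificate.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
MANAGER_IP="10.0.0.5"   # constructed stand-in for <WAZUH_MANAGER_IP_ADDRESS>
# req.conf as in the reply, with the IP filled in; the trailing ca_ext
# section is ours and is used only to mint the throwaway root CA.
cat > "$WORK/req.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = US
CN = $MANAGER_IP
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = wazuh
DNS.2 = wazuh.com
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
# Throwaway root CA standing in for the real rootCA.pem / rootCA.key.
openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -subj "/CN=constructed-root-ca" \
  -config "$WORK/req.conf" -extensions ca_ext \
  -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.pem" 2>/dev/null

# CSR and CA signing exactly as in the reply (365-day validity).
openssl req -new -nodes -newkey rsa:4096 -keyout "$WORK/sslmanager.key" \
  -out "$WORK/sslmanager.csr" -config "$WORK/req.conf" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/sslmanager.csr" -CA "$WORK/rootCA.pem" \
  -CAkey "$WORK/rootCA.key" -out "$WORK/sslmanager.cert" -CAcreateserial \
  -extfile "$WORK/req.conf" -extensions req_ext 2>/dev/null

# check_renewed_cert CERT ROOT_CA SAN_DNS MIN_DAYS (our helper): passes only if
# CERT chains to ROOT_CA, has DNS:SAN_DNS in its SAN and >= MIN_DAYS left.
# The same check suits the server.pem/filebeat.pem from wazuh-certs-tool.sh.
check_renewed_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "$1: not signed by $2"; return 1; }
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$3" \
    || { echo "$1: SAN DNS:$3 missing"; return 1; }
  openssl x509 -in "$1" -noout -checkend "$(( $4 * 86400 ))" >/dev/null 2>&1 \
    || { echo "$1: expires within $4 days, renew now"; return 1; }
  echo "$1: OK"
}
check_renewed_cert "$WORK/sslmanager.cert" "$WORK/rootCA.pem" wazuh.com 30
```

Run the helper against the real files (for example /var/ossec/etc/sslmanager.cert with your rootCA.pem) before restarting wazuh-manager or filebeat, so a mis-signed or short-lived certificate is caught before it goes live.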

Gokul Suresh

Feb 5, 2025, 5:56:56 AM
to Wazuh | Mailing List
Hi Hasitha,
Thank you for the update.
