Wazuh Installation


Satwika sree

Nov 20, 2024, 12:28:51 AM
to Wazuh | Mailing List
Hi Team,

I have my own SSL certificate with a domain name and would like to proceed with the all-in-one server installation. Could you please guide me on how to proceed with this setup?

Md. Nazmur Sakib

Nov 20, 2024, 1:26:37 AM
to Wazuh | Mailing List

Hi Satwika,

I am sharing documents that include instructions for creating and configuring Let's Encrypt certificates. Let's Encrypt is a nonprofit Certificate Authority (CA) providing free SSL/TLS certificates to millions of websites.


You can install the SSL certificate directly on the Wazuh dashboard. Alternatively, you can install it using NGINX, a third-party open-source proxy software, to offload the SSL decryption processing from the Wazuh dashboard.


Choose a preferred method to start configuring the SSL/TLS certificate for the Wazuh dashboard:



I hope you find this information useful.

Satwika sree

Nov 20, 2024, 1:38:17 AM
to Wazuh | Mailing List
Thank you for the suggestion.

I just want the SSL certificate for all the Wazuh components, not only the Dashboard.
suggest that what is 

Satwika sree

Nov 20, 2024, 1:39:20 AM
to Wazuh | Mailing List
What is the process for that kind of server installation?

Md. Nazmur Sakib

Nov 21, 2024, 3:41:46 AM
to Wazuh | Mailing List

We do not have any official documents on this.

If you want the certificates to be signed by your own Certification Authorities, you need to follow these steps:

  1. Create a private key

  2. Create a certificate request signed with that private key

  3. Send the certificate request to the Enterprise CA to create the certificate

  4. Obtain from the CA the public root CA certificate and the newly created certificate

  5. Place them in the nodes and review the configurations.



Below is an example for the indexer:

Create the Admin certificate request

In order to load/modify the configurations used by the security plugin, it's necessary to use the securityadmin.sh script. This script uses a pair of certificates to run.

Note: Take note of the file names (admin.*) and the subject (-subj parameter) because you will need them to set the Indexer's configuration correctly.

Create a private key

openssl genrsa -out admin-key-temp.pem 2048

Convert private key to PKCS#8 format

openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

Create a CSR that'll be signed by the CA

openssl req -new -key admin-key.pem -subj "/C=AR/ST=CBA/O=Wazuh/OU=Ops/CN=admin" -out admin.csr

Save the admin-key.pem file and send the admin.csr file to your CA to get it signed.

Create the node certificate requests

It's the same process as for the admin pair. It is necessary to create one pair for each node.

Note: Take note of the file names (node_name*.*) and the subject (-subj parameter) because you will need them to set the Indexer's configuration correctly.

Create a private key

NODE_NAME=<node_name>

openssl genrsa -out $NODE_NAME-key-temp.pem 2048

Convert private key to PKCS#8 format

openssl pkcs8 -inform PEM -outform PEM -in $NODE_NAME-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out $NODE_NAME-key.pem

Create a CSR that'll be signed by the CA

openssl req -new -key $NODE_NAME-key.pem -subj "/C=AR/ST=CBA/O=Wazuh/OU=Ops/CN=$NODE_NAME" -addext "subjectAltName = IP:<IP_ADDRESS>" -out $NODE_NAME.csr

Replace <IP_ADDRESS> with the IP address of the node.

Save the $NODE_NAME-key.pem file and send the $NODE_NAME.csr file to your CA to get it signed.

Sign the requests with your Enterprise CA

Please follow these requisites to sign the requests and obtain a certificate to be used on Wazuh Indexer:

Requisites to request the certificates:
  • Standard: x509

  • Hashing Algorithm: SHA256

💡You can make use of the AD CS lab created in this guide to sign the certificates, following steps 4-6 from the Create the certificate for Authentication section

Sign the certificates with OpenSSL

openssl x509 -req -in <REQUEST.CSR> -CA root-ca.pem -CAkey root-ca.key -CAcreateserial -sha256 -out <CERT.PEM> -days 3650

This will create the certificate with a ten-year validity.

Configure Wazuh Indexer with the new certificates

Considerations when applying the configuration:

  • Remove the demo certificates:

rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f

  • You can use the same method to create the certificate requests for Dashboard certs. No need to add the subjectAltName.

  • You can use the same method to create the certificate requests for Filebeat certs. No need to add the subjectAltName.

You always have to include the root-ca.pem certificate (public key).
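The node-certificate steps from the last reply, run end to end as an added example (not part of the thread or of Wazuh's documentation): it signs the request with a throwaway demo CA, then checks that the certificate chains to root-ca.pem, still carries the IP subjectAltName, and matches the private key. The node name, IP address and demo CA are constructed, and issue_node_cert and verify_node_cert are hypothetical helper names; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example. The throwaway root CA, node name and IP are constructed for the
# demo; with a real enterprise CA only the CSR leaves the node.
set -eu

# issue_node_cert NODE IP DIR: key -> PKCS#8 -> CSR -> signed certificate.
# The body is a subshell, so cd, umask and variables do not leak to the caller.
issue_node_cert() (
  node=$1 ip=$2 dir=$3
  umask 077                       # private keys readable by the owner only
  mkdir -p "$dir"
  cd "$dir"
  # Stand-in for the enterprise CA (assumption: a self-signed demo root).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/C=AR/ST=CBA/O=Wazuh/OU=Ops/CN=demo-root-ca" \
    -keyout root-ca.key -out root-ca.pem
  # Key, PKCS#8 conversion and CSR as in the thread (-v1 has no effect with
  # -nocrypt, so it is left out here).
  openssl genrsa -out "$node-key-temp.pem" 2048
  openssl pkcs8 -inform PEM -outform PEM -in "$node-key-temp.pem" \
    -topk8 -nocrypt -out "$node-key.pem"
  rm -f "$node-key-temp.pem"
  openssl req -new -key "$node-key.pem" \
    -subj "/C=AR/ST=CBA/O=Wazuh/OU=Ops/CN=$node" \
    -addext "subjectAltName = IP:$ip" -out "$node.csr"
  # "openssl x509 -req" does not copy CSR extensions by default, so the SAN is
  # passed again through -extfile.
  printf 'subjectAltName = IP:%s\n' "$ip" > san.ext
  openssl x509 -req -in "$node.csr" -CA root-ca.pem -CAkey root-ca.key \
    -CAcreateserial -sha256 -days 30 -extfile san.ext -out "$node.pem"
)

# verify_node_cert NODE IP DIR: exit status 0 = all checks pass, 1 = chain does
# not verify, 2 = SAN missing or wrong, 3 = certificate and private key differ.
verify_node_cert() (
  node=$1 ip=$2 dir=$3
  cd "$dir" || exit 1
  openssl verify -CAfile root-ca.pem "$node.pem" >/dev/null 2>&1 || exit 1
  san=$(openssl x509 -in "$node.pem" -noout -ext subjectAltName 2>/dev/null) || exit 2
  case $san in *"IP Address:$ip" | *"IP Address:$ip,"*) ;; *) exit 2 ;; esac
  cert_pub=$(openssl x509 -in "$node.pem" -noout -pubkey) || exit 3
  key_pub=$(openssl pkey -in "$node-key.pem" -pubout) || exit 3
  [ "$cert_pub" = "$key_pub" ] || exit 3
)

# Demo run with constructed values.
demo_dir=$(mktemp -d)
issue_node_cert node-1 10.0.0.5 "$demo_dir" 2>/dev/null
verify_node_cert node-1 10.0.0.5 "$demo_dir" && echo "node-1.pem: chain, SAN and key OK"
```

Running verify_node_cert against a certificate returned by the real CA, with that CA's root-ca.pem in the same directory, shows before deployment whether the CA kept the subjectAltName.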