
External Systems Configuration Guide

How to Generate a Public SSL/TLS Certificate and Configure FortiSIEM Collector

How to Set Up a FortiSIEM Collector with a Public SSL/TLS Certificate

To set up a FortiSIEM Collector with a Public SSL/TLS Certificate, you will need to generate a certificate signing request (CSR), use the CSR to generate a certificate, then configure your FortiSIEM Collector with the certificate.

Step 1 - Generate CSR

To generate a public SSL/TLS certificate, take the following steps:

  1. Run the following commands on your Collector to generate a CSR (Certificate Signing Request).

    cd /tmp

    openssl req -new -newkey rsa:4096 -nodes -keyout /etc/pki/tls/private/tls-collector1.key -out tls-collector1.csr

  2. Take the following actions when prompted.

    1. When prompted for Country Name, enter your two-letter country abbreviation. For example, the United States is "US".

    2. Enter your State or Province. For example, California would be "CA".

    3. Enter your Locality. For example, a city would be "Sunnyvale".

    4. Enter your desired org name. For example, "Fortinet".

    5. Enter the Unit Name, which is optional. For example, "IT".

    6. Enter the Common Name. It must match the FQDN of the Collector. For example, "collector1.myorg.fortinet.com".

    7. Email Address: this can be left blank. Press "Enter" to continue.

    8. If prompted for a challenge password, press "Enter" to leave blank and continue.

    9. Press Enter again to confirm.

A Certificate Signing Request is created in /tmp/tls-collector1.csr.

Step 2 - Generate Certificate

Take the following steps to generate a certificate.

  1. Using WinSCP or another SCP utility, download the CSR file to your desktop.

  2. Go to your preferred public Certificate Authority (CA), e.g. GoDaddy, Comodo, SSL.com, Symantec, and upload this CSR when prompted to generate a new SSL certificate file.

When you receive your new certificate zip file, it will normally contain 2-3 files.

Configure Collector

Take the following steps to configure your FortiSIEM Collector with the generated certificate.

  1. Use WinSCP to copy the certificate zip file to /tmp on your Collector.

  2. Unzip the file if needed, by using the following command.

    unzip <filename>.zip

    The .crt file is your certificate, and is usually a concatenation of all chain certificates.

  3. Rename the cert files if needed, using commands similar to the following.

    cd /tmp

    mv 11111111.crt tls-collector1.crt

  4. Copy the cert to the correct folder using the following command.

    cp tls-collector1.crt /etc/pki/tls/certs/tls-collector1.crt

    Note:

    If the TLS certificate provided has the entire certificate chain in the certificate, a certificate chain file is not needed.

    If the public CA's download includes a separate intermediate certificate chain file, copy it to the same directory using commands similar to the following.

    cp vendorchain_cert.crt /etc/pki/tls/certs/tls-chain-certs.crt

    chmod 644 /etc/pki/tls/certs/tls-chain-certs.crt

  5. Set permissions using the following commands.

    chmod 644 /etc/pki/tls/certs/tls-collector1.crt

    chmod 640 /etc/pki/tls/private/tls-collector1.key

    chown root:admin /etc/pki/tls/private/tls-collector1.key

    The new public CA signed TLS/SSL certificate, associated private key, and any certificate chain certificates must be referenced in the following two Collector files:

    /etc/httpd/conf.d/ssl.conf

    /opt/phoenix/config/phoenix_config.txt

  6. Use vi or another text editor to open the ssl.conf file.

    vi /etc/httpd/conf.d/ssl.conf

  7. Find the following three directives and overwrite their existing values, or comment out the existing lines with "#" and add these.

    Note: The last directive is optional. If the TLS cert was directly signed by a root CA, it is not needed. Also, if the cert chain is already chained inside the SSL certificate itself, the intermediate chain file is not needed separately.

    SSLCertificateFile /etc/pki/tls/certs/tls-collector1.crt

    SSLCertificateKeyFile /etc/pki/tls/private/tls-collector1.key

    SSLCertificateChainFile /etc/pki/tls/certs/tls-chain-certs.crt

  8. Save the file and restart Apache by running the following command.

    systemctl restart httpd

  9. Next, update the /opt/phoenix/config/phoenix_config.txt file to reference the new TLS certificate by using vi or some other text editor.

    vi /opt/phoenix/config/phoenix_config.txt

  10. Locate the following line in your phoenix_config.txt file.

    listen_tls_port_list=6514

  11. Change the following lines that appear after listen_tls_port_list=6514 so they reference the new TLS certificate.

    tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

    tls_key_file=/etc/pki/tls/private/tls-collector1.key

  12. Save the file, and as root, restart phParser using the following command.

    killall -9 phParser
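Before restarting httpd and phParser it is worth confirming that the key, certificate and chain you copied into /etc/pki/tls actually belong together, that the Common Name matches the Collector FQDN, and that the key permissions from step 5 took effect. The POSIX shell helpers below are an added example and not part of FortiSIEM or this guide; they assume the openssl CLI is available, and the demo material they generate (a throwaway self-signed certificate for collector1.example.test) is constructed for offline testing only.

```shell
#!/bin/sh
# Sanity checks for the Collector certificate material before ssl.conf and
# phoenix_config.txt are pointed at it. Hypothetical helper, not part of
# FortiSIEM; requires the openssl CLI.

# Number of PEM certificates in a file: 1 means leaf only, >1 means the CA
# concatenated the intermediate chain into the .crt (no separate chain file).
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Subject CN of a certificate (the value that must equal the Collector FQDN).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 if the CN or any DNS SAN equals the expected FQDN, 1 otherwise.
cert_matches_fqdn() {
    fqdn=$1; cert=$2
    [ "$(cert_cn "$cert")" = "$fqdn" ] && return 0
    openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^, ]*' |
        sed 's/^DNS://' | grep -qx "$fqdn"
}

# 0 if the private key belongs to the certificate, the certificate is not
# expired and the key is not world-readable; a distinct non-zero code otherwise.
check_collector_tls() {
    cert=$1; key=$2
    # Compare SubjectPublicKeyInfo digests from the cert and from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 2; }
    [ -z "$(find "$key" -perm -o+r)" ] || { echo "private key is world-readable" >&2; return 3; }
    return 0
}

# Constructed demo material (a throwaway self-signed cert) so the checks can
# run offline; prints the directory it wrote to.
make_demo_material() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Example/CN=collector1.example.test" \
        -keyout "$dir/tls-collector1.key" -out "$dir/tls-collector1.crt" >/dev/null 2>&1
    chmod 640 "$dir/tls-collector1.key"
    echo "$dir"
}
```

On a real Collector, call `check_collector_tls /etc/pki/tls/certs/tls-collector1.crt /etc/pki/tls/private/tls-collector1.key` and `pem_cert_count` on the .crt to decide whether the SSLCertificateChainFile directive is needed at all.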