
How can I create a TLS certificate?


I want to use the multi-platform probe, but it requires a Transport Layer Security (TLS) Certificate. What is TLS and how can I create a TLS certificate to use with the multi-platform probe?

multi-platform-probe nats-server probe-adapter prtg

Created on Oct 4, 2023 8:23:24 AM by Yasodhara Das [Paessler Support]

Last change on Jul 31, 2024 3:12:22 PM by Jacqueline Conforti [Paessler Support]


Accepted Answer


This applies as of PRTG 24.

If you already know you want to create a self-signed certificate authority root certificate and a TLS server certificate, skip to How to create a self-signed certificate.

What is TLS and why is it necessary?

Transport Layer Security (TLS) is a protocol that provides various security features for network communication. You can use TLS certificates in the following scenarios in PRTG:

  • Secure your PRTG instance
  • Encrypt and protect data transferred between multi-platform probes, a NATS server, and your PRTG core servers

Where do TLS certificates come from?

Most organizations use TLS certificates issued by a public certificate authority (CA) or by their own internal root CA. In both these scenarios, the CA maintains a root certificate that issues and validates any TLS server certificates (also known as a leaf certificate or an end-user certificate).

CA root certificates are long-lasting, often valid for 10 or more years, and rarely need to be updated. Trusted root certificates usually come with most systems – or in the case of an internal root CA, are installed on your internal systems by your IT administrators – and are found in your system trust store.

In some cases, you might also have one or multiple intermediate certificates. A CA uses the root certificate to issue an intermediate certificate, which administrators can use to issue server certificates. This creates an additional layer of security as both the root certificate and intermediate certificate need to be present on a system to validate the server certificate.


How can I check what certificates exist in my system trust store?

Before you go through the process of creating a self-signed certificate, check your system trust store to see whether there is a CA already available for you to use. You also need to access your trust store to manually add any new certificates you want to trust across your entire system.

Linux

If the certificates on your system exist in /etc/ssl/certs, you can view a list of them by navigating to the certs file. You can list all the CA certificates present on your system and their details with the following command:

awk -v decoder='openssl x509 -noout -subject 2>/dev/null' '/BEGIN/{close(decoder)};{print | decoder}' < /etc/ssl/certs/ca-certificates.crt

Note: Remember to adjust the path of the certificate – in this case, /etc/ssl/certs/ca-certificates.crt – in this command to your system’s specifications.

Windows

The most straightforward way to manage certificates on a Windows system is through the Microsoft Management Console. For more information and a step-by-step guide, see the Microsoft documentation: Trusted Root Certification Authorities Certificate Store.


What do I do if I need a new TLS server certificate?

The process to obtain a new TLS server certificate is unique to every organization and situation. If you are unsure how your organization handles certificates, contact your IT administrators.

Three common scenarios:

  1. If your organization uses a public certificate authority, you often must purchase a TLS server certificate from the CA itself.
  2. If your organization uses an internal root or intermediate CA, you must request a new TLS server certificate from whomever maintains the root CA.
  3. If neither of the above options fits your situation, you can also create a self-signed CA certificate and use it to generate a TLS server certificate.

The benefit of using a self-signed certificate is that you can stipulate how long it is valid for, you can easily customize the host names and IP address it needs to be valid on, and you can renew it whenever you need to.

However, despite the flexibility a self-signed certificate gives you, it requires more work to set up and maintain. You must also manually add any self-signed certificates to every system you want to use the certificate with.


How to create a self-signed certificate

Follow the steps below to create your own CA root certificate and then use that CA root certificate to generate a TLS server certificate.

Note: You can change any of the file names presented in the commands. If you change any file names, be extra careful when copying commands and ensure that you use the correct file name.

At the end of this process, the following files are in your system:

  • CA certificate (example file name: ca.crt)
    Description: The root certificate used to generate and validate the server certificate. This certificate must be saved in your trust store manually. It must be present on all client systems: PRTG core server, NATS server, multi-platform probes. For the multi-platform probe, use this file in the Multi-Platform Probe Connection Settings.
    Keep this file? Yes, on every system you need it on.
  • CA private key (example file name: ca.key)
    Description: The root key used to sign and issue new server certificates. Note: Take the necessary steps to secure this file.
    Keep this file? Yes, secured*.
  • TLS server certificate (example file name: server.crt)
    Description: The server certificate that is presented for authentication upon connection. This file is only required on the system you want to use it on as it is unique to that system. For the multi-platform probe, use this file to set up the NATS server.
    Keep this file? Yes.
  • TLS server private key (example file name: server.key)
    Description: The key used to authenticate the TLS server certificate and to encrypt communication. Note: Take the necessary steps to secure this file. For the multi-platform probe, use this file to set up the NATS server.
    Keep this file? Yes, secured*.
  • Certificate signing request (CSR) (example file name: server.csr)
    Description: Functions as an intermediate file to tell OpenSSL what data should be in the server certificate.
    Keep this file? No. You can delete this file.

Additional Information:

  • All Multi-Platform Probe components require certificates and keys in the PEM format. Common file extensions include .pem, .crt, .cer, and .key.

* For more information on best practices to secure your files, see the PRTG Manual: Data Storage.


Step 1: Obtain SSL

Linux

Most Linux distributions come with OpenSSL pre-installed. Run openssl version in a terminal to check for its availability. If it is not available, refer to your distribution's documentation on how to install it. On Debian, for example, the command looks like this:

sudo apt install openssl

Windows

For Windows there is no official distribution of OpenSSL, but there are two alternatives:

  1. If you are using a package manager like Scoop, Winget or Chocolatey, install the openssl package from there.
  2. You can install OpenSSL through any of the OpenSSL distribution links listed in the OpenSSL Wiki: Binaries. By default, OpenSSL is saved in your Program Files. Once you have successfully downloaded OpenSSL, you can run the commands from your Windows Terminal or cmd.

Step 2: Create your own CA

Input

openssl req -x509 -nodes -newkey rsa:4096 -sha256 -subj "/CN=Example_CA_Name" -keyout ca.key -out ca.crt -days 36500

Important: Replace Example_CA_Name with the name of your choice. This name is publicly available. We do not recommend using any sensitive information.

Output

  • CA certificate (ca.crt) - valid for 10 years
  • CA certificate private key (ca.key)

You can use these files to create additional server certificates in the future. We recommend that you keep both files in a safe place for future use. If you want to add this CA to your system, manually add it to your trust store.

Step 3: Generate the TLS server private key and CSR

Create a server private key and a CSR.

Input

openssl req -nodes -newkey rsa:4096 -sha256 -keyout server.key -out server.csr -subj "/CN=example.com"

Important: Replace example.com with the host name or domain of your NATS server.

Output

  • Server private key (server.key)
  • Server certificate signing request (server.csr)

(Optional) Step 4: Specify Subject Alternative Names

Use Subject Alternative Names (SANs) to specify additional host names for a single certificate. These must be written to a configuration file.

If you plan to use this TLS server certificate to create a NATS server, list the addresses that the system where you intend to install the NATS server is known by. For example, if you plan to install the NATS server on your local system, you might want to include DNS:localhost and IP:127.0.0.1.

Enter SANs in a comma-separated list with no spaces between host names.

  • DNS names must be prefixed with DNS:
    • Hostnames (DNS:localhost)
    • Domains (DNS:example.com)
    • Subdomains (DNS:nats.example.com)
    • Wildcard subdomains (DNS:*.example.com - Matches all subdomains of example.com)
  • IP addresses must be prefixed with IP:
    • IPv4 (IP:192.0.2.0)
    • IPv6 (IP:::1)

Input

Linux

echo "subjectAltName=DNS:localhost,DNS:example.com,DNS:nats.example.com,DNS:*.example.com,IP:192.0.2.0" > ext.cnf

Windows

echo subjectAltName=DNS:localhost,DNS:example.com,DNS:nats.example.com,DNS:*.example.com,IP:127.0.0.1 > ext.cnf

Output

  • Configuration file (ext.cnf)

Step 5: Create and sign the TLS server certificate

Use the ca.crt, ca.key, and server.csr files you created in previous steps to create the server certificate.

Input

openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extfile ext.cnf -days 36500

Note: If you skipped the optional step 4, remove the following section of the command: -extfile ext.cnf.

Output

  • Server certificate (server.crt) - valid for 10 years

You now have a usable TLS server certificate.


FAQs

Can I update the server certificate’s configuration file?

No. If your network changes or you need to change any SANs, create a new server certificate using the CA certificate files from step 2.

My server certificate is about to expire. What should I do?

Use the CA certificate and CA certificate key from step 2 to issue a new server certificate. If you use the server certificate with a NATS server, make sure you reconfigure your NATS server and use the new TLS server certificate and server certificate key files.

I made this certificate to use with the NATS server. What do I do now?

Find the next step to install a NATS server in the Multi-Platform Probe for PRTG manual. You can start from chapter 1.2 Install a NATS server.

Created on Nov 22, 2023 5:02:07 AM by Jacqueline Conforti [Paessler Support]

Last change on Aug 14, 2024 12:19:25 PM by Jacqueline Conforti [Paessler Support]
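Steps 2 to 5 of the answer above, bundled into one POSIX shell script together with the checks the answer does not show (does server.crt chain to ca.crt, and is it valid for the host name a client will connect to). This is an added example, not Paessler's or the answer author's code; it assumes openssl is on the PATH and uses the answer's placeholder CA name, host name and SAN list.

```shell
#!/bin/sh
# Added example, not Paessler's own code: runs Steps 2-5 of the answer in one
# go, then performs the checks a practitioner wants before handing server.crt
# to a NATS server. Assumes openssl is on PATH; the CA name, host name and SAN
# list are placeholders taken from the answer.
set -eu

# make_chain DIR CA_NAME SERVER_CN SAN_LIST
# Creates ca.key/ca.crt, server.key/server.crt and ext.cnf in DIR.
make_chain() {
  dir=$1; ca_name=$2; cn=$3; sans=$4
  mkdir -p "$dir"
  ( cd "$dir"
    # Step 2: self-signed CA root certificate and its private key (10 years)
    openssl req -x509 -nodes -newkey rsa:4096 -sha256 -subj "/CN=$ca_name" \
      -keyout ca.key -out ca.crt -days 36500 2>/dev/null
    # Step 3: server private key and certificate signing request
    openssl req -nodes -newkey rsa:4096 -sha256 -keyout server.key \
      -out server.csr -subj "/CN=$cn" 2>/dev/null
    # Step 4: SAN extension file; comma-separated, no spaces
    echo "subjectAltName=$sans" > ext.cnf
    # Step 5: the CA signs the CSR, adding the SANs from ext.cnf
    openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -out server.crt -extfile ext.cnf -days 36500 2>/dev/null
    chmod 600 ca.key server.key   # "secured*": private keys readable by owner only
    rm -f server.csr              # the CSR is not needed once server.crt exists
  )
}

# verify_chain DIR: prints "ok" when server.crt chains to ca.crt, else "FAIL".
verify_chain() {
  if openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
  then echo ok; else echo FAIL; fi
}

# host_matches DIR HOST: prints "ok" when server.crt is valid for HOST, i.e.
# HOST is covered by its SANs; a client connecting to HOST would otherwise
# reject the certificate.
host_matches() {
  if openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
       "$1/server.crt" >/dev/null 2>&1
  then echo ok; else echo FAIL; fi
}

# Stand-alone run (sh script.sh demo): build the chain in a scratch directory.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_chain "$d" Example_CA_Name nats.example.com \
    "DNS:localhost,DNS:nats.example.com,IP:127.0.0.1"
  echo "chain: $(verify_chain "$d"), nats.example.com: $(host_matches "$d" nats.example.com)"
fi
```

Run host_matches with every name or address from Step 4 that clients will actually use; a "FAIL" there means the SAN list in ext.cnf must be corrected and server.crt re-issued, as the FAQ below describes.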
