Version
Carbon Black Response Cloud 6.x
Topic
How to verify a certificate to be used by Cb Response Cloud for SIEM/syslog integration.
This should be done prior to providing Cb Cloud Ops with certificate.
Steps
To check the certificate handshake with the SIEM server:
From any Linux machine with network connectivity, as root:
Copy the certificate to your current working directory, then run the handshake check against the SIEM, where 1.2.3.4 is the SIEM IP address and 5055 is the syslog/TLS port:
{code}# openssl s_client -connect 1.2.3.4:5055 -CAfile my.siem.crt -msg{code}
A successful check ends with "Verify return code: 0 (ok)"; any "verify error:" line means the certificate provided does not validate the SIEM's chain and should not be sent to Cb Cloud Ops.
Here is what a successful SSL connection attempt looks like with a similar command, on a host with SSL properly configured:
{code}# openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<redacted for brevity>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4800 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 61C35ECF80C77058C19F3281DFE239C3647469A5EF37DC75A15FB9BF5C7934A4
Session-ID-ctx:
Master-Key: F9186170D54C3CD9B0C1E56897E982AEAF1644EC0051C614F494FBDFF91C7F20FC72100E4E36B73E339F25B918764967
Key-Arg : None
<redacted for brevity>
{code}
An additional way to validate the certificate file itself, without connecting to the SIEM, is to inspect its contents (subject, issuer, validity period, Subject Alternative Names):
{code}# openssl x509 -in certificate.crt -text -noout{code}
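The two checks above can be scripted so the result is unambiguous before the certificate is handed to Cb Cloud Ops. The following is an added example, not code from this article or from Carbon Black: it wraps the s_client handshake check, parses the output for "verify error:" lines and the "Verify return code", and inspects the certificate file for its subject, validity dates and SANs. The host, port, CA file name and the 30-day expiry threshold are assumptions supplied by the caller; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the KB article). Assumes openssl is on PATH and
# that the caller supplies the SIEM host/port and the CA/certificate file.

# Read openssl s_client output on stdin and decide pass/fail.
# Returns 0 when the chain verified against the supplied CA file, 1 otherwise,
# printing the reason so the operator sees which depth failed.
check_sclient_output() {
    out=$(cat)
    # A "verify error:" line is printed for every depth that failed to verify.
    errs=$(printf '%s\n' "$out" | grep '^verify error:' || true)
    # The final verdict line is indented in s_client output, e.g.
    # "    Verify return code: 0 (ok)".
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *//p' | head -n 1)
    if [ -n "$errs" ]; then
        printf 'FAIL:\n%s\n' "$errs"
        return 1
    fi
    case "$code" in
        "0 (ok)")
            printf 'OK: Verify return code: %s\n' "$code"
            return 0 ;;
        "")
            printf 'FAIL: no "Verify return code" line (handshake did not complete?)\n'
            return 1 ;;
        *)
            printf 'FAIL: Verify return code: %s\n' "$code"
            return 1 ;;
    esac
}

# Handshake check: verify_siem_cert <siem-ip-or-host> <port> <ca-file>
verify_siem_cert() {
    host=$1; port=$2; cafile=$3
    # </dev/null closes stdin so s_client exits after the handshake
    # instead of waiting for data to send.
    openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1 \
        | check_sclient_output
}

# Offline inspection of the certificate file: inspect_cert <cert-file>
# Prints subject, issuer, validity window and SANs, and returns 1 if the
# certificate expires within 30 days (assumed threshold, 2592000 seconds).
inspect_cert() {
    cert=$1
    openssl x509 -in "$cert" -noout -subject -issuer -dates
    openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' || true
    if ! openssl x509 -in "$cert" -noout -checkend 2592000; then
        printf 'WARNING: certificate expires within 30 days\n'
        return 1
    fi
    return 0
}
```

Usage: `verify_siem_cert 1.2.3.4 5055 my.siem.crt && inspect_cert my.siem.crt`. The parser is deliberately separated from the network call so the same verdict logic can be applied to s_client output captured earlier (for example, output pasted into a support ticket).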
Related Content
The Most Common OpenSSL Commands