Management Center is unable to verify the CA certificate for syslog servers using TLS.


Article ID: 176489


Updated On:


Management Center


Management Center is not accepting a syslog server certificate signed by our internal PKI chain.

Management Center is sending Alert 21, Unknown CA, towards the TLS syslog server.

How to configure encrypted syslogging on Management Center

syslog-ng[22825]: SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca'


Management Center running code version 3.0.x and below (e.g. 2.4.x.x, 2.3.x.x, etc.)

Management Center with TLS syslogging.



Prior to Management Center version 3.1.1.x, MC would only validate a TLS syslog collector's certificate if it was signed by Management Center's own certificate, named default_ca.


You need to ensure that the syslog server's SSL certificate is signed by Management Center's default_ca. This requires exporting the default_ca private key and certificate to your openssl/syslog server. Below are the steps needed on the Management Center side:

1. CLI commands to view default_ca's keypair and certificate:

conf terminal
ssl view keypair default_ca (this is the private key)
ssl view certificate default_ca

2. Save the above private key and certificate to your openssl and/or syslog server. Openssl requires these two files when signing the syslog server's certificate-signing request (CSR), and the syslog client's CSR if mutual authentication is desired.

3. Edit your syslog server's configuration file so that it can locate the server key, the server certificate and, most likely, the signing CA certificate. For more information on how to configure your syslog server, refer to the OS distribution documentation and the openssl and syslog project sites (see links below) for your organization's syslog implementation.

4. When using syslog over TLS with mutual authentication, you need to import into Management Center the client private key and certificate created with your openssl. It is highly suggested to create a new ssl-context and CCL specific to your syslog/TLS use, and to create a new ca-certificate by copying the contents of the default_ca certificate.

The following are sample commands for importing the client private key and certificate created with your openssl:

conf terminal
inline keyring syslog-client-cert showable yes
inline certificate syslog-client-cert

5. Creating a new ssl-context, CCL and ca-certificate, and associating them for use by syslog/TLS

The following commands assume you are still at MC's "(config-ssl)#" prompt:

create ssl-context syslog-ssl-context
create ccl syslog-ccl
inline ca-certificate default-ca-certificate (copy/paste the default_ca certificate, then ctrl-d to save it)

edit ccl syslog-ccl
add default-ca-certificate
edit ssl-context syslog-ssl-context
ccl syslog-ccl
keyring syslog-client-cert

6. Configure syslog over TLS using the syslog-ssl-context created above. The command below assumes you are at MC's "(config)#" prompt; host and port are the address and TLS port of your syslog server:

event-log syslog add tls host port ssl-context syslog-ssl-context
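The openssl side of steps 2 to 4 above, as an added example that is not part of the article and not Management Center or syslog-ng project code. It generates a local CA that stands in for the default_ca keypair and certificate exported in step 1 (in a real deployment you paste the exported PEM into the two default_ca files instead), signs the syslog server's CSR and an optional mutual-authentication client CSR with it, checks each result against default_ca the way a pre-3.1.1.x MC does, and writes a syslog-ng TLS source fragment for step 3. WORKDIR, SYSLOG_HOST, all file names, the syslog-ng paths and the 6514 port are placeholders chosen here; openssl (1.1.1 or later) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the Broadcom article): the openssl side of steps 2-4.
# A locally generated CA stands in for the exported default_ca; WORKDIR,
# SYSLOG_HOST and every file name below are placeholders chosen for this example.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SYSLOG_HOST="${SYSLOG_HOST:-syslog.example.internal}"   # constructed host name

# make_ca NAME: self-signed CA key and certificate in $WORKDIR/NAME.{key,crt}.
# For the real procedure skip this for default_ca and instead paste the output
# of "ssl view keypair default_ca" into default_ca.key and the output of
# "ssl view certificate default_ca" into default_ca.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" \
    >/dev/null 2>&1
}

# issue_cert CA NAME CN EKU: key and CSR for NAME, signed by CA.
# EKU is serverAuth for the syslog collector and clientAuth for the client
# certificate that step 4 imports into the MC keyring for mutual authentication.
issue_cert() {
  ca=$1; name=$2; cn=$3; eku=$4
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" >/dev/null 2>&1
  # v3 extensions: the SAN lets hostname-checking peers match the collector.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\nbasicConstraints=CA:FALSE\n' \
    "$cn" "$eku" > "$WORKDIR/$name.ext"
  openssl x509 -req -days 365 -in "$WORKDIR/$name.csr" \
    -CA "$WORKDIR/$ca.crt" -CAkey "$WORKDIR/$ca.key" -CAcreateserial \
    -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" >/dev/null 2>&1
}

# verify_chain CA NAME: succeeds only if NAME.crt chains to CA.crt. This is the
# check a pre-3.1.1.x MC applies against default_ca; a certificate from any
# other issuer fails it and yields the "unknown ca" alert quoted in the article.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/$1.crt" "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# write_syslog_ng_source FILE: TLS listener fragment for step 3 (syslog-ng
# syntax; the /etc/syslog-ng/tls paths are assumptions). ca-dir() expects
# hash-named symlinks to the CA certificate, which "openssl rehash DIR" creates.
write_syslog_ng_source() {
  cat > "$1" <<'EOF'
source s_tls_syslog {
  network(
    ip(0.0.0.0) port(6514) transport("tls")
    tls(
      key-file("/etc/syslog-ng/tls/syslog-server.key")
      cert-file("/etc/syslog-ng/tls/syslog-server.crt")
      ca-dir("/etc/syslog-ng/tls/ca.d")
      peer-verify("required-trusted")
    )
  );
};
EOF
}

# Stand-alone run: build the chain, then show the positive and negative checks.
main() {
  make_ca default_ca
  issue_cert default_ca syslog-server "$SYSLOG_HOST" serverAuth
  issue_cert default_ca syslog-client mc-syslog-client clientAuth
  make_ca other-pki                                    # an unrelated internal PKI
  issue_cert other-pki wrong-issuer "$SYSLOG_HOST" serverAuth
  verify_chain default_ca syslog-server && echo "syslog-server: chains to default_ca"
  verify_chain default_ca syslog-client && echo "syslog-client: chains to default_ca"
  verify_chain default_ca wrong-issuer || echo "wrong-issuer: unknown CA, MC would reject it"
  write_syslog_ng_source "$WORKDIR/tls-source.conf"
  echo "generated files are in $WORKDIR"
}

main
```

The wrong-issuer case is the situation described in this article: a collector certificate signed by the organization's own PKI rather than by default_ca fails verify_chain, and MC answers the handshake with the Unknown CA alert that syslog-ng logs. syslog-server.key/.crt go into the syslog server configuration (step 3); syslog-client.key/.crt are what step 4 pastes into the syslog-client-cert keyring.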

This solution is acceptable for FIPS certification but not for Common Criteria.

If you need more information about the CLI commands given above, refer to the Management Center Command Line Reference document via the link below.