Management Center is not accepting syslog server certificate signed by our Internal PKI chain
Management Center sending Alert 21, Unknown CA towards TLS syslog server
How to configure encrypted syslogging on Management Center
syslog-ng[22825]: SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca'
Management Center running code version 3.0.x and below (e.g. 2.4.x.x, 2.3.x.x, etc.)
Management Center with TLS syslogging.
Prior to Management Center version 3.1.1.x, MC only validates a TLS syslog collector's certificate if it is signed by Management Center's own certificate, named default_ca.
You need to ensure that the syslog server's SSL certificate is signed by Management Center's default_ca. This requires exporting the default_ca private key and certificate to your OpenSSL/syslog server. Below are the steps needed on the Management Center side:
1. CLI commands to view default_ca's keypair and certificate:
en
conf terminal
ssl view keypair default_ca (this is the private key)
ssl view certificate default_ca
2. Save the above private key and certificate to your OpenSSL and/or syslog server. OpenSSL requires these two files when signing the syslog server's certificate signing request (CSR), and the syslog client's CSR if mutual authentication is desired.
3. Edit/configure your syslog server's conf file so that it can locate the server key, certificate and, most likely, the CA certificate of the signer. For more information on how to configure your syslog server, please refer to the OS distribution documentation and to the OpenSSL and syslog project sites (see the links below) for your organization's syslog implementation.
https://www.openssl.org/
https://www.syslog-ng.com/
https://www.rsyslog.com/
4. When using syslog over TLS with mutual authentication, you need to import into Management Center the client private key and certificate created with your OpenSSL. It is highly suggested to create a new ssl-context and CCL specific to your syslog/TLS use, and to create a new ca-certificate by copying the contents of the default_ca certificate.
The following are sample commands for importing the client private key and certificate created with your OpenSSL:
en
conf terminal
ssl
inline keyring syslog-client-cert showable yes
inline certificate syslog-client-cert
5. Create a new ssl-context, CCL and ca-certificate, and associate them for use by syslog/TLS.
The following commands assume you are still at MC's "(config-ssl)#" prompt:
create ssl-context syslog-ssl-context
create ccl syslog-ccl
inline ca-certificate default-ca-certificate (paste the default_ca certificate, then press Ctrl-D to save it)
edit ccl syslog-ccl
add default-ca-certificate
exit
edit ssl-context syslog-ssl-context
ccl syslog-ccl
keyring syslog-client-cert
exit
exit
6. Configure syslog over TLS using the syslog-ssl-context created above.
The command below assumes you are at MC's "(config)#" prompt:
event-log syslog add tls host port ssl-context syslog-ssl-context
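Steps 2 and 4 delegate the actual signing to OpenSSL. The shell script below is an added example, not part of this article and not Management Center code: it generates a throwaway self-signed CA as a stand-in for the default_ca key and certificate exported in step 1 (in practice you would use the exported files), signs a syslog server CSR and, for mutual authentication, a syslog client CSR with it, and checks with openssl verify that each chains to that CA. The working directory, file names and subject names are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Signs a syslog collector's CSR and a
# syslog client's CSR with a CA key/cert pair and verifies the resulting chain.
# In the real procedure the CA key and certificate are the ones shown by
# "ssl view keypair default_ca" / "ssl view certificate default_ca"; here a
# throwaway CA is generated so the script runs offline (assumption).
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

# Stand-in for the exported default_ca keypair and certificate (constructed).
# A config file is used so the CA carries explicit CA:TRUE / keyCertSign
# extensions; without them openssl verify rejects it as an invalid CA.
make_stand_in_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = default_ca-stand-in
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/default_ca.key" -out "$WORK/default_ca.crt" >/dev/null 2>&1
}

# Create a key and CSR for one role and sign the CSR with the CA.
# $1 = file basename, $2 = subject CN, $3 = extendedKeyUsage (serverAuth/clientAuth)
issue_cert() {
  name="$1"; cn="$2"; eku="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  # Extensions applied at signing time: restrict the cert to its role and
  # carry the name the peer will check.
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$eku" "$cn" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" \
    -CA "$WORK/default_ca.crt" -CAkey "$WORK/default_ca.key" -CAcreateserial \
    -days 30 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Returns 0 when $WORK/$1.crt chains to the CA, non-zero otherwise. This is
# the same trust decision Management Center makes against default_ca.
verify_against_ca() {
  openssl verify -CAfile "$WORK/default_ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Server cert for the collector (step 2) and client cert for MC (step 4).
build_all() {
  make_stand_in_ca
  issue_cert syslog-server syslog.example.internal serverAuth
  issue_cert syslog-client mc.example.internal clientAuth
}

build_all
verify_against_ca syslog-server && echo "syslog-server.crt chains to default_ca (files in $WORK)"
```

The syslog-server.key and syslog-server.crt files are what the collector's configuration in step 3 points at, together with default_ca.crt as the trusted CA; syslog-client.key and syslog-client.crt are the pair imported in step 4. A certificate signed by any other CA fails the same verify check, which is the condition behind the "unknown ca" alert in the Symptoms above.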
This solution is acceptable for FIPS certification but not for Common Criteria.
If you need more information about the CLI commands given above, kindly refer to the Management Center Command Line Reference document, following the link below