With the release of Management Center (MC) version 3.1.1.1, MC administrators can now configure Management Center to send syslogs over TLS without signing the syslog server's certificate using the MC's default_CA .  

MC version 3.0.x and earlier requires the signing of the syslog server certificate using MC's default_CA.  Refer to Management Center is unable to verify the CA certificate for syslog servers using TLS if you are running older versions of Management Center.

This article demonstrates how to configure syslog  over TLS on Management Center, with or without mutual certificate checks.  We will also use a certificate chain composing of an intermediate and root signers in our example.

Management Center 3.1.1.1 or above

TLS syslog server 

Assuming you have followed the Create keypair and import signed certificate in Management Center for creating/importing sslkey keyrings, certificates, and imported the the ca-certificates to MC:

SSH to MC and go to (config-ssl) prompt: 

% en

# conf t

(config)#ssl

(config-ssl)#create ssl-context syslog-tls
(config-ssl)#create ccl syslog-ccl

(config-ssl)# edit ccl syslog-ccl
(config-ccl-syslog-ccl)#add intermediate-ca-certificate
(config-ccl-syslog-ccl)#add root-ca-certificate
(config-ccl-syslog-ccl)#exit

(config-ssl)#edit ssl-context syslog-tls
(config-ssl-context syslog-tls)#keyring sslkey

Note: If a mutual certificate check is not a required, the self-signed default keyring could be used. Replace the "sslkey" string above with "default" if a mutual certificate check isn't required.

(config-ssl-context syslog-tls)#ccl syslog-ccl
(config-ssl-context syslog-tls)#exit
(config-ssl)#exit
(config)# event-log
(config-event-log)#syslog

(config-syslog)#add tls host syslog-server-cert port 6514 ssl-context syslog-tls

(config-syslog)exit
(config)#exit

Restart the MC after multiple configuration changes are made on the CLI: 
#restart

For the mutual authentication option, a keyring and certificate signed by your internal PKI needs to be created/imported to Management Center.  You could also use the self-signed  "default"  if mutual authentication is not required.  For this demonstration, we will use the keyring and certificate named sslkey.  Please refer to Create keypair and import signed certificate in Management Center for creating and importing certificates to Management Center.

Terminologies used in this article and examples:

syslog-server-cert - Certificate presented by syslog server.   Syslog server certificate should have the host name or IP of the server under CN (common name) or SAN (server alternative name).

intermediate-ca-certificate - In our example, this is CA that signed the syslog-server-cert.  

root-ca-certificate - In our example, this is the CA that signed the intermediate-ca-certificate

syslog-tls - Thsi is the ssl-context to be used for our TLS syslogging. The ssl-context  dictates the ciphers, protocol versions, trusted certificates (CCL) and other TLS options used by service (e.g TLS syslog) on MC.

syslog-ccl - This is a collection of trusted certificates and their signers ( e.g intermediate-ca-certificate, root-ca-certificate) associated to syslog-tls.

default - MC's default self-signed certificate.