Generate/Create a SHA2/SHA256 cert for Nagios CORE - RedHat/CentOS

To make Nagios CORE security compliant with a SHA-2/SHA-256 certificate, follow these steps using OpenSSL and you will have a PCI compliant certificate in no time. A SHA-256-signed certificate is a standard requirement nowadays in any PCI compliant environment. These steps assume Nagios CORE is served by an Apache (httpd) backend. Run the command below to generate the .crt and .key files.

Command to generate SHA256 Cert

# openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 -keyout hostname.local.key -out hostname.local.crt

Output:

[@nagios admin]# openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 -keyout nagios.off.local.key -out nagios.off.local.crt
Generating a 2048 bit RSA private key
..........................+++
...................+++
writing new private key to 'nagios.off.local.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:BERKS
Locality Name (eg, city) [Default City]:READING
Organization Name (eg, company) [Default Company Ltd]:Personal
Organizational Unit Name (eg, section) []:DEV
Common Name (eg, your name or your server's hostname) []:nagios.off.local
Email Address []:admin@nagios.local

Now you can see that it has generated two files as given below.

[@nagios admin]# ls
nagios.off.local.crt  nagios.off.local.key

Now, to verify that the generated certificate is signed with SHA-256, run this command and look for sha256 in the Signature Algorithm field (the grep matches the '256' in sha256WithRSAEncryption).

# openssl x509 -noout -text -in nagios.off.local.crt | grep 256

Output:

[@nagios admin]# openssl x509 -noout -text -in nagios.off.local.crt | grep 256
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

Now copy the key and the certificate into the system TLS directories (the private key goes under /etc/pki/tls/private/, which is readable by root only).

# cp nagios.off.local.crt /etc/pki/tls/certs/
# cp nagios.off.local.key /etc/pki/tls/private/

Now point ssl.conf at the newly generated certificate and key.

Edit ssl.conf and set these two directives:

# vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/nagios.off.local.crt
SSLCertificateKeyFile /etc/pki/tls/private/nagios.off.local.key

Restart Apache and Nagios

# service httpd restart (or) /etc/init.d/httpd restart
# service nagios restart (or) /etc/init.d/nagios restart
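The steps above can also be scripted so the certificate is generated without the interactive DN prompts and checked before it is installed. The script below is an added example and is not part of the original article; it assumes the openssl CLI is on PATH and uses the same DN values, file names and CentOS/Apache paths as the article. Besides the article's signature-algorithm check, it confirms the private key actually belongs to the certificate (a mismatch is the usual reason httpd refuses to start after a certificate swap) and installs the key with root-only permissions.

```shell
#!/bin/sh
# Added example (not from the original article): non-interactive SHA-256 self-signed
# certificate for Nagios CORE on CentOS/RHEL with Apache, plus the checks a practitioner
# wants before restarting httpd. Assumes: openssl on PATH; article's paths and DN values.

CERT_CN="nagios.off.local"
CERT_DAYS=1095
# Same DN the article enters at the prompts, passed with -subj so no prompts appear.
CERT_SUBJ="/C=GB/ST=BERKS/L=READING/O=Personal/OU=DEV/CN=${CERT_CN}/emailAddress=admin@nagios.local"

# Generate <outdir>/<cn>.key and <outdir>/<cn>.crt.
# -sha256 selects the signature digest; -nodes leaves the key unencrypted so httpd
# starts without a passphrase. umask 077 keeps the key from ever being world-readable.
# On OpenSSL 1.1.1+ you can also add: -addext "subjectAltName=DNS:${CERT_CN}"
# (modern browsers match the hostname against the SAN, not the CN).
gen_sha256_cert() {
    outdir="$1"
    (umask 077 && openssl req -x509 -nodes -sha256 -days "$CERT_DAYS" \
        -newkey rsa:2048 \
        -subj "$CERT_SUBJ" \
        -keyout "$outdir/$CERT_CN.key" -out "$outdir/$CERT_CN.crt" 2>/dev/null)
}

# Print the certificate's signature algorithm (e.g. sha256WithRSAEncryption).
# This is the field the article's "grep 256" matches; here the exact value is returned
# so a script can compare it instead of eyeballing it.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 if the private key's modulus matches the certificate's modulus.
# Arguments: <cert.crt> <key.key>
key_matches_cert() {
    certmod=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    keymod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$certmod" ] && [ "$certmod" = "$keymod" ]
}

# Copy into the article's locations: world-readable cert, root-only key.
# Arguments: <cert.crt> <key.key>  (run as root)
install_cert() {
    install -m 0644 "$1" /etc/pki/tls/certs/
    install -m 0600 "$2" /etc/pki/tls/private/
}

# Usage when run directly:  sh gen-nagios-cert.sh /tmp/certs
if [ -n "$1" ]; then
    mkdir -p "$1"
    gen_sha256_cert "$1"
    echo "Signature algorithm: $(cert_sig_alg "$1/$CERT_CN.crt")"
    if key_matches_cert "$1/$CERT_CN.crt" "$1/$CERT_CN.key"; then
        echo "Key and certificate match; ready for install_cert and an httpd restart"
    else
        echo "Key/certificate mismatch; do not install" >&2
        exit 1
    fi
fi
```

After install_cert, the SSLCertificateFile and SSLCertificateKeyFile directives in /etc/httpd/conf.d/ssl.conf are set exactly as in the article and httpd is restarted; running key_matches_cert first avoids discovering a mismatch only when the restart fails.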

If you browse to the Nagios web interface with Firefox or IE and inspect the certificate, you can see that it is now SHA256 compliant.

That should be it and you are all ready with a SHA256 cert.
