To make Nagios Core's web interface PCI compliant with a SHA-2 (SHA-256) signed certificate, follow these steps using OpenSSL and you will have a compliant certificate in no time. SHA-2 signed certificates are a standard requirement nowadays in any PCI compliant environment. This guide assumes Nagios is served by an Apache backend. Run the command below to generate the .crt and .key files.
Command to generate a SHA-256 certificate
# openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 -keyout hostname.local.key -out hostname.local.crt
Output:
[@nagios admin]# openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 -keyout nagios.off.local.key -out nagios.off.local.crt
Generating a 2048 bit RSA private key
........................+++
..................+++
writing new private key to 'nagios.off.local.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:BERKS
Locality Name (eg, city) [Default City]:READING
Organization Name (eg, company) [Default Company Ltd]:Personal
Organizational Unit Name (eg, section) []:DEV
Common Name (eg, your name or your server's hostname) []:nagios.off.local
Email Address []:admin@nagios.local
Now you can see that it has generated two files as given below.
[@nagios admin]# ls
nagios.off.local.crt nagios.off.local.key
Now verify that the certificate was signed with SHA-256: run this command and look for sha256WithRSAEncryption in the output.
# openssl x509 -noout -text -in nagios.off.local.crt | grep 256
Output:
[@nagios admin]# openssl x509 -noout -text -in nagios.off.local.crt | grep 256
Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption
Now copy the key and certificate to the TLS folders
# cp nagios.off.local.crt /etc/pki/tls/certs/
# cp nagios.off.local.key /etc/pki/tls/private/
Now point ssl.conf at the newly generated certificate and key.
Edit ssl.conf
# vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/nagios.off.local.crt
SSLCertificateKeyFile /etc/pki/tls/private/nagios.off.local.key
Restart Apache
# service httpd restart (or) /etc/init.d/httpd restart
# service nagios restart (or) /etc/init.d/nagios restart
If you open the Nagios web interface in Firefox or IE and inspect the certificate, you can see that it is now signed with SHA-256.
That should be it; you are all set with a SHA-256 certificate.
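The generation and verification steps above, scripted as an added example (not part of the original post): the certificate is produced non-interactively with -subj, the signature algorithm is read from its own field rather than by grepping for "256" (which would also match a 256-bit key size), and the key is checked against the certificate. The host name, output directory and subject values are constructed assumptions.

```shell
#!/bin/sh
# Added example: non-interactive SHA-256 self-signed cert for a Nagios host.
# Assumptions (not from the original post): HOSTNAME and OUTDIR are parameters;
# the subject fields are sample values.
set -eu

# gen_sha256_cert HOSTNAME OUTDIR
# Writes OUTDIR/HOSTNAME.key and OUTDIR/HOSTNAME.crt, valid for 1095 days.
gen_sha256_cert() {
    host="$1"; outdir="$2"
    mkdir -p "$outdir"
    openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 \
        -subj "/C=GB/ST=BERKS/L=READING/O=Personal/OU=DEV/CN=$host" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null
    chmod 600 "$outdir/$host.key"   # private key must not be world-readable
}

# cert_sig_alg CRTFILE -> prints the signature algorithm name,
# e.g. sha256WithRSAEncryption (first "Signature Algorithm:" field).
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# cert_is_sha2 CRTFILE -> exit 0 if the signature uses SHA-2,
# exit 1 if it still uses SHA-1 or MD5.
cert_is_sha2() {
    case "$(cert_sig_alg "$1")" in
        sha256*|sha384*|sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# key_matches_cert KEYFILE CRTFILE -> exit 0 if the private key belongs to the
# certificate (same public key), which catches copying the wrong file into
# /etc/pki/tls/private before Apache is restarted.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl dgst -sha256)
    [ "$k" = "$c" ]
}
```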