SSL Server Certificate

Your system uses Secure Sockets Layer (SSL) technology to communicate over an encrypted channel with its clients, such as SmartConnectors using SmartMessaging, and with other ArcSight systems. Your system ships with a self-signed certificate so that an SSL session can be established the first time you use the appliance. For more information on this option, see Generating a Self-Signed Certificate.

Although a self-signed certificate is provided for your use, you should use a certificate authority (CA) signed certificate: a self-signed certificate encrypts the channel, but a client cannot verify that it is talking to the genuine system unless that exact certificate has been explicitly trusted on the client, whereas a CA-signed certificate is validated through a CA the clients already trust. To facilitate obtaining a CA-signed certificate, your system can generate a Certificate Signing Request. After the CA returns the signed certificate file, you import it onto your system, and clients use it to authenticate the system from then on. For detailed instructions, see Generating a Certificate Signing Request (CSR).

Your system generates an audit event when the installed SSL certificate will expire in less than 30 days or has already expired. The event, with Device Event Class ID “platform:407”, is generated periodically until you replace the certificate with one that does not expire within the next 30 days. Treat the first occurrence as the trigger to request and import a replacement, because clients that validate the certificate will reject an expired one.

Generating a Self-Signed Certificate

Your system ships with a self-signed certificate so that an SSL session can be established the first time you connect. This type of certificate does not require signing from another entity and can be used immediately; because no CA vouches for it, however, browsers and connectors will trust it only if it has been explicitly accepted or installed on each client.

To generate a self-signed certificate:

  1. Click Administration > Setup > System Admin.

  2. Click SSL Server Certificate from the Security section in the left panel to display the Generate Certificate/Certificate Signing Request page.

  3. Click the Generate Certificate tab.

  4. From the Generate Certificate For Protocol field, use the Network Protocol drop-down menu to choose the appropriate protocol.

    Parameter   Description
    HTTPS       Choose this option to generate a certificate or CSR for use with the HTTPS protocol. This is the most commonly used option.
    FTPS        Choose this option only when generating a certificate or CSR for use with FTPS.

  5. From the Enter Certificate Settings field, enter values for the following fields:

    Parameter            Description
    Country              ISO 3166-1 two-letter country code, such as ‘US’ for the United States.
    State/Province       State or province name, such as ‘California’.
    City/Locality        City name, such as ‘Sunnyvale’.
    Organization Name    Company name, governmental entity, or similar overall organization.
    Organizational Unit  Division or department within the organization.
    Hostname             The host name or IP address of this system.
                         When specifying the host name, make sure that it matches the name registered for the system in the Domain Name Service (DNS) server, because clients compare the name they connect to against the certificate. Additionally, this name must be identical to the host name configured in the NICs settings.
                         Note: If the host name or IP address of this system changes in the future, you must generate a new self-signed certificate or CSR. After the new certificate is obtained, you must upload it so that the connectors that communicate with the system can still validate the host name.
    Email Address        The email address of the administrator or contact person for this certificate.
    Private Key Length   The private key length is 2048 bits.

  6. Use the first two buttons to generate a CSR or a self-signed certificate. The View Certificate button is only used to view the resulting certificate.

    Button                Description
    Generate CSR          Click to generate a Certificate Signing Request (CSR).
    Generate Certificate  Click to generate a self-signed certificate.
    View Certificate      Click to view the generated certificate.

  7. Click the Generate Certificate button to generate the self-signed certificate.

  8. Click OK after the confirmation message appears.

  9. Click the View Certificate button to view the PEM-encoded self-signed certificate.
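The checks a practitioner runs on the resulting certificate before pointing connectors or browsers at it, as an added shell example that is not ArcSight tooling and not taken from the product documentation: it rebuilds a self-signed certificate with openssl from the same fields the Generate Certificate form asks for, then verifies that the host name is covered, that the key is 2048 bits, and that the certificate is outside the 30-day window that raises the platform:407 audit event. The host name logger.example.com, the subject values, and the 10-day certificate used to exercise the expiry path are constructed for the example; openssl is assumed to be on PATH. The form above has no subjectAltName field; the example adds one because browsers match the host name against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example, not part of the ArcSight product: build a self-signed
# certificate from the same fields the Generate Certificate form asks for,
# then audit it the way the appliance and its clients will.
# Assumptions: openssl is on PATH; host name and subject values are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="logger.example.com"   # assumed DNS name of the appliance (the form's Hostname field)

# Request config mirroring the form fields. The SAN entry is added because
# browsers ignore the CN and match the host name against subjectAltName only.
cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext
[dn]
C  = US
ST = California
L  = Sunnyvale
O  = Example Corp
OU = Security Operations
CN = $HOST
emailAddress = admin@example.com
[v3_ext]
subjectAltName = DNS:$HOST
EOF

# Self-signed certificate with a 2048-bit RSA key (the length the form uses).
# The second one, valid for only 10 days, stands in for a certificate that is
# about to trigger the platform:407 expiry audit event.
mk_self_signed() {   # $1 = output name, $2 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -config "$WORK/req.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
mk_self_signed self 365
mk_self_signed short 10

# Subject CN, i.e. the value typed into the Hostname field.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# DNS names listed in subjectAltName, one per line (empty if there is no SAN).
cert_san_dns() {
    openssl x509 -noout -text -in "$1" | grep 'DNS:' | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Succeeds when the name clients connect to is covered by the certificate:
# in the SAN (what browsers check) or, failing that, the CN (what older clients check).
cert_covers_host() {   # $1 = PEM certificate, $2 = host name
    cert_san_dns "$1" | grep -qxF "$2" || [ "$(cert_cn "$1")" = "$2" ]
}

# RSA key size in bits. Handles both "RSA Public-Key: (2048 bit)" (OpenSSL 1.1.x)
# and "Public-Key: (2048 bit)" (OpenSSL 3.x) output.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Mirrors the appliance's audit check: "ok" if the certificate is still valid
# in $2 days (30 by default), "expiring" if it expires sooner or already has.
expiry_status() {
    if openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null; then
        echo ok
    else
        echo expiring
    fi
}

# Full pre-deployment report; returns non-zero on the first failed check.
audit_cert() {   # $1 = PEM certificate, $2 = host name clients will use
    cert_covers_host "$1" "$2" || { echo "FAIL: $2 not in SAN/CN (CN=$(cert_cn "$1"))"; return 1; }
    [ "$(cert_key_bits "$1")" -ge 2048 ] || { echo "FAIL: key shorter than 2048 bits"; return 1; }
    [ "$(expiry_status "$1")" = ok ] || { echo "FAIL: expires within 30 days (platform:407)"; return 1; }
    echo "PASS: CN=$(cert_cn "$1"), $(cert_key_bits "$1")-bit key, $(openssl x509 -noout -enddate -in "$1")"
}

audit_cert "$WORK/self.pem"  "$HOST"                     # passes
audit_cert "$WORK/short.pem" "$HOST" || true             # fails: expiring
audit_cert "$WORK/self.pem"  "logger.internal" || true   # fails: name not covered
```

Run the same audit_cert function against the PEM shown by View Certificate (saved to a file) with the name your connectors actually resolve; a mismatch there is the usual cause of connectors failing host name validation after a rename.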

Generating a Certificate Signing Request (CSR)

The first step in obtaining a CA-signed certificate is to generate a Certificate Signing Request (CSR). The CSR must be generated on the system for which you are requesting a certificate: the private key that the CSR corresponds to is created and kept on that system and is never exported, and the import step accepts only the signed certificate, not a key. You therefore cannot generate a CSR for System A on System B or use a third-party utility for generation; a certificate issued for such a CSR would have no matching private key on the system.

The resulting CSR must be sent to a CA, such as VeriSign, which responds with a signed certificate file.

To generate a certificate signing request:

  1. Click Administration > System Admin.

  2. Click SSL Server Certificate from the Security section in the left panel to display the Generate Certificate/Certificate Signing Request page.

  3. Click the Generate Certificate tab.

  4. From the Generate Certificate For Protocol field, use the Network Protocol drop-down menu to choose the appropriate protocol.

    Parameter   Description
    HTTPS       Choose this option to generate a CSR for use with the HTTPS protocol. This is the most commonly used option.
    FTPS        Choose this option only when generating a CSR for use with FTPS.

  5. From the Enter Certificate Settings field, enter values for the following fields:

    Parameter            Description
    Country              ISO 3166-1 two-letter country code, such as ‘US’ for the United States.
    State / Province     State or province name, such as ‘California’.
    City / Locality      City name, such as ‘Sunnyvale’.
    Organization Name    Company name, governmental entity, or similar overall organization.
    Organizational Unit  Division or department within the organization.
    Hostname             The host name or IP address of this system.
                         When specifying the host name, make sure that it matches the name registered for the system in the Domain Name Service (DNS) server, because clients compare the name they connect to against the certificate. Additionally, this name must be identical to the host name configured in the NICs settings.
                         Note: If the host name or IP address of this system changes in the future, you must generate a new self-signed certificate or CSR. After the new certificate is obtained, you must upload it so that the connectors that communicate with the system can still validate the host name.
    Email Address        The email address of the administrator or contact person for this CSR.
    Private Key Length   Select the length (in bits) of the private key: 1024, 2048, 4096, or 8192. Use at least 2048: 1024-bit RSA keys are considered too weak, and public CAs will not issue a certificate for a CSR with a 1024-bit key.

  6. Use the first two buttons to generate a CSR or a self-signed certificate. The View Certificate button is only used to view the resulting certificate.

    Button                Description
    Generate CSR          Click to generate a Certificate Signing Request (CSR).
    Generate Certificate  Click to generate a self-signed certificate.
    View Certificate      Click to view the generated certificate.

  7. Choose Generate CSR to generate a certificate signing request.

  8. If the CSR was successfully generated, a pop-up window appears, allowing you either to download the CSR file or to copy and paste its content.

    To copy it, select all the lines from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----, including those two lines themselves.

  9. Send the CSR file to your certificate authority to obtain the CA-signed certificate.

  10. After the CA-signed certificate file is obtained, continue on to Importing a Certificate.

Importing a Certificate

If you have obtained a certificate from your certificate authority (CA), follow the steps below to import it onto your system.

  1. Click Administration > System Admin.

  2. Click SSL Server Certificate under the Security section in the left panel.

  3. Select the Import Certificate tab. 

  4. From the Import Certificate For Protocol field, use the Network Protocol drop-down menu to select the appropriate protocol type.

    Parameter

    Description

    HTTPS

    Choose to import an HTTPS certificate. (This option may require a reboot).

    FTPS

    Choose to import an FTPS certificate.

  5. Click the Browse button to locate the signed certificate file on your local file system. 

    Note: The imported certificate must be in Privacy Enhanced Mail (PEM) format, the Base64 text form framed by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. If your CA delivers the certificate in binary DER format (often with a .cer or .der extension), convert it to PEM before importing it.

  6. Click Import and Install to import the specified certificate.

  7. If using HTTPS, you may, depending on your browser, need to close and restart the browser for the new certificate to take effect. If you are unsure of your browser's requirements, close and restart it.
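The checks worth running between Generating a Certificate Signing Request (CSR) and Importing a Certificate, as an added shell example covering both procedures (it is not ArcSight tooling and not from the product documentation): it confirms the copied CSR is intact and self-consistent, confirms that the file the CA sent back was issued for the key behind that CSR rather than for some other request, and converts a DER-encoded certificate to the PEM form the import page requires. The host name logger.example.com and the subject values are constructed for the example, a throw-away CA created inside the script stands in for your real CA, and a second CSR from a different key shows the mismatch being caught; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not part of the ArcSight product: sanity-check a CSR before
# it goes to the CA, and check the returned certificate before importing it.
# Assumptions: openssl on PATH; host name and subject are made up; the
# throw-away CA created below stands in for your real CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="logger.example.com"   # assumed value of the form's Hostname field
SUBJ="/C=US/ST=California/L=Sunnyvale/O=Example Corp/OU=Security Operations/CN=$HOST/emailAddress=admin@example.com"

# Key pair plus CSR, as the Generate CSR button produces on the appliance.
openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 1. Is the CSR complete (BEGIN/END lines survived the copy-and-paste) and
#    self-consistent (its signature verifies with the embedded public key)?
csr_is_valid() {
    grep -q -- '^-----BEGIN CERTIFICATE REQUEST-----$' "$1" &&
    grep -q -- '^-----END CERTIFICATE REQUEST-----$' "$1" &&
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# 2. Subject CN the CA will put in the certificate; it must equal the DNS name.
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# SHA-256 of the public key inside a CSR ("req") or a certificate ("x509").
pubkey_sha256() {   # $1 = req|x509, $2 = file
    openssl "$1" -noout -pubkey -in "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# 3. Does the CA-issued certificate belong to the key on this system? The
#    appliance never exports its private key, so a certificate issued for a
#    CSR generated elsewhere (or for a CSR you later regenerated) is unusable
#    even when the subject looks right.
cert_matches_csr() {   # $1 = certificate, $2 = CSR
    [ "$(pubkey_sha256 x509 "$1")" = "$(pubkey_sha256 req "$2")" ]
}

# 4. The import page requires PEM. Some CAs return binary DER (.cer/.der);
#    this accepts either encoding and always writes PEM to $2.
to_pem() {
    openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
}

# --- Stand-in for the CA: issue a certificate for our CSR, plus one for a
#     CSR made from a different key, and a DER copy of the good one. ---
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
sign_csr() {   # $1 = CSR, $2 = output certificate
    openssl x509 -req -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$2" 2>/dev/null
}
sign_csr "$WORK/server.csr" "$WORK/signed.pem"
openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$WORK/other.key" -out "$WORK/other.csr" 2>/dev/null
sign_csr "$WORK/other.csr" "$WORK/wrong.pem"
openssl x509 -in "$WORK/signed.pem" -outform DER -out "$WORK/signed.der"

# Gate to pass before clicking Import and Install.
ready_to_import() {   # $1 = file from the CA, $2 = the CSR you sent, $3 = expected host name
    to_pem "$1" "$WORK/import.pem" || { echo "FAIL: $1 is neither PEM nor DER"; return 1; }
    cert_matches_csr "$WORK/import.pem" "$2" || { echo "FAIL: certificate key does not match the CSR key"; return 1; }
    [ "$(csr_cn "$2")" = "$3" ] || { echo "FAIL: CN $(csr_cn "$2") != $3"; return 1; }
    echo "PASS: $1 matches the CSR for $3; import $WORK/import.pem"
}

csr_is_valid "$WORK/server.csr" && echo "CSR ok: CN=$(csr_cn "$WORK/server.csr")"
ready_to_import "$WORK/signed.pem" "$WORK/server.csr" "$HOST"           # PASS
ready_to_import "$WORK/signed.der" "$WORK/server.csr" "$HOST"           # PASS after DER-to-PEM
ready_to_import "$WORK/wrong.pem"  "$WORK/server.csr" "$HOST" || true   # FAIL: key mismatch
```

In practice, point ready_to_import at the file your CA returned and the CSR you downloaded from the pop-up; the key-mismatch failure is what you see when the CSR was regenerated on the appliance after it was submitted, and the only fix is to submit the new CSR.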