Being our own authority

We'll start by creating the certificates in a separate directory. For simplicity's sake, let's do this on a test host; choose any directory where our certificate signing will happen.

The following is not intended to be a good practice. It's actually doing quite a few bad and insecure things to get the certificates faster. Don't follow these steps for any production setup.

Let's create a folder with our own certificates that we can use to encrypt our traffic.

$ mkdir zabbix_ca
$ chmod 700 zabbix_ca
$ cd zabbix_ca

Generate the root CA key:

$ openssl genrsa -aes256 -out zabbix_ca.key 4096

When prompted, enter a password twice to protect the key. Generate and self-sign the root certificate:

$ openssl req -x509 -new -key zabbix_ca.key -sha256 -days 3560 -out zabbix_ca.crt

When prompted, enter the password you used for the key before. Fill in the values as prompted; the easiest might be supplying empty values for most, except the country code and common name. The common name doesn't have to be anything too meaningful for our test, so using a simple string such as zabbix_ca will suffice.

Now, on to creating a certificate we'll use for the Zabbix server. First, let's generate a server key and Certificate Signing Request (CSR):

$ openssl genrsa -out zabbix_server.key 2048
$ openssl req -new -key zabbix_server.key -out zabbix_server.csr

When prompted, enter the country code and common name strings as before. The common name doesn't have to match the server or agent name or anything else, so using a simple string such as zabbix_server will suffice. Let's sign this request now:

$ openssl x509 -req -in zabbix_server.csr -CA zabbix_ca.crt -CAkey zabbix_ca.key -CAcreateserial -out zabbix_server.crt -days 1460 -sha256

When prompted, enter the CA passphrase. Let's continue with the certificate we'll use for the Zabbix agent. Generate an agent key and certificate signing request:

$ openssl genrsa -out zabbix_agent.key 2048
$ openssl req -new -key zabbix_agent.key -out zabbix_agent.csr

When prompted, enter the country code and common name strings as before. The common name doesn't have to match the server or agent name or anything else, so using a simple string such as zabbix_agent will suffice. Now, let's sign this request:

$ openssl x509 -req -in zabbix_agent.csr -CA zabbix_ca.crt -CAkey zabbix_ca.key -CAcreateserial -out zabbix_agent.crt -days 1460 -sha256

When prompted, enter the CA passphrase.

We're done with creating our test certificates. Both keys were created unencrypted; Zabbix doesn't support prompting for the key password at this time.
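The script below is an added example, not part of the original text: it replays the steps above without prompts in a scratch directory, then checks that each certificate chains to the CA, that each key matches its certificate, and that the unencrypted keys are readable by their owner only. The function names, the passphrase and the `/C=LV` subject are assumptions made for the example; `-subj`, `-passout` and `-passin` stand in for the interactive prompts.

```shell
#!/bin/sh
# Constructed test values: the passphrase and the /C=LV subject are assumptions.
CA_PASS='constructed-test-passphrase'

# Replay the steps above non-interactively in directory $1.
make_test_pki() (
    cd "$1" || exit 1
    umask 077   # every file created here is owner-only
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out zabbix_ca.key 4096 2>/dev/null || exit 1
    openssl req -x509 -new -key zabbix_ca.key -passin "pass:$CA_PASS" -sha256 \
        -days 3560 -subj '/C=LV/CN=zabbix_ca' -out zabbix_ca.crt || exit 1
    for name in zabbix_server zabbix_agent; do
        openssl genrsa -out "$name.key" 2048 2>/dev/null || exit 1
        openssl req -new -key "$name.key" -subj "/C=LV/CN=$name" -out "$name.csr" || exit 1
        openssl x509 -req -in "$name.csr" -CA zabbix_ca.crt -CAkey zabbix_ca.key \
            -passin "pass:$CA_PASS" -CAcreateserial -out "$name.crt" \
            -days 1460 -sha256 2>/dev/null || exit 1
    done
)

# Succeeds only if certificate $2 chains to CA certificate $1 and private
# key $3 holds the same public key as that certificate.
check_pair() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if file $1 grants nothing to group or others. The server
# and agent keys are unencrypted, so the file mode is their only protection.
key_is_private() {
    case $(ls -ld "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_test_pki "$work" || { echo "generation failed" >&2; exit 1; }
for name in zabbix_server zabbix_agent; do
    if check_pair "$work/zabbix_ca.crt" "$work/$name.crt" "$work/$name.key" &&
       key_is_private "$work/$name.key"; then
        echo "$name: OK"
    else
        echo "$name: FAILED"
    fi
done
```

The two check functions can also be pointed at the files in the zabbix_ca directory created by hand above.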
