Certificates Management
The Certificates Management module for Sysdig Secure provides a simple interface for administrators to create, upload, update, or delete the certificates that are used for content exported from the Sysdig environment.
Specifically, it:
- Optimizes the secure handling of certificates
- Supports .csr flows
- Provides a UI for certificate management
- Adds support for client-side certificates in the events forwarder
At this time, the feature is for Sysdig Secure SaaS only, and is integrated with the appropriate event forwarding options:
(Note: Kafka authentication is handled through a different mechanism.)
Access the Certificates Management Page
Log in to Sysdig Secure as admin and navigate to Settings from your user profile.
Select Certificates Management.
Create a Certificate
Certificate creation requires several steps, defined below.
Thereafter, you can assign the certificate to the event forwarding integrations.
Generate a CA-Signed Key and Cert
You must have a signed key and certificate from a Certificate Authority (CA), a step that your organization may already have done. If not, follow these steps:
Generate the CA key:
openssl genrsa -out ca.key 4096
Generate the CA certificate, setting the expiration with -days (the 1825 days used below is about 5 years; use 3650 for 10 years from now):
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1825 -out ca.pem
You will be prompted to provide details to populate the certificate information. Be as thorough as possible. Save the resulting ca.pem file.
Obtain the Certificate Signing Request (CSR)
The Certificates Management UI streamlines the process of obtaining a certificate-signing request (CSR).
Log in to Sysdig Secure as admin and select Settings > Certificates Management.
Select New CSR and copy the text using the Copy and Next button.
You will be prompted to leave the Sysdig UI to finish generating the certificate in an external tool.
Generate the .crt Certificate File Externally
Use a 3rd-party tool, such as OpenSSL or DigiCert, to generate the .crt file. Follow the instructions given with that tool, using the CSR you generated.
Below is an example with openssl:
openssl x509 -req -in signing-request.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out signed-cert.pem
- signing-request.csr is the filename given to the Certificate Signing Request (CSR) retrieved in the step above
- ca.pem is the filename of the Certificate Authority (CA) certificate
- ca.key is the Certificate Authority (CA) private key
- signed-cert.pem is the signed certificate that will be uploaded in the Sysdig UI (see the step below)
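Before uploading, it is worth confirming that signed-cert.pem chains to ca.pem, carries the public key from the CSR, and is not about to expire. The script below is an added example, not part of the Sysdig documentation; the function names, the demo.key stand-in for the key behind the Sysdig-generated CSR, and the 7-day threshold are assumptions, and the demo files are constructed.

```shell
#!/bin/sh
# Added example: checks to run on the page's files before uploading the cert.

# verify_signed_cert CSR CA_CERT SIGNED_CERT [MIN_DAYS]; returns 0 if all pass.
verify_signed_cert() {
  local csr="$1" ca="$2" cert="$3" min_days="${4:-7}"   # 7 days: assumed default
  local csr_pub cert_pub

  # 1. The certificate must chain to the CA that was meant to sign it.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: $cert does not verify against $ca" >&2; return 1; }

  # 2. It must carry the public key from the CSR, or it will not pair with
  #    the private key that produced that CSR.
  csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  { [ -n "$csr_pub" ] && [ "$csr_pub" = "$cert_pub" ]; } ||
    { echo "FAIL: public key in $cert differs from $csr" >&2; return 2; }

  # 3. It must remain valid for at least MIN_DAYS more days.
  openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null ||
    { echo "FAIL: $cert expires within $min_days days" >&2; return 3; }

  echo "OK: $(openssl x509 -in "$cert" -noout -enddate)"
}

# Constructed sample input: a throwaway CA and a stand-in CSR (in the real flow
# the CSR comes from the Sysdig UI), signed with the command shown on this page.
make_demo_files() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -days 30 -subj "/CN=Demo CA" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout demo.key \
      -out signing-request.csr -subj "/CN=demo-forwarder" 2>/dev/null &&
    openssl x509 -req -in signing-request.csr -CA ca.pem -CAkey ca.key \
      -CAcreateserial -out signed-cert.pem 2>/dev/null )
}

# Demo: build the constructed files in a temp dir and run the checks on them.
demo_dir=$(mktemp -d) && make_demo_files "$demo_dir" &&
  verify_signed_cert "$demo_dir/signing-request.csr" "$demo_dir/ca.pem" \
    "$demo_dir/signed-cert.pem"
rm -rf "$demo_dir"
```

Because the signing command above passes no -days, openssl x509 -req uses its default validity of 30 days, so raising MIN_DAYS to 60 makes the third check fail on the demo certificate.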
Upload the .crt in the Sysdig UI
Return to the Certificates Management page in the Sysdig Secure Settings and either click Next in the popup window or select Upload Certificate.
Assign the certificate a meaningful name.
Click Upload and Create.
The certificate will appear in the certificates list and can be applied as needed.
Apply Certificate to Event Forwarding
Log in to Sysdig Secure as admin and select Settings > Event Forwarding.
Choose an existing or new integration for Splunk, Syslog, or Webhook.
Select the correct uploaded certificate from the Certificate field and Save.
Manage Certificates
Check Where Certs Are Used
Each certificate shows the number of places where it is used. Click that number to go to each integration using that certificate.
Remove a Certificate
To remove a certificate, first make it unused. Open each integration using the certificate and either remove it from the integration or remove the whole integration itself.
When the certificate is unused, you can remove it.
Update a Certificate
To update a certificate, add a completely new certificate and update the integrations to use it instead of the old one. Then you can remove the old one.