cmdReporter Wiki


Certificates for Remote Endpoint Logging

Which Certificates Do You Need

It is best practice to define explicitly the full certificate chain that the client is expected to see when it connects to the logging endpoint. For a server using a Let's Encrypt certificate, a simple example looks like this (the X3 chain shown here has since been retired by Let's Encrypt, so take the names from the chain your server actually serves rather than copying them):

<key>LogRemoteEndpointTLS</key>
<dict>
  <key>TLSServerCertificate</key>
  <array>
    <string>server_name.company.com</string>
    <string>Let's Encrypt Authority X3</string>
    <string>DST Root CA X3</string>
  </array>
</dict>

Each string is matched against the Common Name (CN) of a certificate stored in the System keychain. No other keychain is searched when looking up certificates at this time.


How To Get The Certificates - Command Line

Note - This process is only for initial configuration. After validating the settings, configuration profiles should be used to deploy the certificates to endpoints in production.

# Save the full s_client output to a file. The empty stdin closes the session once the handshake completes;
# -servername sends SNI so a server hosting several names returns the certificate for the right one.
echo -n | openssl s_client -showcerts -servername HOSTNAME -connect HOSTNAME:PORT > chain.txt

# Depending on how your collection server is configured, either the entire certificate chain or only the server certificate is returned. If only the server certificate comes back, the intermediate and root certificates must be obtained separately, since every name listed in TLSServerCertificate has to be present in the System keychain. Each certificate is a block of text like this:
-----BEGIN CERTIFICATE-----
MIIFazCCBFOgAwIBAgISBIuX8OD2k1mBKORs6oCdBeaFMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
... (truncated for readability)
-----END CERTIFICATE-----

# Copy each block, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, into its own plain text file.

# Give each file a ".pem" extension and double-click it to import it into the System keychain with Keychain Access.

# The end result for a simple three-certificate chain should look similar to this:
$ ls -1 certs.d
intermediate-ca.pem
root-ca.pem
server-leaf-cert.pem

$ cat server-leaf-cert.pem
-----BEGIN CERTIFICATE-----
MIIFazCCBFOgAwIBAgISBIuX8OD2k1mBKORs6oCdBeaFMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
... (truncated for readability)
-----END CERTIFICATE-----

