How to generate keys for encrypted flow export and forwarding

Information

Summary:

This guide provides information on generating the required keys and root Certificate Authority for encrypted (TLS) export of flows generated by Flowmon Probe or encrypted flow forwarding from one Flowmon Collector to another over a TCP connection. 

Environment:

Product: Flowmon OS

Version: Any

Platform: Any

Question/Problem Description:

How to generate keys for encrypted flow export and forwarding?

Resolution:

To generate keys and certificates, use OpenSSL, which is already installed on Flowmon Appliances or any other Linux or Windows version.

For TCP/TLS, a set of keys and certificates must be generated for both the flow exporting device (exporter) and the collector. All certificates must be signed by the same certification authority (CA). The CA certificate must be provided, together with the device's own key and certificate, in every configuration that uses the TCP/TLS protocol. The CA certificate is what lets each side verify that the exporter or collector it is talking to is legitimate.

Generate the CA private key and self-signed certificate using the following commands:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Generate a key/certificate pair for every flow exporter/collector:

openssl genrsa -out exporter.key 2048
openssl req -new -key exporter.key -out exporter.csr

cat > exporter.v3.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
EOF

openssl x509 -req -in exporter.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out exporter.crt -days 1024 -sha256 -extfile exporter.v3.ext

The name "exporter" used in the file names can be replaced according to your needs.

These files have to be uploaded in the GUI:

  • CA certificate - rootCA.pem
  • Certificate - exporter.crt
  • Private key - exporter.key

Password-protected keys cannot be used.

It is not possible to use multiple root certificates. Only one is valid at a time. 
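
Before uploading, the three files can be checked against the constraints above: the key is not password-protected, the certificate is signed by the one root CA, and the key belongs to the certificate. The script below is an added example, not part of the original article or of Flowmon's tooling; the function names and the "(constructed)" subject names are assumptions, and it runs the article's commands non-interactively (with -subj) on throwaway files in a temporary directory.

```shell
#!/bin/sh
# Added example: pre-upload checks for the three files the GUI expects.
# Function names and the "(constructed)" subjects are assumptions.

# check_bundle CA_CERT CERT KEY: prints "ok" or the first failed check.
check_bundle() {
    ca=$1; crt=$2; key=$3
    # Password-protected keys cannot be used. Both PEM encodings of an
    # encrypted private key carry the word ENCRYPTED in their header.
    if grep -q 'ENCRYPTED' "$key"; then echo "key-encrypted"; return 1; fi
    # The certificate must chain to the one root CA that gets uploaded.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "not-signed-by-ca"; return 1
    fi
    # The private key must belong to the certificate (same public key).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ "$crt_pub" != "$key_pub" ]; then echo "key-mismatch"; return 1; fi
    echo "ok"
}

# make_ca DIR NAME: the article's CA commands, non-interactive via -subj.
make_ca() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$1/$2.key" -sha256 -days 1024 \
        -subj "/CN=$2 (constructed)" -out "$1/$2.pem"
}

# make_leaf DIR NAME CA_NAME: the article's exporter/collector commands.
make_leaf() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$2 (constructed)" -out "$1/$2.csr"
    cat > "$1/$2.v3.ext" << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
EOF
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -out "$1/$2.crt" -days 1024 -sha256 \
        -extfile "$1/$2.v3.ext" 2>/dev/null
}

# Demo on throwaway files in a temporary directory.
demo() {
    d=$(mktemp -d)
    make_ca "$d" rootCA && make_leaf "$d" exporter rootCA
    r=$(check_bundle "$d/rootCA.pem" "$d/exporter.crt" "$d/exporter.key")
    rm -rf "$d"; echo "$r"
}
demo
```

To check real files, call `check_bundle rootCA.pem exporter.crt exporter.key` from the directory that holds them.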
