
How to create certificates to authorize Bro's SSL connections
=============================================================

- Create a global CA key/certificate once:

  * Create some directory to store the CA stuff, and create
    a few things there:

        mkdir <ca-dir>
        cd <ca-dir>
        mkdir private newcerts cert crl
        chmod 700 private
        touch index.txt
        echo 01 >serial
        cp bro/openssl.conf .

  * Create a private CA key (you will be prompted for a passphrase):
        openssl genrsa -des3 -out private/ca_key.pem

  * Self-sign it:
        openssl req -new -x509 -key private/ca_key.pem -out ca_cert.pem -days 1095

- For each Bro:

  * Create a private key (w/o password):
        openssl genrsa -out bro_key.pem

  * Create a certification request:
        openssl req -new -key bro_key.pem -out bro.csr

  * Create a certificate using the CA key (the file named after -config
    must be the OpenSSL config copied into <ca-dir> above; it tells
    "openssl ca" where the CA key, serial and index.txt live):
        openssl ca -config openssl.cnf -in bro.csr -out bro_cert.pem

  * Verify that the certificate is ok:
        openssl verify -CAfile ca_cert.pem bro_cert.pem

  * Concatenate Bro key and certificate:
        cat bro_key.pem bro_cert.pem >bro.pem

  * Copy this and the CA certificate to the IDS machine:
        scp bro.pem ca_cert.pem ids:...

  * Redef Bro's variables to point to the files:
        redef ssl_ca_certificate = "...../ca_cert.pem";
        redef ssl_private_key = "...../bro.pem";

  * Remove the unnecessary stuff (bro.pem contains the unencrypted
    private key, so do not leave copies lying around):
        rm bro_key.pem bro.csr bro_cert.pem bro.pem
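The whole procedure above as one unattended POSIX shell script. This is an added example, not part of Bro and not Bro's own openssl.conf: it writes a minimal openssl.cnf of its own (the section names bro_ca, bro_policy, v3_ca and v3_bro, the passphrase "ca-passphrase" and all paths are constructed placeholders), assumes openssl is on PATH, replaces the interactive prompts with -subj, -batch and -passin/-passout, and leaves bro.pem in place for you to scp to the IDS machine. It goes one step beyond the page: verify_bro_pem checks both that the certificate chains to this CA and that the private key bundled in bro.pem matches it, so a mismatched key/cert pair is caught before deployment.

```shell
#!/bin/sh
# Added example (not Bro's own script): unattended CA setup and per-Bro
# certificate issuance following the steps above. Assumes `openssl` on PATH.
# Section names, the passphrase and all paths below are constructed here.
set -eu

CA_PASS="pass:ca-passphrase"   # constructed placeholder; use a real one

# make_ca <ca-dir>: CA directory layout, a minimal openssl.cnf, an
# encrypted CA key and a self-signed CA certificate (1095 days, as above).
make_ca() {
    mkdir -p "$1"
    ca_dir=$(cd "$1" && pwd)   # absolute, so `dir=` in the config is stable
    mkdir -p "$ca_dir/private" "$ca_dir/newcerts" "$ca_dir/cert" "$ca_dir/crl"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"
    # Minimal stand-in for bro/openssl.conf; \$dir is expanded by OpenSSL.
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = bro_ca
[ bro_ca ]
dir             = $ca_dir
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/ca_cert.pem
private_key     = \$dir/private/ca_key.pem
default_md      = sha256
default_days    = 365
policy          = bro_policy
x509_extensions = v3_bro
[ bro_policy ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_bro ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF
    openssl genrsa -des3 -passout "$CA_PASS" -out "$ca_dir/private/ca_key.pem" 2048
    openssl req -new -x509 -config "$ca_dir/openssl.cnf" -subj "/CN=Bro CA" \
        -key "$ca_dir/private/ca_key.pem" -passin "$CA_PASS" \
        -out "$ca_dir/ca_cert.pem" -days 1095
}

# issue_bro_cert <ca-dir> <out-dir> <common-name>: unencrypted key, CSR,
# CA-signed certificate, verification, then key+cert concatenated into
# <out-dir>/bro.pem (the file to scp to the IDS); intermediates are removed.
issue_bro_cert() {
    ca_dir=$1; out_dir=$2; cn=$3
    mkdir -p "$out_dir"
    openssl genrsa -out "$out_dir/bro_key.pem" 2048
    openssl req -new -config "$ca_dir/openssl.cnf" -subj "/CN=$cn" \
        -key "$out_dir/bro_key.pem" -out "$out_dir/bro.csr"
    openssl ca -batch -config "$ca_dir/openssl.cnf" -passin "$CA_PASS" \
        -in "$out_dir/bro.csr" -out "$out_dir/bro_cert.pem"
    # set -e stops here rather than ship a certificate the CA does not vouch for
    openssl verify -CAfile "$ca_dir/ca_cert.pem" "$out_dir/bro_cert.pem"
    cat "$out_dir/bro_key.pem" "$out_dir/bro_cert.pem" > "$out_dir/bro.pem"
    chmod 600 "$out_dir/bro.pem"   # it contains the private key
    rm "$out_dir/bro_key.pem" "$out_dir/bro.csr" "$out_dir/bro_cert.pem"
}

# verify_bro_pem <ca-dir> <bro.pem>: 0 if the certificate in bro.pem chains to
# this CA and its public key matches the bundled private key, 1 otherwise.
verify_bro_pem() {
    openssl verify -CAfile "$1/ca_cert.pem" "$2" >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Stand-alone use: sh make-bro-certs.sh <ca-dir> <bro-out-dir> <common-name>
if [ $# -eq 3 ]; then
    make_ca "$1"
    issue_bro_cert "$1" "$2" "$3"
    verify_bro_pem "$1" "$2/bro.pem" && echo "ok: $2/bro.pem is signed by $1/ca_cert.pem"
fi
```

For a real deployment, use the openssl.conf shipped with Bro instead of the stand-in written by make_ca, and treat bro.pem like any other unencrypted private key: copy it to the IDS machine over scp and delete the working copy, as the last step above does.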
