The Syslog protocol (TLS 1.2/RFC 5424) requires the following:
- An operation-confirmed Syslog server that supports TLS 1.2.
- The server must support communication using the TLS security settings configured according to the procedure in Setting SSL/TLS communications using the Tool Panel.
- Server certificate that has been set on the Syslog server
  A server certificate can be used only if it meets the following requirements:
  Certificate type: Server certificate of Syslog server
  Requirements:
  - If the public key of the certificate is RSA, the key length must be 2048 bits or more.
  - If the public key of the certificate is ECDSA, the public key parameter must be one of the following:
    - ECDSA_P256 (secp256r1)
    - ECDSA_P384 (secp384r1)
    - ECDSA_P521 (secp521r1)
  - The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
  - The extension fields of the X.509 certificate support the following items as specified in RFC 5280:
    - subjectAltName
    - CRLDistributionPoint
    - AuthorityInfoAccess
    - BasicConstraints
    - KeyUsage
    - SubjectKeyIdentifier
    The IP address of the Syslog server must be entered in subjectAltName or CommonName. A domain name cannot be specified.
  - When you perform certificate revocation checks by using a CRL, set the URI of the CRL repository in cRLDistributionPoint (CRL distribution point) of the intermediate certificate and of the server certificate that are set on the connected server. The CRL repository must be on a network that the SVP can reach, so that the SVP can communicate with it. If the SVP cannot communicate with the CRL repository, communication with the Syslog server fails.
  - When you perform certificate revocation checks by using OCSP, set the URI of the OCSP responder correctly in authorityInfoAccess (Authority Information Access) of the intermediate certificate and of the server certificate that are set on the connected server. The OCSP responder must be on a network that the SVP can reach, so that the SVP can communicate with it. If the SVP cannot communicate with the OCSP responder, communication with the Syslog server fails.
  - Check the number of tiers in the certificate chain to be used. A maximum of 20 tiers is supported; use a certificate whose chain has no more than 20 tiers.
- Root certificate of the Syslog server
  A root certificate can be uploaded to the SVP only if it meets the following requirements:
  Certificate format:
  - X.509 DER format
  - X.509 PEM format
  Root certificate:
  - If the public key of the certificate to be uploaded to the SVP is RSA, the key length must not be less than the value set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
  - If the public key of the certificate to be uploaded to the SVP is ECDSA, the public key parameter must be one of the following:
    - ECDSA_P256 (secp256r1)
    - ECDSA_P384 (secp384r1)
    - ECDSA_P521 (secp521r1)
  - The signature hash algorithm of the certificate to be uploaded to the SVP must be SHA-256, SHA-384, or SHA-512.
- Client certificate
  A client certificate can be uploaded to the SVP only if it meets the following requirements:
  Certificate format:
  - PKCS#12 format
  TLS security settings:
  - The server must support communication using the TLS security settings configured in Setting SSL/TLS communications using the Tool Panel.
  Client certificate:
  - If the public key of the certificate to be uploaded to the SVP is RSA, the key length must not be less than the value set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
  - If the public key of the certificate to be uploaded to the SVP is ECDSA, the public key parameter must be one of the following:
    - ECDSA_P256 (secp256r1)
    - ECDSA_P384 (secp384r1)
    - ECDSA_P521 (secp521r1)
  - The signature hash algorithm of the certificate to be uploaded to the SVP must be SHA-256, SHA-384, or SHA-512.
  - If an intermediate certificate exists, you must prepare a signed public key certificate in a certificate chain that contains the intermediate certificate.
  - The certificate chain for the certificate to be uploaded must have 20 tiers or fewer, including the root CA certificate.
  Convert the client certificate signed by a CA (Certificate Authority) on the Syslog server to PKCS#12 format. For more information, see Obtaining a client certificate for the Syslog protocol.
- Certificates have expiration dates. If a certificate expires, you will no longer be able to connect to the Syslog server. Make sure to renew the certificate before it expires.
- For more information about certificate management, contact the Syslog server administrator.
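As an added pre-check, not part of this manual or of the SVP software, the following Python script (hypothetical names; it takes the fields an administrator has already read from a certificate, for example with openssl x509 -text) evaluates a certificate against the requirements above: the server certificate rules (RSA 2048 bits or more, the server's IP address in subjectAltName or CN, a CRL or OCSP URI matching the revocation check configured on the SVP, at most 20 chain tiers) and the root/client certificate rules (RSA length not below the configured Minimum Key Length).

```python
"""Check a certificate description against the SVP Syslog TLS requirements (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

ALLOWED_CURVES = {"secp256r1", "secp384r1", "secp521r1"}   # ECDSA_P256/P384/P521
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}
MAX_CHAIN_TIERS = 20
SERVER_RSA_MIN_BITS = 2048      # fixed minimum for the Syslog server certificate

@dataclass
class CertInfo:
    """Fields read from a certificate, e.g. from 'openssl x509 -text' (hypothetical layout)."""
    key_type: str                                  # "rsa" or "ecdsa"
    key_bits: int = 0                              # RSA modulus length in bits
    curve: str = ""                                # ECDSA curve name, e.g. "secp384r1"
    sig_hash: str = "sha256"                       # signature hash algorithm
    common_name: str = ""
    san_ip: list = field(default_factory=list)     # IP entries in subjectAltName
    san_dns: list = field(default_factory=list)    # DNS entries in subjectAltName
    crl_dp: list = field(default_factory=list)     # cRLDistributionPoint URIs
    ocsp_uri: list = field(default_factory=list)   # authorityInfoAccess OCSP URIs
    chain_tiers: int = 1                           # tiers including the root CA
    not_after: datetime = datetime.max.replace(tzinfo=timezone.utc)

def check_cert(cert, role, syslog_ip="", min_key_bits=2048, revocation="none", now=None):
    """Return a list of problems; an empty list means the certificate passes.
    role: "server" (Syslog server cert), "root" or "client" (certs uploaded to the SVP).
    min_key_bits: 'Minimum Key Length (Key Exchange)' from the TLS Security Settings.
    revocation: "none", "crl" or "ocsp", i.e. the revocation check configured on the SVP."""
    problems = []
    rsa_min = SERVER_RSA_MIN_BITS if role == "server" else min_key_bits
    if cert.key_type == "rsa" and cert.key_bits < rsa_min:
        problems.append(f"KEY: RSA key {cert.key_bits} bits is below {rsa_min}")
    elif cert.key_type == "ecdsa" and cert.curve not in ALLOWED_CURVES:
        problems.append(f"KEY: ECDSA curve {cert.curve} not in {sorted(ALLOWED_CURVES)}")
    elif cert.key_type not in ("rsa", "ecdsa"):
        problems.append(f"KEY: unsupported key type {cert.key_type}")
    if cert.sig_hash not in ALLOWED_HASHES:
        problems.append(f"HASH: {cert.sig_hash} is not SHA-256, SHA-384 or SHA-512")
    if cert.chain_tiers > MAX_CHAIN_TIERS:
        problems.append(f"CHAIN: {cert.chain_tiers} tiers exceeds {MAX_CHAIN_TIERS}")
    if role == "server":
        # The server's IP address must appear in subjectAltName or CN; DNS names do not count.
        if syslog_ip not in set(cert.san_ip) | {cert.common_name}:
            problems.append(f"NAME: {syslog_ip} not in subjectAltName IP entries or CN "
                            f"(DNS names present: {cert.san_dns})")
        if revocation == "crl" and not cert.crl_dp:
            problems.append("REVOCATION: CRL check enabled but no cRLDistributionPoint URI")
        if revocation == "ocsp" and not cert.ocsp_uri:
            problems.append("REVOCATION: OCSP check enabled but no authorityInfoAccess OCSP URI")
    if (now or datetime.now(timezone.utc)) >= cert.not_after:
        problems.append("EXPIRY: certificate has expired")
    return problems
```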