tls: synced the description of the client/server mutual tls auth conf…

…ig setup (#162) Signed-off-by: Hofi <[email protected]>
syslog-ng · Feb 7, 2025 · ad1fd20 · ad1fd20
2 parents d76380a + 1f9461c
commit ad1fd20
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 33 deletions.
diff --git a/...ansfer/002_Mutual_authentication_using_TLS/000_Configuring_mutual_TLS_client.md b/...ansfer/002_Mutual_authentication_using_TLS/000_Configuring_mutual_TLS_client.md
@@ -17,28 +17,28 @@ syslog() driver):
 1. Create an X.509 certificate for the {{ site.product.short_name }} client.
 
 2. Copy the certificate (for example, client_cert.pem) and the
-    matching private key (for example, client.key) to the syslog-ng
+    matching private key (for example, client.key) to the {{ site.product.short_name }}
     client host, for example, into the
     /opt/syslog-ng/etc/syslog-ng/cert.d directory. The certificate must
-    be a valid X.509 certificate in PEM format. If you want to use a
-    password-protected key, see
-    Password-protected keys.
+    be a valid X.509 certificate in PEM format. The key must be in PEM format.
+    If you want to use a password-protected key, see Password-protected keys.
 
-3. Copy the CA certificate of the Certificate Authority (for example,
-    cacert.pem) that issued the certificate of the {{ site.product.short_name }} server (or
-    the self-signed certificate of the {{ site.product.short_name }} server) to the
-    {{ site.product.short_name }} client hosts, for example, into the
+3. Copy the CA certificate (for example, cacert.pem) of the Certificate
+    Authority that issued the certificate of the {{ site.product.short_name }} server
+    (or the self-signed certificate of the {{ site.product.short_name }} server) to the
+    {{ site.product.short_name }} client host, for example, into the
     /opt/syslog-ng/etc/syslog-ng/ca.d directory.
 
-    Issue the following command on the certificate: **openssl x509
-    -noout -hash -in cacert.pem** The result is a hash (for example,
+    If you wish to use the ca-dir() option, instead of the ca-file(), in the
+    {{ site.product.short_name }} configuration file (step 4.) then
+    - issue the following command on the certificate:\
+    `openssl x509 -noout -hash -in cacert.pem`\
+    The result is a hash (for example,
     6d2962a8), a series of alphanumeric characters based on the
     Distinguished Name of the certificate.
-
-    Issue the following command to create a symbolic link to the
+    - issue the following command to create a symbolic link to the
     certificate that uses the hash returned by the previous command and
-    the **.0** suffix.
-
+    the **.0** suffix:\
     `ln -s cacert.pem 6d2962a8.0`
 
 4. Add a destination statement to the {{ site.product.short_name }} configuration file that
@@ -49,6 +49,9 @@ syslog() driver):
     Include the client\'s certificate and private key in the tls()
     options.
 
+    For the details of the available tls() options, see
+    TLS options.
+
     Example: A destination statement using mutual authentication
 
     The following destination encrypts the log messages using TLS and

diff --git a/...ansfer/002_Mutual_authentication_using_TLS/001_Configuring_mutual_TLS_server.md b/...ansfer/002_Mutual_authentication_using_TLS/001_Configuring_mutual_TLS_server.md
@@ -11,38 +11,37 @@ Complete the following steps on the {{ site.product.short_name }} server:
 
 ## Steps
 
-1. Copy the certificate (for example, syslog-ng.cert) of the syslog-ng
-    server to the {{ site.product.short_name }} server host, for example, into the
+1. Create an X.509 certificate for the {{ site.product.short_name }} server.
+
+2. Copy the certificate (for example, syslog-ng.cert) and the
+    matching private key (for example, syslog-ng.key) to the {{ site.product.short_name }}
+    server host, for example, into the
     /opt/syslog-ng/etc/syslog-ng/cert.d directory. The certificate must
-    be a valid X.509 certificate in PEM format.
+    be a valid X.509 certificate in PEM format. The key must be in PEM format.
+    If you want to use a password-protected key, see Password-protected keys.
 
-2. Copy the CA certificate (for example, cacert.pem) of the Certificate
+3. Copy the CA certificate (for example, cacert.pem) of the Certificate
     Authority that issued the certificate of the {{ site.product.short_name }} clients to
-    the {{ site.product.short_name }} server, for example, into the
+    the {{ site.product.short_name }} server host, for example, into the
     /opt/syslog-ng/etc/syslog-ng/ca.d directory.
 
-    Issue the following command on the certificate: **openssl x509
-    -noout -hash -in cacert.pem** The result is a hash (for example,
+    If you wish to use the ca-dir() option, instead of the ca-file(), in the
+    {{ site.product.short_name }} configuration file (step 4.) then
+    - issue the following command on the certificate:\
+    `openssl x509 -noout -hash -in cacert.pem`\
+    The result is a hash (for example,
     6d2962a8), a series of alphanumeric characters based on the
     Distinguished Name of the certificate.
-
-    Issue the following command to create a symbolic link to the
+    - issue the following command to create a symbolic link to the
     certificate that uses the hash returned by the previous command and
-    the **.0** suffix.
-
+    the **.0** suffix:\
     `ln -s cacert.pem 6d2962a8.0`
 
-3. Copy the private key (for example, syslog-ng.key) matching the
-    certificate of the {{ site.product.short_name }} server to the {{ site.product.short_name }} server host,
-    for example, into the /opt/syslog-ng/etc/syslog-ng/key.d directory.
-    The key must be in PEM format. If you want to use a
-    password-protected key, see Password-protected keys.
-
 4. Add a source statement to the {{ site.product.short_name }} configuration file that uses
     the tls( key-file(key_file_fullpathname)
     cert-file(cert_file_fullpathname) ) option and specify the key and
     certificate files. The source must use the source driver (network()
-    or syslog()) matching the destination driver used by the syslog-ng
+    or syslog()) matching the destination driver used by the {{ site.product.short_name }}
     client. Also specify the directory storing the certificate of the CA
     that issued the client's certificate.
 
@@ -52,7 +51,7 @@ Complete the following steps on the {{ site.product.short_name }} server:
     Example: A source statement using TLS
 
     The following source receives log messages encrypted using TLS,
-    arriving to the 1999/TCP port of any interface of the syslog-ng
+    arriving to the 1999/TCP port of any interface of the {{ site.product.short_name }}
     server.
 
     ```config