Powered by Zoomin Software. For more details please contactZoomin

Flowmon User Guide

How to Generate Keys for TLS Export

  • Last Updated: April 5, 2026
  • 4 minute read
    • Flowmon Products
    • Flowmon
    • Documentation

Before we start

This guide provides information how to generate the required keys and root Certificate Authority for encrypted (TLS) export of flows generated by the Flowmon Probe or encrypted flow forwarding from one Flowmon Collector to another over a TCP connection.

To generate keys and certificates it is possible to use the OpenSSL library, which is already installed on Flowmon Appliances or any other Linux or Windows version.

Key generation

For TCP/TLS, the set of keys and certificates must be generated for the flow exporting device (Probe) and for the Collector. All certificates must be signed by the same Certification Authority (CA). Its certificate (CA certificate) must be provided together with the key and certificate to each configuration using the TCP/TLS protocol. The CA certificate is used to ensure that the exporter and collector are legitimate.

CA root certificate

If you do not have any CA in your corporation yet, it is possible generate a private key and certificate using the following steps.

Note:

It is not possible to use multiple root certificates. Only one is valid at a time.

1. Generate a CA private key using the following command:

openssl genrsa -out rootCA.key 2048 

2. Generate a self-signed certificate for the CA:

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

This starts the process of generating a certificate, where you must specify some details you would like to have in the certificate. During the process, you will see settings that can be entered.

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CZ
State or Province Name (full name) [Some-State]:n/a
Locality Name (eg, city) []:Brno
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Flowmon Networks, a.s.
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:flowmon.com
Email Address []:support@flowmon.com

Create a certificate for the exporter/collector

Now, for each exporter and collector you must create a certificate that will be signed by the CA certificate we created (or one used in the company).

Note:

You can replace the "exporter" keyword if needed.

1. First, generate a private key:

openssl genrsa -out exporter.key 2048
Note:

Password-protected keys cannot be used.

2. Then, create a certificate signing request:

openssl req -new -key exporter.key -out exporter.csr

You will again be asked various questions like when you generated a certificate for authority. The important question to answer is the Common name, where you should specify the IP address or domain name of the appliance.

You are about to be asked to enter information that will be incorporated into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:CZ 
State or Province Name (full name) [Some-State]:n/a 
Locality Name (eg, city) []:Brno 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Flowmon Networks, a.s. 
Organizational Unit Name (eg, section) []:IT 
Common Name (e.g. server FQDN or YOUR name) []:127.0.0.1 
Email Address []:support@flowmon.com 
Please enter the following 'extra' attributes to be sent with your certificate request 
A challenge password []: 
An optional company name []: 

3. Create a configuration file with X.509 extensions to add:

cat > exporter.v3.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
EOF

4. Finally, sign it using the CA certificate and key:

openssl x509 -req -in exporter.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out exporter.crt -days 1024 -sha256 -extfile exporter.v3.ext

Command output:

Signature ok 
subject=/C=CZ/ST=n/a/L=Brno/O=Flowmon Networks, a.s./OU=IT/CN=127.0.0.1/emailAddress=support@flowmon.com 
Getting CA Private Key 

Using certificates for configuration

Repeat the previous step for all the Probes and Collectors in your infrastructure where you want to use encrypted flow export or forwarding. Once you have generated a certificates for all the devices (in addition to the root certification authority) you can upload them into devices and configure encrypted flow export or forwarding.

First, configure a Collector to accept TCP connection over TLS. To do this, edit the listening port in the Configuration Center → FMC Configuration → Listening Ports.

Upload the certificate and private key files, created in previous steps:

  • CA certificate - rootCA.pem
  • Certificate - exporter.crt
  • Private key - exporter.key

Then, configure the Probe Monitoring Port to use its certificate. To do this, edit the target in the Configuration Center → Monitoring Ports.

Upload the certificate and private key files:

  • CA certificate - rootCA.pem
  • Certificate - exporter.crt
  • Private key - exporter.key
TitleResults for “How to create a CRG?”Also Available inAlert