How to Generate Keys for TLS Export
- Last Updated: April 5, 2026
- 4 minute read
- Flowmon Products
- Flowmon
- Documentation
Before we start
This guide provides information how to generate the required keys and root Certificate Authority for encrypted (TLS) export of flows generated by the Flowmon Probe or encrypted flow forwarding from one Flowmon Collector to another over a TCP connection.
To generate keys and certificates it is possible to use the OpenSSL library, which is already installed on Flowmon Appliances or any other Linux or Windows version.
Key generation
For TCP/TLS, the set of keys and certificates must be generated for the flow exporting device (Probe) and for the Collector. All certificates must be signed by the same Certification Authority (CA). Its certificate (CA certificate) must be provided together with the key and certificate to each configuration using the TCP/TLS protocol. The CA certificate is used to ensure that the exporter and collector are legitimate.
CA root certificate
If you do not have any CA in your corporation yet, it is possible generate a private key and certificate using the following steps.
It is not possible to use multiple root certificates. Only one is valid at a time.
1. Generate a CA private key using the following command:
openssl genrsa -out rootCA.key 2048
2. Generate a self-signed certificate for the CA:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
This starts the process of generating a certificate, where you must specify some details you would like to have in the certificate. During the process, you will see settings that can be entered.
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CZ
State or Province Name (full name) [Some-State]:n/a
Locality Name (eg, city) []:Brno
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Flowmon Networks, a.s.
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:flowmon.com
Email Address []:support@flowmon.com
Create a certificate for the exporter/collector
Now, for each exporter and collector you must create a certificate that will be signed by the CA certificate we created (or one used in the company).
You can replace the "exporter" keyword if needed.
1. First, generate a private key:
openssl genrsa -out exporter.key 2048
Password-protected keys cannot be used.
2. Then, create a certificate signing request:
openssl req -new -key exporter.key -out exporter.csr
You will again be asked various questions like when you generated a certificate for authority. The important question to answer is the Common name, where you should specify the IP address or domain name of the appliance.
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CZ
State or Province Name (full name) [Some-State]:n/a
Locality Name (eg, city) []:Brno
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Flowmon Networks, a.s.
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:127.0.0.1
Email Address []:support@flowmon.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Create a configuration file with X.509 extensions to add:
cat > exporter.v3.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
EOF
4. Finally, sign it using the CA certificate and key:
openssl x509 -req -in exporter.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out exporter.crt -days 1024 -sha256 -extfile exporter.v3.ext
Command output:
Signature ok
subject=/C=CZ/ST=n/a/L=Brno/O=Flowmon Networks, a.s./OU=IT/CN=127.0.0.1/emailAddress=support@flowmon.com
Getting CA Private Key
Using certificates for configuration
Repeat the previous step for all the Probes and Collectors in your infrastructure where you want to use encrypted flow export or forwarding. Once you have generated a certificates for all the devices (in addition to the root certification authority) you can upload them into devices and configure encrypted flow export or forwarding.
First, configure a Collector to accept TCP connection over TLS. To do this, edit the listening port in the Configuration Center → FMC Configuration → Listening Ports.
Upload the certificate and private key files, created in previous steps:
- CA certificate - rootCA.pem
- Certificate - exporter.crt
- Private key - exporter.key
Then, configure the Probe Monitoring Port to use its certificate. To do this, edit the target in the Configuration Center → Monitoring Ports.
Upload the certificate and private key files:
- CA certificate - rootCA.pem
- Certificate - exporter.crt
- Private key - exporter.key