Certificates
- Last Updated: May 5, 2026
- 4 minute read
Use the Certificates page to manage keys and X.509 certificates for encrypted (TLS) export of flows from the Flowmon Probe. TLS flow export authenticates both sides (mutual TLS): each side presents a certificate whose signature chain is validated against the same root CA certificate.
The table lists one root CA certificate per row. Expand a root CA certificate to display its certificate pairs. A certificate pair is a device certificate signed by the expanded root CA together with the private key that belongs to it.
Add a root CA certificate
To upload a new root CA certificate, click New CA Certificate and provide:
- Name
- Description (optional)
- Certificate file (.crt or .pem)
Add a certificate pair
To upload a new certificate pair, click New Certificate Pair and provide:
- Name
- Description (optional)
- Private key file (.key)
- Certificate file (.crt or .pem)
After adding a certificate pair, you can use it in a TCP/TLS export Target. The Usage column shows how many targets use the certificate pair and the detail view lists the individual targets.
All certificates can be downloaded (download icon), replaced (pencil icon), or deleted (trash bin icon). A certificate pair can only be deleted when no target uses it, and a root CA certificate can only be deleted after all of its certificate pairs have been deleted. Click Reload to refresh the usage counts in the table.
Key generation
You can generate keys and certificates with the OpenSSL toolkit, which is installed on Flowmon appliances and available on most Linux and Windows systems.
For TCP/TLS you must generate a:
- Root CA private key and self-signed CA certificate (only once unless you rotate the CA).
- Private key and signed certificate for each device (Probe or Collector) that participates in encrypted transport.
Root CA certificate
If you do not already have a corporate CA, generate a private key and self-signed root certificate.
- Generate the CA private key:
openssl genrsa -out rootCA.key 2048
- Generate the self-signed root CA certificate:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
During the prompt, enter the Distinguished Name (DN) fields. You can leave fields empty by pressing Enter or entering a period (.). Sample input:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CZ
State or Province Name (full name) [Some-State]:n/a
Locality Name (eg, city) []:Brno
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Flowmon Networks, a.s.
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:flowmon.com
Email Address []:example@flowmon.com
Keep rootCA.key secret. Distribute rootCA.pem only to the systems that need to trust the CA.
Probe and Collector certificates
Create one certificate for each Probe and each Collector. All must be signed by the same CA. Replace the placeholder <name> with the device name.
Do not password protect private keys. Password-protected keys are not supported.
- Generate the private key:
openssl genrsa -out <name>.key 2048
- Create the Certificate Signing Request (CSR):
openssl req -new -key <name>.key -out <name>.csr
Enter the DN fields. Set the Common Name to the appliance Fully Qualified Domain Name (FQDN) or IP address used by peers (for example, 127.0.0.1 or probe01.example.com).
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CZ
State or Province Name (full name) [Some-State]:n/a
Locality Name (eg, city) []:Brno
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Flowmon Networks, a.s.
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:127.0.0.1
Email Address []:example@flowmon.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
- Optional but recommended: create an extensions file that defines the X.509 v3 extensions (without it, openssl x509 -req issues a certificate with no extensions at all):
cat > <name>.v3.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
EOF
- Sign the CSR with the CA certificate and key:
openssl x509 -req -in <name>.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out <name>.crt -days 1024 -sha256 -extfile <name>.v3.ext
Command output example:
Signature ok
subject=/C=CZ/ST=n/a/L=Brno/O=Flowmon Networks, a.s./OU=IT/CN=127.0.0.1/emailAddress=example@flowmon.com
Getting CA Private Key
Resulting files
- rootCA.key: Root CA private key (keep secret).
- rootCA.pem: Root CA self-signed certificate (distribute for trust).
- rootCA.srl: Serial file created automatically to track issued certificate serial numbers.
- <name>.key: Device private key (keep only on the device).
- <name>.crt: Device certificate signed by the root CA.
- <name>.v3.ext: Extensions file used during signing (optional, can be deleted after signing).
- <name>.csr: CSR (temporary, can be deleted after signing).
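The whole procedure above as a non-interactive script, followed by the checks worth running on a certificate pair before uploading it to the Certificates page (chain validates against the root CA, key is not password protected, key and certificate match, certificate is not itself a CA). This is an added example, not Flowmon tooling; it assumes openssl is on PATH and the working directory is writable, and the subject values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Flowmon's own tooling). Assumes openssl on PATH and a
# writable working directory; subject fields are constructed placeholders.
set -eu

# Root CA key and self-signed certificate (once per CA, as in the docs).
make_root_ca() {
    openssl genrsa -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
        -subj "/C=CZ/O=Example Org/CN=Example Root CA" -out rootCA.pem
}

# Unencrypted device key, CSR with CN set to the address peers use, and a
# CA-signed certificate carrying the v3 extensions from the docs.
make_device_cert() {
    name=$1; cn=$2
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -key "$name.key" -subj "/C=CZ/O=Example Org/CN=$cn" \
        -out "$name.csr"
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' \
        'basicConstraints=CA:FALSE' \
        'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
        > "$name.v3.ext"
    openssl x509 -req -in "$name.csr" -CA rootCA.pem -CAkey rootCA.key \
        -CAcreateserial -out "$name.crt" -days 1024 -sha256 \
        -extfile "$name.v3.ext" 2>/dev/null
}

# Pre-upload checks for one certificate pair. Returns 0 only if all pass.
check_device_cert() {
    name=$1
    # 1. Signature chain validates against the root CA.
    openssl verify -CAfile rootCA.pem "$name.crt" >/dev/null || return 1
    # 2. Key is not password protected (encrypted PEM keys say ENCRYPTED).
    ! grep -q ENCRYPTED "$name.key" || return 1
    # 3. Public key in the certificate is the one derived from the key.
    key_pub=$(openssl pkey -in "$name.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$name.crt" -pubkey -noout)
    [ "$key_pub" = "$crt_pub" ] || return 1
    # 4. The device certificate is not a CA certificate.
    openssl x509 -in "$name.crt" -noout -text | grep -q 'CA:FALSE' || return 1
}
```

Run make_root_ca once, then make_device_cert and check_device_cert for each Probe and Collector; a failing check points at the file to fix before the pair reaches a TCP/TLS export target.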