Splunk® Enterprise

Securing Splunk Enterprise


How to self-sign certificates

This topic describes one way you can use OpenSSL to self-sign certificates for securing forwarder-to-indexer and Inter-Splunk communication.

If you already possess or know how to generate the needed certificates, you can skip this topic and go directly to the configuration steps, described later in this manual:

Self-signed certificates are best for data communication that occurs within an organization or between known entities. If you communicate with unknown entities, we recommend CA-signed certificates to secure your data.

Before you begin

In this discussion, $SPLUNK_HOME refers to the Splunk Enterprise installation directory:

  • For Windows, Splunk software is installed in C:\Program Files\splunk by default
  • For most Unix platforms, the default installation directory is at /opt/splunk
  • For Mac OS, it is /Applications/splunk

See the Administration Guide to learn more about working with Windows and *nix.

Create a new directory for your certificates

Create a new directory to work from when creating your certificates. In our example, we are using $SPLUNK_HOME/etc/auth/mycerts:

# mkdir $SPLUNK_HOME/etc/auth/mycerts
# cd $SPLUNK_HOME/etc/auth/mycerts

This ensures you do not overwrite the Splunk-provided certificates that reside in $SPLUNK_HOME/etc/auth.

Create the root certificate

First you create a root certificate that serves as your root certificate authority. You use this root CA to sign the server certificates that you generate and distribute to your Splunk instances.

Generate a private key for your root certificate

1. Create a key to sign your certificates.

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myCAPrivateKey.key 2048

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl genrsa -aes256 -out myCAPrivateKey.key 2048

2. When prompted, create a password for the key.

When the step is completed, the private key myCAPrivateKey.key appears in your directory.

Generate and sign the certificate

1. Generate a new Certificate Signing Request (CSR):

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr

2. When prompted, enter the password you created for the private key in $SPLUNK_HOME/etc/auth/mycerts/myCAPrivateKey.key.

3. Provide the requested certificate information, including the common name if you plan to use common name checking in your configuration.

A new CSR myCACertificate.csr appears in your directory.

4. Use the CSR myCACertificate.csr to generate the public certificate:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in myCACertificate.csr -sha512 -signkey myCAPrivateKey.key -CAcreateserial -out myCACertificate.pem -days 1095

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl x509 -req -in myCACertificate.csr -sha512 -signkey myCAPrivateKey.key -CAcreateserial -out myCACertificate.pem -days 1095

5. When prompted, enter the password for the private key myCAPrivateKey.key.

A new file myCACertificate.pem appears in your directory. This is the public CA certificate that you will distribute to your Splunk instances.

Create the server certificate

Now that you have created a root certificate to serve as your CA, you must create and sign your server certificate.

A note about common name checking

This topic shows you how to create a new private key and server certificate.

You can distribute this server certificate to all forwarders and indexers, as well as to the Splunk instances that communicate on the management port. If you plan to use a different common name for each instance, repeat the process described here to create a separate certificate (each with its own common name) for each Splunk instance.

For example, if you are configuring multiple forwarders, you can follow the example below to create the certificate myServerCertificate.pem for your indexer, then create another certificate myForwarderCertificate.pem with the same root CA and install it on your forwarder. Note that an indexer only accepts a properly generated and configured forwarder certificate that is signed by the same root CA.

See Configure Splunk forwarding to use your own certificates for more information about configuring your forwarders and indexers.

Generate a key for your server certificate

1. Generate a new RSA private key for your server certificate. In this example we are again using AES encryption and a 2048-bit key length:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048

2. When prompted, create a new password for your key.

A new key myServerPrivateKey.key is created. You will use this key to encrypt the outgoing data on any Splunk software instance where you install it as part of the server certificate.

Generate and sign a new server certificate

1. Use your new server private key myServerPrivateKey.key to generate a CSR for your server certificate.

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr

2. When prompted, provide the password to the private key myServerPrivateKey.key.

3. Provide the requested information for your certificate, including a Common Name if you plan to configure Splunk software to authenticate via common-name checking.

A new CSR myServerCertificate.csr appears in your directory.

4. Use the CSR myServerCertificate.csr and your CA certificate and private key to generate a server certificate.

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095

5. When prompted, provide the password for the certificate authority private key myCAPrivateKey.key. Make sure you sign with the CA private key (-CAkey myCAPrivateKey.key), not with the server key you just created.

A new public server certificate myServerCertificate.pem appears in your directory.
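The whole procedure above run end to end and then checked, as an added example that is not from the Splunk documentation: it assumes a plain openssl on PATH instead of Splunk's bundled build, uses constructed names and passphrases, and adds an explicit basicConstraints=CA:TRUE extension to the root certificate, which the commands above leave out.

```shell
#!/bin/sh
# Added example, not Splunk's own code: runs the topic's procedure
# non-interactively in a scratch directory, then verifies the output.
# Assumes a plain "openssl" on PATH (with Splunk's bundled build use
# "$SPLUNK_HOME/bin/splunk cmd openssl"). Names and passphrases are
# constructed sample values.

# Root CA key + self-signed CA cert, then server key + CSR + CA-signed
# server cert. The subshell body keeps the "cd" local to the function.
make_splunk_certs() (
  dir=$1 ca_pass=$2 srv_pass=$3 cn=$4
  mkdir -p "$dir" && cd "$dir" &&
  # Mark the root as a CA explicitly: "x509 -req -signkey" alone adds no
  # basicConstraints, and "openssl verify" may reject such a v3 root.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf &&
  openssl genrsa -aes256 -passout "pass:$ca_pass" -out myCAPrivateKey.key 2048 &&
  openssl req -new -key myCAPrivateKey.key -passin "pass:$ca_pass" \
    -subj "/O=Example Org/CN=Example Splunk Root CA" -out myCACertificate.csr &&
  openssl x509 -req -in myCACertificate.csr -sha512 -signkey myCAPrivateKey.key \
    -passin "pass:$ca_pass" -extfile ca_ext.cnf -out myCACertificate.pem -days 1095 &&
  openssl genrsa -aes256 -passout "pass:$srv_pass" -out myServerPrivateKey.key 2048 &&
  openssl req -new -key myServerPrivateKey.key -passin "pass:$srv_pass" \
    -subj "/O=Example Org/CN=$cn" -out myServerCertificate.csr &&
  # Sign with the CA key (-CAkey), never with the server key itself.
  openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCACertificate.pem \
    -CAkey myCAPrivateKey.key -passin "pass:$ca_pass" -CAcreateserial \
    -out myServerCertificate.pem -days 1095
)

# Checks worth running before copying the files to a forwarder or indexer:
# 1. the server cert chains to the CA the peer will be configured to trust;
# 2. cert and key carry the same public key, which also catches a file that
#    is not PEM at all (the "no start line" error quoted in the comments).
verify_splunk_certs() {
  dir=$1 srv_pass=$2
  openssl verify -CAfile "$dir/myCACertificate.pem" "$dir/myServerCertificate.pem" &&
  cert_pub=$(openssl x509 -in "$dir/myServerCertificate.pem" -noout -pubkey) &&
  key_pub=$(openssl rsa -in "$dir/myServerPrivateKey.key" -passin "pass:$srv_pass" \
            -pubout 2>/dev/null) &&
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use:  sh this_script.sh run   (writes to /tmp/mycerts)
case ${1:-} in
  run) make_splunk_certs /tmp/mycerts ca-pass-demo srv-pass-demo splunk-idx01.example.test &&
       verify_splunk_certs /tmp/mycerts srv-pass-demo && echo "certificates OK" ;;
esac
```

The verify step fails on purpose when the key passphrase is wrong or the key does not belong to the certificate, so run it after any manual edit to the files.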

Next steps

You should now have the following files in the directory you created, which is everything you need to configure indexers, forwarders, and Splunk instances that communicate over the management port:

  • myServerCertificate.pem
  • myServerPrivateKey.key
  • myCACertificate.pem

Now that you have the certificates you need, prepare your server certificate (including appending any intermediate certificates), and then configure Splunk to find and use them:


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0


Comments

Hi Samhodgson,

Yes, you do need to use the Splunk version of OpenSSL.

We don't include it as an extra step because the code samples supplied in the topic point to the correct version of OpenSSL, saving a step. We talk about OpenSSL versions a bit here: http://docs.splunk.com/Documentation/Splunk/7.0.1/Security/AboutusingSSLtoolsinWindowsandLinux

I can look into adding a note or link that clarifies this issue.

Thanks!
Jen

Jworthington splunk, Splunker
January 10, 2018

TWiseOne
Jbarlow splunk,

Thanks for the feedback, you can definitely use DES. I think we were just trying to allow more options. I'll reach out to one of our experts and see if we can do a better job of describing the commands here.

Hope that helps!
Cheers,
jen

Jworthington splunk, Splunker
January 10, 2018

Do I need to use a splunk version of openssl config for this? The following article and also comments on this page suggest so:
https://answers.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certificates-and-authentication.html
This is the second time I've had to create self-signed certs for Splunk and the first effort took me hours too. I'm currently seeing:
01-10-2018 10:11:21.196 +0000 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/mycerts/myServerCertificate.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.
01-10-2018 10:11:21.196 +0000 ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong

Samhodgson
January 10, 2018

I take it we can use any AES variant? I am almost sure that it used to be DES, so just wondering if it's a typo?

TWiseOne
May 25, 2017

for "genrsa", -AES is not a param
https://wiki.openssl.org/index.php/Command_Line_Utilities#rsa_.2F_genrsa
-aes128, -aes192, -aes256

Jbarlow splunk, Splunker
May 3, 2017

"Run $SPLUNK_HOME/bin/setSplunkEnv before you create your certificates."
should be "Run source $SPLUNK_HOME/bin/setSplunkEnv before you create your certificates."
(the source command include the env variables)

Maraman splunk, Splunker
May 27, 2016

Thanks for catching that, I've fixed the directory path.

Jworthington splunk
February 3, 2014

The following sentence under "Before you begin":

"Make sure that you are using the version of OpenSSL provided with Splunk by setting your environment to the version in $SPLUNK_HOME/splunk/lib in *nix or $SPLUNK_HOME/splunk/bin in Windows."

Should read:

"Make sure that you are using the version of OpenSSL provided with Splunk by setting your environment to the version in $SPLUNK_HOME/splunk/bin in *nix or $SPLUNK_HOME\splunk\bin in Windows."

Xzjc3q
February 3, 2014

Rturk, thanks for the heads up, we've fixed that link.

Jworthington splunk, Splunker
June 19, 2013

FYI - The link ("How to prepare your signed certificates for Splunk") in the last paragraph is borked :-)

Rturk
June 17, 2013

Fixed! Thanks for the feedback.

Jworthington splunk, Splunker
November 8, 2012

There is a typo in the first code box.

'# mkdir $SPLUNK_HOME/etc/certs '
should be
'# mkdir $SPLUNK_HOME/etc/auth/mycerts'

Richprescott
November 8, 2012
