Splunk® Enterprise

Securing Splunk Enterprise


How to create and sign your own TLS certificates

Transport layer security (TLS) certificates that come from third parties are the most secure way to protect communications between the components of your Splunk platform infrastructure from potential security breaches. Splunk uses TLS certificates to protect Splunk Cloud Platform deployments and forwarders that connect to those deployments. It's a Splunk best practice to use third-party TLS certs on the Splunk platform infrastructure that you manage.

If you are not able to acquire certificates from a third party, or your Splunk platform deployment receives protection from firewalls or other network infrastructure, you can secure the contact points in the deployment by creating and signing TLS certificates yourself.

As you are the certificate authority in this scenario, there is no cost to creating and signing certificates on your own. Additionally, you can create the certificates whenever you need and they are ready for use immediately after you create them, for as long as you need them.

There are caveats to this method. Because you sign these certificates yourself, third parties can't validate them. This means that although they protect communications, including across multiple sites that you or trusted parties control, and are better than the default certificates that Splunk software provides, they are not as secure as those you obtain from a third-party CA. You can use certificates you create for advanced security efforts like TLS certificate host name validation and mutually authenticated TLS (mTLS), but if you use them for Splunk Web, your browser displays warnings whenever you access Splunk Web because your self-signed certificate is not in your browser certificate store.

As a reminder, Splunk best practice is to get certificates from a third party to secure your Splunk platform deployment, regardless of whether a firewall protects that deployment, and especially if your deployment communicates with parties that you don't know.

Generate and distribute multiple self-signed certificates

You can distribute certificates that you create and sign yourself to any type of Splunk platform instance. This includes but is not limited to the following:

  • Forwarders and indexers
  • Search heads and search peers
  • Search head cluster nodes
  • Indexer cluster nodes
  • License managers and peers
  • Deployment servers and clients
  • Splunk Web and your browser
  • Search head clusters and the App Key Value Store service

If you want to use a different common name, or fully-qualified domain name, for each machine or instance type, you can create different certificates that contain a different common name. Repeat the "Create server certificates and sign them with the root certificate authority certificate" process in this topic to create the additional certificates. As long as you sign each certificate using the same certificate authority certificate, connections using the certificates work.

You can create "wildcard" certificates that protect multiple instances within a domain at once. You can also add Subject Alternative Name fields to a certificate to protect groups of individual instances.

If you already have self-signed certificates

If you already have certificates that you have created, proceed to the Next Steps section of this topic for a link to certificate installation and configuration instructions.

Prerequisites to creating and signing your own TLS certificates

Before you can create and sign your own certificates, you must have the following:

  • Administrative access to the Splunk Enterprise instance on which you want to generate and sign the certificates.
  • Access to a shell prompt, command line, or Terminal window. You can only create and sign certificates from the command line.

Create and self-sign a TLS certificate

There are several steps to creating and signing certificates on your own:

  1. Create a root certificate authority certificate.
  2. Create server certificates and sign them with the root certificate authority certificate.

Create the root certificate authority certificate

The root certificate authority certificate serves as the base certificate that you use to sign additional certificates that you'll distribute to the Splunk platform instances in your deployment. It's called the "root certificate authority certificate" for this reason: You, as the certificate authority, establish that you trust any certificates that are based on this root certificate.

You only need to create one root certificate authority certificate.

When you create the root certificate authority certificate, back up both the certificate file and the private key to a safe offline location where possible. If you lose either, you won't be able to create new certificates based on this root certificate and must generate a new root certificate. You must also replace any existing client and server certificates which are based on the lost root certificate. This can result in significant periods of downtime.

  1. Open a command line interface, for example, a shell prompt, or a Terminal or PowerShell window.
  2. Connect to the Splunk platform instance where you want to generate the certificate signing request (CSR).
  3. Create a new directory within the Splunk platform instance installation for the certificates.
    *nix command:
    mkdir $SPLUNK_HOME/etc/auth/mycerts
    Windows command:
    mkdir %SPLUNK_HOME%\etc\auth\mycerts
  4. Create a private key for your root certificate authority certificate.
    *nix command:
    $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myCertAuthPrivateKey.key 2048
    Windows command:
    %SPLUNK_HOME%\bin\splunk cmd openssl genrsa -aes256 -out myCertAuthPrivateKey.key 2048
  5. When the OpenSSL program prompts you, enter a password for the key. The OpenSSL program then creates a file myCertAuthPrivateKey.key.
  6. Use the private key myCertAuthPrivateKey.key to generate a CSR for your certificate:
    *nix command:
    $SPLUNK_HOME/bin/splunk cmd openssl req -new -key myCertAuthPrivateKey.key -out myCertAuthCertificate.csr
    Windows command:
    %SPLUNK_HOME%\bin\splunk cmd openssl req -new -key myCertAuthPrivateKey.key -out myCertAuthCertificate.csr
  7. When the OpenSSL program prompts you, enter the password you created for your private key myCertAuthPrivateKey.key.
  8. The OpenSSL program asks for several different fields. At a minimum, provide values for the following:
    • Country Name
    • State or Province Name (full name)
    • Locality Name (eg, city)
    • Organization Name (eg, company)
    • Organizational Unit Name (eg, section)
    • Common Name (e.g. server FQDN or YOUR name)
    • Email Address


    If you want to specify a wildcard certificate, when the program asks for the Common Name, prepend *. to the domain name that you want the certificate to protect. For example, if your domain name is mycompany.com, enter *.mycompany.com. The certificate protects any host at that level of the domain, such as splunkserver1.mycompany.com or splunkserver2.mycompany.com, but not hosts at a different subdomain level. It does not protect splunkserver1.eng.mycompany.com; you need a certificate with a Common Name of *.eng.mycompany.com for that.

    Additionally, you can add one or more Subject Alternative Names to the certificate. The certificate also protects those names once you install it and configure the Splunk platform to use it and to check those Subject Alternative Names.

    After you enter the information, the OpenSSL program creates a new CSR file called myCertAuthCertificate.csr.
  9. Use the CSR file you created and sign it with the private key you created previously to create the root certificate authority certificate.
    *nix command:
    $SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in myCertAuthCertificate.csr -sha512 -signkey myCertAuthPrivateKey.key -CAcreateserial -out myCertAuthCertificate.pem -days 1095
    Windows command:
    %SPLUNK_HOME%\bin\splunk cmd openssl x509 -req -in myCertAuthCertificate.csr -sha512 -signkey myCertAuthPrivateKey.key -CAcreateserial -out myCertAuthCertificate.pem -days 1095
  10. When the OpenSSL program prompts you, enter the password you created for your private key myCertAuthPrivateKey.key again. The OpenSSL program creates the root certificate authority certificate file called myCertAuthCertificate.pem.

Create server certificates and sign them with the root certificate authority certificate

After you have created the root certificate authority certificate, you can create additional certificates and then sign them with your root CA certificate.

Similar to a root CA certificate, you have to create a private key and a certificate signing request to generate a certificate for a Splunk server.

  1. Create a private key for the server certificate.
    *nix command:
    $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
    Windows command:
    %SPLUNK_HOME%\bin\splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
  2. When the OpenSSL program prompts you, enter a password for the key. The OpenSSL program then creates a file myServerPrivateKey.key.

    Do not use the same password that you used to protect the private key for the certificate authority certificate.

  3. Use the private key myServerPrivateKey.key to generate a CSR for your certificate:
    *nix command:
    $SPLUNK_HOME/bin/splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
    Windows command:
    %SPLUNK_HOME%\bin\splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
  4. When the OpenSSL program prompts you, enter the password you created for the private key myServerPrivateKey.key.
  5. Provide the requested information for your certificate. The OpenSSL program creates a new CSR file called myServerCertificate.csr.

    The information that you provide for the Common Name field is what the Splunk platform uses for TLS certificate host name validation.

  6. Use the CSR file you created, the certificate authority certificate, and the certificate authority private key to sign the request and create the server certificate.
    *nix command:
    $SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCertAuthCertificate.pem -CAkey myCertAuthPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095
    Windows command:
    %SPLUNK_HOME%\bin\splunk cmd openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCertAuthCertificate.pem -CAkey myCertAuthPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095
  7. When the OpenSSL program prompts you, enter the password you created for the private key myCertAuthPrivateKey.key again. The OpenSSL program creates the server certificate file called myServerCertificate.pem.
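The two procedures above (root certificate authority certificate, then a server certificate signed by it), together with the wildcard and Subject Alternative Name options described under the CSR step, as an added *nix shell example that is not part of this Splunk topic. It passes the subject with -subj and the key passwords with -passin/-passout so that nothing prompts, writes a small extension file so that the Subject Alternative Names end up in the signed certificate, and finishes with the checks a practitioner runs before distributing the files. The openssl binary on PATH (set OPENSSL to "$SPLUNK_HOME/bin/splunk cmd openssl" to use the bundled one), the Example Corp names, the placeholder passwords and the host names and address are assumptions. The basicConstraints and keyUsage lines on the CA certificate go beyond the page's command: without them the certificate is not marked as a certificate authority, which some TLS clients and strict verification settings reject. To produce a wildcard certificate, pass *.mycompany.com as the cn argument.

```shell
#!/bin/sh
# Added example, not Splunk's own code: non-interactive version of the
# "root CA" and "server certificate" procedures. Assumes an openssl binary on
# PATH; every name, password and address below is a constructed placeholder.
set -eu
OPENSSL="${OPENSSL:-openssl}"     # may be several words, so expanded unquoted
SUBJ_BASE="/C=US/ST=California/L=San Francisco/O=Example Corp/OU=IT"

# Step 1: AES-256 protected root CA key, CSR, and self-signed CA certificate.
# The extension file marks the certificate as a CA (an addition beyond the page).
make_root_ca() {
    dir="$1"; ca_pass="$2"
    mkdir -p "$dir"
    $OPENSSL genrsa -aes256 -passout "pass:$ca_pass" \
        -out "$dir/myCertAuthPrivateKey.key" 2048 2>/dev/null
    $OPENSSL req -new -key "$dir/myCertAuthPrivateKey.key" -passin "pass:$ca_pass" \
        -subj "$SUBJ_BASE/CN=Example Corp Root CA" \
        -out "$dir/myCertAuthCertificate.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca_ext.cnf"
    $OPENSSL x509 -req -in "$dir/myCertAuthCertificate.csr" -sha512 \
        -signkey "$dir/myCertAuthPrivateKey.key" -passin "pass:$ca_pass" \
        -extfile "$dir/ca_ext.cnf" \
        -out "$dir/myCertAuthCertificate.pem" -days 1095 2>/dev/null
}

# Step 2: server key (its own password), CSR with the host name as Common Name,
# and a certificate signed by the CA. $san is a subjectAltName list such as
# "DNS:host.example.com,DNS:host,IP:10.0.0.5"; $cn may be a wildcard.
make_server_cert() {
    dir="$1"; ca_pass="$2"; srv_pass="$3"; cn="$4"; san="$5"
    $OPENSSL genrsa -aes256 -passout "pass:$srv_pass" \
        -out "$dir/myServerPrivateKey.key" 2048 2>/dev/null
    $OPENSSL req -new -key "$dir/myServerPrivateKey.key" -passin "pass:$srv_pass" \
        -subj "$SUBJ_BASE/CN=$cn" -out "$dir/myServerCertificate.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$san" > "$dir/server_ext.cnf"
    $OPENSSL x509 -req -in "$dir/myServerCertificate.csr" -sha256 \
        -CA "$dir/myCertAuthCertificate.pem" -CAkey "$dir/myCertAuthPrivateKey.key" \
        -passin "pass:$ca_pass" -CAcreateserial -extfile "$dir/server_ext.cnf" \
        -out "$dir/myServerCertificate.pem" -days 1095 2>/dev/null
}

# Checks to run before distributing the files: does the server certificate
# chain to the CA, and does it carry the host names it is meant to protect?
verify_chain() {
    $OPENSSL verify -CAfile "$1/myCertAuthCertificate.pem" \
        "$1/myServerCertificate.pem" >/dev/null
}
cert_subject_cn() {   # prints the Common Name of the certificate in $1
    $OPENSSL x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}
cert_mentions() {     # true if the decoded certificate $1 contains the text $2
    $OPENSSL x509 -in "$1" -noout -text | grep -q -- "$2"
}

if [ "${1:-}" = "--demo" ]; then
    out="${SPLUNK_HOME:?set SPLUNK_HOME first}/etc/auth/mycerts"
    make_root_ca "$out" 'ca-password-placeholder'
    make_server_cert "$out" 'ca-password-placeholder' 'server-password-placeholder' \
        'splunkserver1.mycompany.com' 'DNS:splunkserver1.mycompany.com,DNS:splunkserver1'
    verify_chain "$out" && echo "chain OK for $(cert_subject_cn "$out/myServerCertificate.pem")"
fi
```

Run the script with --demo to write the files into $SPLUNK_HOME/etc/auth/mycerts, or source it and call make_server_cert once per host with the same CA password. The check functions are worth running on any certificate, however it was produced, before you configure the Splunk platform to use it: a certificate whose Common Name or Subject Alternative Names do not match the host fails host name validation, and one that does not chain to the CA certificate is rejected by every peer that trusts that CA.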

Next steps

Now that you have the certificate authority certificate and at least one server certificate, you can prepare the certificates for use on the Splunk platform, including concatenating any intermediate certificates.

  • Back up the certificate authority certificate and private key files to a safe place. If you lose either, you will have to recreate a new certificate authority certificate and key, and regenerate and distribute new certificates based on the new root certificate and key.
  • If you need to create additional server certificates, for example, for additional domain levels or for single or groups of IP addresses, repeat the "Create server certificates and sign them with the root certificate authority certificate" section of this topic for as many certificates as you need.
  • See How to prepare TLS certificates for use with the Splunk platform to learn how to set up your certificates to work with the Splunk platform.
Last modified on 28 February, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1