Splunk® Enterprise

Securing Splunk Enterprise

Self-sign certificates for Splunk Web

This topic provides basic examples for creating the self-signed certificates in the command line using the version of OpenSSL included with Splunk software.

There are multiple ways you can create signed certificates, depending on your organization's policies, your platform, and the tools that you are using. If you have already generated these certificates and keys, or if you are experienced in generating certificates, you can skip this task and go directly to the configuration topic Secure Splunk Web with your own certificate in this manual.

Since self-signed certificates are signed by your organization, they are not contained in browser certificate stores. As a result, web browsers consider self-signed certificates "untrusted". This produces a warning page to users and may even prevent access for the user.

Self-signed certificates are best for browser to Splunk Web communication that happens within an organization or between known entities where you can add your own CA to all browser stores that will contact Splunk Web. For any other scenario, CA-signed certificates are recommended. See Get certificates signed by a third party for Splunk Web for more information.

Before you begin

In this discussion, $SPLUNK_HOME refers to the Splunk installation directory.

  • For Windows, the default installation directory is C:\Program Files\splunk.
  • For most *nix platforms, the default installation directory is /opt/splunk.
  • For Mac OS, the default installation directory is /Applications/splunk.

See the Administration Guide to learn more about working with Windows and *nix.

Generate a new root certificate to be your Certificate Authority

1. Create a new directory to host your certificates and keys. For this example we will use $SPLUNK_HOME/etc/auth/mycerts.

We recommend that you place your new certificates in a different directory than $SPLUNK_HOME/etc/auth/splunkweb so that you don't overwrite the existing certificates. This ensures that you are able to use the certificates that ship with Splunk software in $SPLUNK_HOME/etc/auth/splunkweb for other Splunk components as necessary.

Note: If you created a self-signed certificate as described in How to self-sign certificates, you can copy that root certificate into your directory and skip to the next step: Create a new private key for Splunk Web.

2. Generate a new RSA private key. Splunk Web supports 2048 bit keys, but you can specify larger keys if they are supported by your browser.

$SPLUNK_HOME/bin/splunk cmd openssl genrsa -des3 -out myCAPrivateKey.key 2048

Note that in Windows you may need to append the location of the openssl.cnf file:

$SPLUNK_HOME\bin\splunk cmd openssl genrsa -des3 -out myCAPrivateKey.key 2048  

3. When prompted, create a password.

The private key myCAPrivateKey.key appears in your directory. This is your root certificate private key.

4. Generate a certificate signing request using the root certificate private key myCAPrivateKey.key:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr

5. Provide the password to the private key myCAPrivateKey.key.

A new CSR myCACertificate.csr appears in your directory.

6. Use the CSR to generate a new root certificate and sign it with your private key:

In *nix:

 
$SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in myCACertificate.csr -signkey myCAPrivateKey.key -out myCACertificate.pem -days 3650

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl x509 -req -in myCACertificate.csr -signkey myCAPrivateKey.key -out myCACertificate.pem -days 3650

7. When prompted, provide the password to the private key myCAPrivateKey.key.

A new certificate myCACertificate.pem appears in your directory. This is your public certificate.

Create a new private key for Splunk Web

1. Generate a new private key:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl genrsa -des3 -out mySplunkWebPrivateKey.key 2048

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl genrsa -des3 -out mySplunkWebPrivateKey.key 2048 -config

2. When prompted, create a password.

A new key, mySplunkWebPrivateKey.key, appears in your directory.

3. Remove the password from your key. (Splunk Web does not support password-protected private keys.)

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key

You can verify that your password was removed with the following command:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -text

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -text

You should be able to read the contents of your private key without providing a password.

Create and sign a server certificate

1. Create a new certificate signing request using your private key mySplunkWebPrivateKey.key:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr

The CSR mySplunkWebCert.csr appears in your directory.

2. Self-sign the CSR with the root certificate private key myCAPrivateKey.key:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095

3. When prompted, provide the password to the root certificate private key myCAPrivateKey.key.

The certificate mySplunkWebCert.pem is added to your directory. This is your server certificate.

Create a single PEM file

Combine your server certificate and public certificates, in that order, into a single PEM file.

Here's an example of how to do this in Linux:

cat mySplunkWebCert.pem myCACertificate.pem > mySplunkWebCertificate.pem

Here's an example in Windows:

type mySplunkWebCert.pem myCACertificate.pem > mySplunkWebCertificate.pem

Set up certificate chains

To use multiple certificates, append the intermediate certificate to the end of the server's certificate file in the following order:

[ server certificate ]
[ intermediate certificate ]
[ root certificate (if required) ]

So for example, a certificate chain might look like this:

	
-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the intermediate certificate)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA)...
-----END CERTIFICATE-----
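
The following script is an added example, not part of the Splunk manual. It checks the three things this topic depends on: that the Splunk Web key is no longer password-protected, that the key matches the server certificate, and that the combined PEM file lists the server certificate before the CA certificate. The function names and the OPENSSL variable are hypothetical; the file names in the usage comment are the ones used in this topic.

```shell
#!/bin/sh
# Added example (not from the Splunk manual): check the files built in this topic.
# Assumption: OPENSSL defaults to the system openssl; to use the bundled copy, set
# OPENSSL="$SPLUNK_HOME/bin/splunk cmd openssl" (the path must not contain spaces).
OPENSSL="${OPENSSL:-openssl}"

# nth_cert FILE N: print the Nth certificate block of a PEM file.
nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside && n == want           { print }
        /-----END CERTIFICATE-----/   { inside = 0 }
    ' "$1"
}

# check_splunkweb_pem KEY BUNDLE CA
# Returns 0 = consistent, 1 = encrypted key, 2 = key/cert mismatch, 3 = bad order.
check_splunkweb_pem() {
    key=$1 bundle=$2 ca=$3

    # Splunk Web cannot use a password-protected key. This matches both the
    # traditional "Proc-Type: 4,ENCRYPTED" and PKCS#8 "ENCRYPTED PRIVATE KEY" forms.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: $key is still password-protected" >&2; return 1
    fi

    # The first certificate in the bundle must carry the public half of KEY.
    key_pub=$($OPENSSL rsa -in "$key" -pubout 2>/dev/null)
    leaf_pub=$(nth_cert "$bundle" 1 | $OPENSSL x509 -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$leaf_pub" ]; then
        echo "FAIL: first certificate in $bundle does not match $key" >&2; return 2
    fi

    # Order check: certificate 1 must name certificate 2 as its issuer, and
    # certificate 2 must be the CA certificate itself (same SHA-256 fingerprint).
    leaf_issuer=$(nth_cert "$bundle" 1 | $OPENSSL x509 -noout -issuer_hash 2>/dev/null)
    next_subject=$(nth_cert "$bundle" 2 | $OPENSSL x509 -noout -subject_hash 2>/dev/null)
    next_fp=$(nth_cert "$bundle" 2 | $OPENSSL x509 -noout -fingerprint -sha256 2>/dev/null)
    ca_fp=$($OPENSSL x509 -in "$ca" -noout -fingerprint -sha256 2>/dev/null)
    if [ "$leaf_issuer" != "$next_subject" ] || [ -z "$ca_fp" ] || [ "$next_fp" != "$ca_fp" ]; then
        echo "FAIL: $bundle is not [server certificate][CA certificate]" >&2; return 3
    fi
    echo "OK: $key and $bundle are consistent"
}

# Usage: sh <this script> mySplunkWebPrivateKey.key mySplunkWebCertificate.pem myCACertificate.pem
if [ "$#" -eq 3 ]; then check_splunkweb_pem "$@"; fi
```

The order check compares issuer and subject names and the CA fingerprint; it does not validate signatures or expiry dates.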

Next steps

Now that you have your certificates, you need to distribute them and configure Splunkd and Splunk Web to use them. See Secure Splunk Web with your own certificate in this manual for more information.

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1, 7.3.2, 8.0.0


Comments

@Landen99 (ok, it's from June 30, 2017 - but for reference)
`openssl genrsa` does not have an option `-nodes`, this is only available for the `rsa` and `pkcs12` commands. But you can just leave out `-des3` and no password is asked for and no encryption is done.

Rvany
July 22, 2019

@Graether: both are true - the certificate created is the root certificate for your private CA and it's also public.

Rvany
July 22, 2019

Should
6. Use the CSR to generate a new root certificate and sign it with your private key:
not read
6. Use the CSR to generate a new public certificate and sign it with your private key:
?

Graether
June 18, 2019

Hey Landen99:

These are all really good questions. The general answer is that these instructions are one very simple path, which people with little certificate experience can use to create a simple certificate that will work with Splunk.

There are so many different options, methods, etc. for creating certificates. We wanted to avoid teaching SSL and/or the different approaches as much as possible and instead focus on one simple happy path.

We assume that people working with more complex SSL methods will not need instructions for creating a certificate. I am working on creating some new documentation that will help the advanced or intermediate user more specifically and will take your feedback into account.

Thanks so much for the feedback!
Cheers,
jen

Jworthington splunk, Splunker
November 22, 2017

Hi rturk: Good question. We are assuming the possibility that the user might perform one task but not the other. We are also assuming that these tasks are for people not familiar with certificates, so we try to be linear and not include too many shortcuts. I am working on some new topics that will provide more options for experienced users.

Pmeyerson: Yeah that is awkward wording. I've fixed it. Thanks for the tip!

N8lawrence: Indeed it is not the case here. Splunk Web certs work differently than server and forwarder certificates. It's a quirk that honestly I'm not sure I could fully explain other than "that is how we set it up to work." :)

Jworthington splunk, Splunker
November 22, 2017

Can we update these instructions to include SAN for current Chrome browser requirements?
-config san.cnf
Why does the Windows command have -config without a file referenced?
Can we include the -subj option where country, city, state, etc can be specified at the CLI?
Why create the key with a password and then remove the password, instead of just using the -nodes option?

Landen99
June 30, 2017

The section for creating server certificates asks you to include the server private key in the concatenated pem file - is that deliberately not the case here?

N8lawrence
May 31, 2017

To create a single PEM file in Windows you can follow these instructions:
type mysplunkwebcert.pem mycacertificate.pem > mysplunkwebcertificate.pem ... took me a bit to figure out what you meant by this as this is not something I typically have to do.
Thanks.

Pmeyerson
November 3, 2015

RE: "Generate a new root certificate to be your Certificate Authority", is there any reason you couldn't or wouldn't want to re-use the root certificate made as part of earlier instructions (i.e. myCAPrivateKey.key). Just thinking in terms of consistency of documentation - Cheers :-)

Rturk
August 25, 2013
