Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.

How to prepare TLS certificates for use with the Splunk platform

TLS certificates let you secure communication between Splunk Enterprise components from end to end. After you get the certificates, you need to prepare them for use with your deployment before you install them and configure your deployment to use them.

As part of preparing TLS certificates for use, you must combine them with the private keys that you either received or generated to create the certificates into a single certificate file that the Splunk platform can use.

All certificates and respective keys that you use on the Splunk platform must be concatenated in this manner. A certificate or key alone does not work, even if you configure it correctly. Regardless of the service or contact point you secure, they all must use combined certificates files.

Create a single combined certificate file

After you obtain certificates, several files are available depending on the method you used to get them. You will combine these files into one file. You must combine the files in the right order and the combined file must be in the correct format. If you don't combine them correctly, your Splunk platform instance won't be able to use the file to secure its communications with other instances.

If you got the certificate by purchasing them from a certificate authority, you'll have the following at a minimum:

  • The private key file
  • The server certificate file
  • The certificate authority certificate file, which was used to create the server certificate

The certificate authority certificate is also known as the root certificate.

If you got the certificate by creating a certificate signing request and submitting that request to a CA, you will have the following:

  • The private key file that you created and subsequently used to create the certificate signing request
  • The certificate signing request file
  • The server certificate file that you downloaded from the certificate authority after submitting your certificate signing request.
  • The certificate authority certificate file that you downloaded from the certificate authority after downloading the server certificate.

If you created and signed a certificate yourself, you will have the following:

  • The private key file that you used to create and sign the certificate authority certificate.
  • The certificate authority certificate signing request file
  • The root certificate file that you generated with the private key file and the certificate authority certificate signing request file
  • The private key file that you created to create and sign the server certificate
  • The server certificate signing request file
  • The server certificate file. You created this file using the private key and the server certificate signing request file

Depending on the method you used, you must combine the server certificate, the private key, and the public certificate, in that order, into a single file. The combined file must be in privacy-enhanced mail (PEM) format.

*nix command Windows command 
cat <server certificate file> <server private key file> <certificate authority certificate file> > <combined server certificate file>
 
type <server certificate file> <server private key file> <certificate authority certificate file> > <combined server certificate file>

After you create the combined certificate file, review it using a text editor. Its contents must contain, in the following order:

  • The server certificate
  • The private key
  • The certificate authority certificate

Following is an example of a properly concatenated certificate. Each certificate and key must include the "BEGIN" and "END" markers to be considered complete. 

        -----BEGIN CERTIFICATE-----
        MIICUTCCAboCCQCscBkn/xey1TANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJV
        ...
        <Server Certificate>
        ...
        8/PZr3EuXYk1c+N5hgIQys5a/HIn
        -----END CERTIFICATE-----
        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: 4,ENCRYPTED
        DEK-Info: DES-EDE3-CBC,CFCECC7976725DE5
        
        S+DPcQ0l2Z1bk71N3cBqr/nwEXPNDQ4uqtecCd3iGMV3B/WSOWAQxcWzhe9JnIsl
        ...
        <Server Private Key – Passphrase protected>
        ...
        -----END RSA PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        MIICUTCCAboCCQCscBkn/xey1TANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJV
        ...
        <Certificate Authority Public Key>
        ...
        8/PZr3EuXYk1c+N5hgIQys5a/HIn

        -----END CERTIFICATE-----

How to configure a certificate chain

To use multiple certificates, place any intermediate certificates after the server certificate and before the root certificate. You can add as many intermediate certificates as you need, in decreasing order of hierarchy, up to the root certificate.

Concatenate multiple certificates in the following order: 

[ server certificate]
[ intermediate certificate]
[ certificate authority certificate (if required) ]

The following is an example of a certificate chain: 

	
-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the intermediate certificate)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA)...
-----END CERTIFICATE-----

Valid certificate chains must contain the -----BEGIN CERTIFICATE---- and -----END CERTIFICATE----- certificate markers to be valid. Do not remove these markers from the certificate file.

In another example, when you use Splunk forwarder to indexer certificates that contain a Private Key, the completed certificate file might look like the following: 

-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...<Server Private Key – Passphrase protected>
 -----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the intermediate certificate)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the certificate authority certificate)...
-----END CERTIFICATE-----

Next steps

After you combine certificates into one file, you can then configure the Splunk platform to use the certificates.

Last modified on 23 February, 2023
How to create and sign your own TLS certificates   Configure Splunk indexing and forwarding to use TLS certificates

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters