Splunk® Enterprise

Securing the Splunk Platform

Acrobat logo Download manual as PDF


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

How to obtain certificates signed by a third-party

On Splunk Enterprise only, you can use the version of OpenSSL that ships with Splunk Enterprise to obtain third-party certificates with which you can secure forwarder-to-indexer and inter-Splunk communications.

If you already possess or know how to generate the certificates, proceed directly to the following topics to configure Splunk Enterprise to use them:

To acquire third-party certificates for securing browser-to-Splunk Web communication, see Get certificates signed by a third-party for Splunk Web.

If you want to use multiple certificate common names in your configurations, you can repeat the procedures in this topic to create a different server certificate using the same root certificate authority (CA) for each instance with its own common name, then configure your Splunk platform instances to use the certificates. See Configure Splunk forwarding to use your own certificates for more information about configuring certificates for your forwarders and indexers.

Prerequisites

In this discussion, $SPLUNK_HOME refers to the Splunk Enterprise installation directory. If necessary, replace $SPLUNK_HOME with your installation directory when you use the following examples. If you run Splunk Enterprise on Windows, you might need to set this variable at the command line or in the Environment tab in the System Properties dialog.

Default home directories depend on the operating system on which you run the Splunk platform instance:

  • For Windows, the Splunk Enterprise directory is at C:\Program Files\Splunk by default.
  • For most *nix platforms, the default installation directory is at /opt/splunk.
  • For Mac OS, it is /Applications/splunk.

Create a new directory within the Splunk platform instance installation for the certificates

Create a new directory for your new certificates. In our example, we are using $SPLUNK_HOME/etc/auth/mycerts:

# mkdir $SPLUNK_HOME/etc/auth/mycerts
# cd $SPLUNK_HOME/etc/auth/mycerts

When you make a new folder you protect the existing certificates and keys in the $SPLUNK_HOME/etc/auth directory. Working in a new directory also lets you use them for other Splunk software components as necessary.

Request a server certificate

Create and sign a Certificate Signing Request (CSR) to send to your Certificate Authority.

The following example details how to create a new private key and request a server certificate. You can distribute this server certificate to all forwarders and indexers as well as other Splunk platform instances that communicate on the management port.

If you want to use different certificate common names for each instance, repeat the process to create different certificates, each with a different common name. For example, when configuring multiple forwarders, you can use this example to create the certificate myServerCertificate.pem for an indexer, then create another certificate myForwarderCertificate.pem using the same root CA, and install that certificate on your forwarder. An indexer will only accept a properly generated and configured certificate from a forwarder that is signed by the same root CA.

See Configure Splunk forwarding to use your own certificates for more information about configuring certificates for your forwarders and indexers.

Generate a private key for your server certificate

  1. Create a new private key using the OpenSSL binary that comes with the Splunk platform. The following example uses Triple Data Encryption Algorithm (3DES) encryption and a 2048-bit key length. For the most secure communications, use key lengths of 2048 bits or longer.
    Unix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl genrsa -des3 -out myServerPrivateKey.key 2048
    $SPLUNK_HOME\bin\splunk cmd openssl genrsa -des3 -out myServerPrivateKey.key 2048 
  2. When prompted, type in a password for the key.

The OpenSSL binary creates a new private key myServerPrivateKey.key in the directory. You will use this key to sign your Certificate Signing Request (CSR).

Generate a new Certificate Signing Request (CSR)

  1. Use the private key myServerPrivateKey.key that you created in the previous procedure to generate a CSR for your server certificate:
    Unix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl req -new 
    -key myServerPrivateKey.key -out myServerCertificate.csr
    $SPLUNK_HOME\bin\splunk cmd openssl req -new 
    -key myServerPrivateKey.key -out myServerCertificate.csr
  2. When prompted, type in the password you created for your private key myServerPrivateKey.key.
  3. Provide the requested information for your certificate. To use common-name checking, provide a Common Name when entering your certificate details.

The OpenSSL binary creates a new CSR file called myServerCertificate.csr in the directory.

Download and verify the server certificate and public key

All of the certificates you download must be in privacy-enhanced mail (PEM) format. If your certificate authority does not provide you with certificates in this format, you must convert them to PEM using the OpenSSL binary. The binary must be able to read the existing file format and write to PEM format. Consult the OpenSSL documentation for more information about converting different file formats.

  1. Send the CSR you created to your CA to request a new server certificate. The request process varies based on the CA you use.
  2. After the CA notifies you that your certificate is ready, download the new certificate from the CA. In this example, the file is called myServerCertificate.pem.
  3. Next, download the CA public certificate authority certificate. In this example, the file is called myCACertificate.pem.
  4. View the contents of the certificate to confirm it has everything you need:
    • The "Issuer" entry must refer to your CA's information.
    • The "Subject" entry must show the information, including country name, organization name, Common Name, and so on, that you entered when you previously created the CSR.

On *nix, you can view the contents your certificate using the following command:
$SPLUNK_HOME/bin/splunk cmd openssl x509 -in myServerCertificate.pem -text

Next steps

After you complete this procedure, the following files exist in the directory you created. Use these files to configure indexers, forwarders, and Splunk instances that communicate over the management port.

  • myServerCertificate.pem
  • myServerPrivateKey.key
  • myCACertificate.pem

Now that you have the certificates you need, you must prepare your server certificate, including appending any intermediate certificates, and then configure Splunk Enterprise to find and use the certificates.

Last modified on 20 August, 2021
PREVIOUS
How to self-sign certificates
  NEXT
Self-sign certificates for Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.2.0, 8.2.1, 8.2.2


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters