Get certificates signed by a third-party for Splunk Web
This topic provides basic examples for creating the third-party signed certificates necessary to configure Splunk Web for SSL authentication and encryption.
There are multiple ways you can create these certificates, depending upon your organization's policies, your network structure and the tools that you are using. If you have already generated these certificates and key, or if you are experienced with third-party certificates, you may prefer to skip this step and go directly to the configuration topic in this manual at Secure Splunk Web with your own certificate.
Before you begin
In this discussion,
$SPLUNK_HOME refers to the Splunk installation directory. On Windows, Splunk software is installed at
C:\Program Files\splunk by default. For most Unix platforms, the default installation directory is at
/opt/splunk; for Mac OS, it is
/Applications/splunk. See the Administration Guide to learn more about working with Windows and *nix.
Create a new private key for Splunk Web
1. Create a new directory to host your own certificates and keys. In this example we will use
We recommend that you place your new certificates in a different directory than
$SPLUNK_HOME/etc/auth/splunkweb so that you don't overwrite the existing certificates. This ensures that you can use the certificates that ship with Splunk for other Splunk components as necessary.
2. Generate a new private key. Splunk Web supports 2048-bit keys or larger.
$SPLUNK_HOME/bin/splunk cmd openssl genrsa -des3 -out mySplunkWebPrivateKey.key 2048
$SPLUNK_HOME\bin\splunk cmd openssl genrsa -des3 -out mySplunkWebPrivateKey.key 2048
3. Create a password when prompted to enter the passphrase for the original key.
A new private key
mySplunkWebPrivateKey.key is added to your directory. You can use this key to sign your CSR.
4. Remove the password from the private key. Splunk Web does not support private key passwords.
You can use to following command to make sure that your password was successfully removed:
If the password was successfully removed, you can view the certificate contents without providing a password.
Create a Certificate Authority (CA) request and obtain your server certificate
1. Create a new certificate signature request using your private key
$SPLUNK_HOME/bin/splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr
$SPLUNK_HOME\bin\splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr
Note for Windows platforms: If you see an error similar to this:
Try typing the following in your command prompt then run the
openssl command again:
2. Use the CSR
mySplunkWebCert.csr to request a new signed certificate from your Certificate Authority (CA). The process for requesting a signed certificate varies depending on how your Certificate Authority handles a certificate signature request. Contact your CA for more information.
3. Download the server certificate returned by your Certificate Authority. For this example, let's call it "
4. Download your Certificate Authority's public CA certificate. For this example, let's call it "
5. Make sure that both the server certificate and the public CA certificate are both in PEM format. If the certificates are not in PEM format, convert them using the
openssl command appropriate to your existing file type. Here's an example of a command that you can use for DER formats:
6. Check both certificates to make sure they have the necessary information and are not password protected.
$SPLUNK_HOME/bin/splunk cmd openssl x509 -in myCACert.pem -text $SPLUNK_HOME/bin/splunk cmd openssl x509 -in mySplunkWebCert.pem -text
$SPLUNK_HOME/bin/splunk cmd openssl x509 -in myCACert.pem -text $SPLUNK_HOME\bin\splunk cmd openssl x509 -in mySplunkWebCert.pem -text
The issuer information for
mySplunkWebCert.pem should be the subject information for
myCACert.pem (unless you are using intermediary certificates).
Combine your certificate and keys into a single file
Combine your server certificate and public certificate, in that order, into a single PEM file.
Set up certificate chains
To use multiple certificates, append the intermediate certificate to the end of the server's certificate file in the following order:
[ server certificate] [ intermediate certificate] [ root certificate (if required) ]
So for example, a certificate chain might look like this:
-----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the intermediate certificate)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the root certificate for the CA)... -----END CERTIFICATE-----
Note that the root CA that signed the intermediate certificate and all intermediary certificates must be in the browser certificate stores.
web.conf file to find and use your certificates for authentication. See
Secure Splunk Web with your own certificate for more information.
Self-sign certificates for Splunk Web
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0