How to get certificates signed by a third-party
This topic describes one way you can use the version of OpenSSL that ships with Splunk Enterprise to obtain third-party certificates that you can use to secure your forwarder-to-indexer and inter-Splunk communication.
To get certificates that you can use to secure for browser-to-Splunk Web communication, see Get certificates signed by a third-party for Splunk Web.
If you already possess or know how to generate the certificates you can, skip this topic and go directly to the configuration steps, which are described later in this manual:
Note: If you plan to use multiple common names in your configurations, you can repeat the steps described here to create a different server certificate using the same root CA for each instance with it's own common name and then configure your Splunk instances to use them. See Configure Splunk forwarding to use your own certificates for more information about configuring your forwarders and indexers.
Before you begin
In this discussion,
$SPLUNK_HOME refers to the Splunk Enterprise installation directory. We recommend that you follow this convention, but if you do not, you should replace $SPLUNK_HOME with your installation directory when using these examples.
For Windows, you might need to set this variable at the command line or in the Environment tab in the System Properties dialog.
Default home directories depend on your platform:
- For Windows, the Splunk Enterprise directory is at
C:\Program Files\Splunkby default.
- For most *nix platforms, the default installation directory is at
- For Mac OS, it is
See the Administration Guide to learn more about working with Windows and *nix.
Create a new directory for your certificates
Create a new directory for your new certificates. In our example, we are using
# mkdir $SPLUNK_HOME/etc/auth/mycerts # cd $SPLUNK_HOME/etc/auth/mycerts
When you make a new folder you protect the existing certificates and keys in
$SPLUNK_HOME/etc/auth. Working in a new directory protects the default certificates and lets you use them for other Splunk Software components as necessary.
Request your server certificate
Create and sign a Certificate Signing Request (CSR) to send to your Certificate Authority.
Important: This example shows you how to create a new private key and request a server certificate. You can distribute this server certificate to all forwarders, indexers as well your Splunk instances that communicate on the management port. If you want to use a different common names for each instance, you simply repeat the process described here to create different certificates (each with a different common name) for your Splunk instances.
For example, when configuring multiple forwarders, you can use the following example to create the certificate
myServerCertificate.pem for your indexer, then create another certificate
myForwarderCertificate.pem using the same root CA and install that certificate on your forwarder. An indexer will only accept a properly generated and configured certificate from a forwarder that is signed by the same root CA.
See Configure Splunk forwarding to use your own certificates for more information about configuring your forwarders and indexers.
Generate a private key for your server certificate
1. Create a new private key. The following example uses DES3 encryption and a 2048 bit key length. We recommend a key length of 2048 or higher.
$SPLUNK_HOME/bin/splunk cmd openssl genrsa -des3 -out myServerPrivateKey.key 2048
$SPLUNK_HOME\bin\splunk cmd openssl genrsa -des3 -out myServerPrivateKey.key 2048
2. When prompted, create a password for your key.
When you are done, a new private key
myServerPrivateKey.key is created in your directory. You will use this key to sign your Certificate Signing Request (CSR).
Generate a new Certificate Signing Request (CSR)
1. Use your private key
myServerPrivateKey.key to generate a CSR for your server certificate:
$SPLUNK_HOME/bin/splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
$SPLUNK_HOME\bin\splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
2. When prompted, provide the password you created for your private key
3. Provide the requested information for your certificate. To use common-name checking, make sure to provide a Common Name when entering your certificate details.
When you are done, a new CSR
myServerCertificate.csr appears in your directory.
Download and verify the server certificate and public key
1. Send your CSR to your Certificate Authority (CA) to request a new server certificate. The request process varies based on the Certificate Authority you use.
2. Download the new server certificate from your Certificate Authority. For the examples in this manual, let's call this
3. Also download your Certificate Authority's public CA certificate. For the examples in this manual, let's call this
If your Certificate Authority does not provide you with certificates in PEM format, you must convert them using the OpenSSL command appropriate to your existing file type, consult your OpenSSL documentation for more information about converting different file types.
4. View the contents to make sure it has everything you need:
- The “Issuer” entry should refer to your CA’s information.
- The “Subject” entry should show the information (country name, organization name, Common Name, etc) that you entered when creating the CSR earlier.
Note: For *nix, you can view the contents your certificate using the following command:
$SPLUNK_HOME\bin\splunk cmd openssl x509 -in myServerCertificate.pem -text
You should now have the following files in the directory you created, which is everything you need to configure indexers, forwarders, and Splunk instances that communicate over the management port:
Now that you have the certificates you need, you must prepare your server certificate (including appending any intermediate certificates), and then configure Splunk software to find and use your certificates:
- See "How to prepare your signed certificates for Splunk" to learn how to set up your certificates to work with Splunk.
- See "Configure Splunk forwarding to use your own certificates" to learn more about configuring certificate authentication for forwarding.
- See "About securing inter-Splunk communication" to learn more about configuring certificate authentication for inter-Splunk communications.
How to self-sign certificates
Self-sign certificates for Splunk Web
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4