Splunk® Enterprise

Securing Splunk Enterprise


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Get certificates signed by a third-party for Splunk Web

This topic provides basic examples for creating the third-party signed certificates necessary to configure Splunk Web for SSL authentication and encryption.

There are multiple ways you can create these certificates, depending upon your organization's policies, your network structure and the tools that you are using. If you have already generated these certificates and key, or if you are experienced with third-party certificates, you may prefer to skip this step and go directly to the configuration topic in this manual at Secure Splunk Web with your own certificate.

Before you begin

In this discussion, $SPLUNK_HOME refers to the Splunk installation directory. On Windows, Splunk software is installed at C:\Program Files\splunk by default. For most Unix platforms, the default installation directory is at /opt/splunk; for Mac OS, it is /Applications/splunk. See the Administration Guide to learn more about working with Windows and *nix.

Create a new private key for Splunk Web

1. Create a new directory to host your own certificates and keys. In this example we will use $SPLUNK_HOME/etc/auth/mycerts.

We recommend that you place your new certificates in a different directory than $SPLUNK_HOME/etc/auth/splunkweb so that you don't overwrite the existing certificates. This ensures that you can use the certificates that ship with Splunk for other Splunk components as necessary.

2. Generate a new private key. Splunk Web supports 2048-bit keys or larger.


In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl genrsa -des3 -out mySplunkWebPrivateKey.key 2048

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl genrsa -des3 -out mySplunkWebPrivateKey.key 2048

3. Create a password when prompted to enter the passphrase for the original key.

A new private key mySplunkWebPrivateKey.key is added to your directory. You can use this key to sign your CSR.

4. Remove the password from the private key. Splunk Web does not support private key passwords.


In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key

You can use the following command to make sure that your password was successfully removed:

# openssl rsa -in mySplunkWebPrivateKey.key -text

If the password was successfully removed, you can view the key contents without providing a password.

Create a Certificate Authority (CA) request and obtain your server certificate

1. Create a new certificate signature request using your private key mySplunkWebPrivateKey.key:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr 

Note for Windows platforms: If you see an error similar to this:

Unable to load config info from c:\\build-amd64-5.0.2-20130120-1800\\splunk/ssl/openssl.cnf

Try typing the following in your command prompt then run the openssl command again:

set OPENSSL_CONF=c:/Program Files/Splunk/openssl.cnf

2. Use the CSR mySplunkWebCert.csr to request a new signed certificate from your Certificate Authority (CA). The process for requesting a signed certificate varies depending on how your Certificate Authority handles a certificate signature request. Contact your CA for more information.

3. Download the server certificate returned by your Certificate Authority. For this example, let's call it "mySplunkWebCert.pem."

4. Download your Certificate Authority's public CA certificate. For this example, let's call it "myCACert.pem."

5. Make sure that the server certificate and the public CA certificate are both in PEM format. If the certificates are not in PEM format, convert them using the openssl command appropriate to your existing file type. Here's an example of a command that you can use for DER formats:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl x509 -in mySplunkWebCert.crt -inform DER -out mySplunkWebCert.pem -outform PEM

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl x509 -in myCACert.crt -inform DER -out myCACert.pem -outform PEM

6. Check both certificates to make sure they have the necessary information and are not password protected.

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl x509 -in myCACert.pem -text
$SPLUNK_HOME/bin/splunk cmd openssl x509 -in mySplunkWebCert.pem -text

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl x509 -in myCACert.pem -text
$SPLUNK_HOME\bin\splunk cmd openssl x509 -in mySplunkWebCert.pem -text

The issuer information for mySplunkWebCert.pem should be the subject information for myCACert.pem (unless you are using intermediary certificates).

Combine your certificate and keys into a single file

Combine your server certificate and public certificate, in that order, into a single PEM file.
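The combining step above, preceded by the checks this topic asks for (unencrypted key, issuer match), as an added shell example that is not part of the Splunk manual. It assumes the CA signed the server certificate directly, with no intermediates; the function names and the output file name are hypothetical, and on a Splunk host `openssl` would be run as `$SPLUNK_HOME/bin/splunk cmd openssl`.

```shell
#!/bin/sh
# Added example, not from the Splunk manual. Function names and the output
# file name are hypothetical; the other file names are the ones the page uses.
# e.g. build_splunkweb_chain mySplunkWebPrivateKey.key mySplunkWebCert.pem \
#          myCACert.pem mySplunkWebCombined.pem

# True only if the private key loads without a passphrase. The empty -passin
# stops openssl from prompting when the key is still encrypted.
key_is_unencrypted() {
    openssl rsa -in "$1" -noout -passin pass: 2>/dev/null
}

# True only if the certificate carries the public half of the private key.
key_matches_cert() {
    key_pub=$(openssl rsa -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Usage: build_splunkweb_chain KEY SERVER_CERT CA_CERT OUTPUT
build_splunkweb_chain() {
    key=$1 server=$2 ca=$3 out=$4
    key_is_unencrypted "$key" ||
        { echo "key is passphrase-protected or unreadable" >&2; return 1; }
    key_matches_cert "$key" "$server" ||
        { echo "key does not match the server certificate" >&2; return 2; }
    # Signature-level form of the issuer/subject comparison in step 6.
    openssl verify -CAfile "$ca" "$server" >/dev/null 2>&1 ||
        { echo "server certificate does not verify against this CA" >&2; return 3; }
    # Server certificate first, CA certificate second. "awk 1" also adds a
    # missing final newline so the two PEM blocks cannot run together.
    awk 1 "$server" "$ca" > "$out" || return 4
    # openssl x509 reads only the first certificate in a file, so the combined
    # file must report the server certificate's fingerprint.
    first=$(openssl x509 -in "$out" -noout -fingerprint -sha256) || return 5
    want=$(openssl x509 -in "$server" -noout -fingerprint -sha256) || return 5
    [ "$first" = "$want" ] || return 5
}
```

A non-zero return identifies which check failed: 1 for a key that still has a passphrase, 2 for a key/certificate mismatch, 3 for a certificate that does not verify against the supplied CA.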

Set up certificate chains

To use multiple certificates, append the intermediate certificate to the end of the server's certificate file in the following order:

[ server certificate ]
[ intermediate certificate ]
[ root certificate (if required) ]

So for example, a certificate chain might look like this:

... (certificate for your server)...
... (the intermediate certificate)...
... (the root certificate for the CA)...

Note that the root CA that signed the intermediate certificate and all intermediary certificates must be in the browser certificate stores.

Next steps

Configure Splunk's web.conf file to find and use your certificates for authentication. See Secure Splunk Web with your own certificate for more information.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2


Jcurtiss, we've updated the topic based on your feedback. Thanks for the comment!

Andrewb splunk, Splunker
February 16, 2020

$SPLUNK_HOME\bin\splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key -config $SPLUNK_HOME\openssl.cnf

"unknown option -config"

December 2, 2019

Nhdpotter, thanks for these suggestions. I've filed a request for the responsible writer to confirm and update the info.

Andrewb splunk, Splunker
August 30, 2019


like in the link https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Howtoself-signcertificates

August 29, 2019

we should not be recommending to do genrsa -des3

We should be recommending aes

August 29, 2019

@Jworthington splunk
I just did a test with version 7.1.2 on Linux with an encrypted private key. The password in web.conf -> [settings] -> sslPassword was "encrypted" during the restart of Splunk, Splunk Web was started without any message in the terminal window and I could connect to port 8000 and log in. I also checked that my newly created certificate was used. I re-checked, commented out "sslPassword" and restarted Splunk again, which led to error messages in the terminal window and also in splunkd.log. Removing the comment and restarting led to the same running behaviour as described first.

July 22, 2019

Hi Xysarah,

My understanding is that we still do not support private key passwords in Splunk Web. I've reached out to our dev team to see if this has been updated in the back end without my knowledge and will let you know what I find out. (And update the docs accordingly). Thanks so much for pointing this out!


Jworthington splunk, Splunker
June 14, 2018

"Splunk Web does not support private key passwords" from this document conflicts with the web.conf in "https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Webconf". The parameter "sslPassword" in web.conf is to protect the private key with a password.
So which one is correct? Does Splunk Web support private key passwords?

June 11, 2018

I believe there's a mistake in section "Create a new private key for Splunk Web", Step 4, Windows:

To remove the password from private key on a Windows host the command should be:
# openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key -config $SPLUNK_HOME\openssl.cnf

# openssl rsa -in mySplunkWebPrivate.key -text
This just outputs the contents but doesn't change the password

May 5, 2015

Useful article. It might be nice to include the commands on how to chain the web and CA certs together though.

September 20, 2013

Hi Adam,

Thanks for the feedback! I agree that a larger key size is more secure, so I've added that as a recommendation.

Jworthington splunk, Splunker
November 26, 2012

My 2045 generation command should have been:
# openssl genrsa -des3 -out mySplunkWebPrivateKey.key 2048

Adam Sealey
November 25, 2012

The command
# openssl genrsa -desf3 -out mySplunkWebPrivateKey.key 1024

should be
# openssl genrsa -des3 -out mySplunkWebPrivateKey.key 1024

I changed mine to 2048 per organizational requirements, which I would suggest others do as well
# openssl genrsa -desf3 -out mySplunkWebPrivateKey.key 2048

Adam Sealey
November 23, 2012
