Splunk® Enterprise

Securing Splunk Enterprise

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

How to obtain certificates signed by a third-party for inter-Splunk communication

On Splunk Enterprise only, you can use the OpenSSL program that ships with the product to generate files that you can subsequently use to acquire certificates from a third party. You can then use these certificates to secure communication between Splunk Web and your browser, forwarders to indexers and other inter-Splunk communications.

If you want to get third-party certificates for use with securing Splunk Web communication, the process is similar, but slightly different. See Acquire certificates signed by a third-party for Splunk Web for an explanation and the procedure.

If you already possess the third party certificates or know how to generate them, proceed to the Next Steps section of this page for instructions on how to configure the certificates.

Prerequisites for obtaining third-party certificates for inter-Splunk communication

Before you can get certificates from a third party, you must have the following:

  • You must have administrative access to the Splunk Enterprise instance on which you want to generate the files that you need to acquire the third party certificates.
  • You must have an internet connection to upload the files to the certificate authority (CA) and subsequently download the certificates from the CA. It is not necessary that the Splunk Enterprise instance has direct Internet access.

$SPLUNK_HOME refers to the Splunk Enterprise installation directory. If necessary, replace $SPLUNK_HOME with your installation directory in the following procedure. If you run Splunk Enterprise on Windows, you might need to set this variable at the command line or in the Environment tab in the System Properties dialog.

Default home directories depend on the operating system on which you run the Splunk Enterprise instance:

  • For Windows, the Splunk Enterprise directory is at C:\Program Files\Splunk by default.
  • For most *nix platforms, the default installation directory is at /opt/splunk.
  • For Mac OS, it is /Applications/splunk.

Obtain a third-party certificate for inter-Splunk communication

You must create and sign a Certificate Signing Request (CSR) to send to a certificate authority to acquire a third-party certificate. The CSR consists of the private key and certificate signing request file that you create in the procedures that follow. The CA takes the CSR, generates your certificate, and signs it. You can then download and install the certificate to ensure that communications between Splunk Enterprise components are secure.

The following procedure details how to create a new private key and request a server certificate. You can distribute this server certificate to all forwarders and indexers as well as other Splunk platform instances that communicate on the management port.

If you want to use different certificate common names for each Splunk Enterprise instance, repeat this process to create certificates that each have a different common name. For example, when you configure multiple forwarders, you can use this example to create the certificate myServerCertificate.pem for an indexer, then create another certificate for the forwarder myForwarderCertificate.pemwith the same root CA. You can then install that certificate on the forwarder. An indexer only accepts a properly generated and configured certificate from a forwarder that is signed by the same root CA.

Create a new directory within the Splunk platform instance installation for the certificates

Start the certificate acquisition process by creating a directory in your Splunk Enterprise installation for your new certificates. The following example uses $SPLUNK_HOME/etc/auth/mycerts for the directory name:

# mkdir $SPLUNK_HOME/etc/auth/mycerts
# cd $SPLUNK_HOME/etc/auth/mycerts

When you make a new folder, you protect any existing certificates and keys in the $SPLUNK_HOME/etc/auth directory on the instance. Working in a new directory also lets you use the new certificate files for other Splunk software components as you need.

Generate a private key for your server certificate

After you create the directory to store your certificate files, you must create the private key on which the certificates will be based.

  1. Create a new private key using the OpenSSL binary that comes with the Splunk installation. The following example uses Triple Data Encryption Algorithm (3DES) encryption and a 2048-bit key length. For the most secure communications, use key lengths of 2048 bits or longer.
    Unix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl genrsa -des3 -out myServerPrivateKey.key 2048
    $SPLUNK_HOME\bin\splunk cmd openssl genrsa -des3 -out myServerPrivateKey.key 2048 
  2. When prompted, type in a password for the key.

The OpenSSL binary creates a new private key myServerPrivateKey.key in the directory. You will use this key to sign your Certificate Signing Request (CSR).

Generate a new Certificate Signing Request (CSR)

After you generate the private key, you can then create the certificate signing request, which the certificate authority will use to generate your certificate.

  1. Use the private key myServerPrivateKey.key that you created in the previous procedure to generate a CSR for your server certificate:
    Unix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl req -new 
    -key myServerPrivateKey.key -out myServerCertificate.csr
    $SPLUNK_HOME\bin\splunk cmd openssl req -new 
    -key myServerPrivateKey.key -out myServerCertificate.csr
  2. When prompted, type in the password you created for your private key myServerPrivateKey.key.
  3. Provide the requested information for your certificate. To use common-name checking, provide a Common Name when entering your certificate details.

The OpenSSL binary creates a new CSR file called myServerCertificate.csr in the directory.

Submit the CSR to the certificate authority

Now that you have the CSR and private key files, you can submit these files to a certificate authority which will take the files and generate a certificate that you can download.

Splunk does not provide recommendations for certificate authorities. While it is possible to get an SSL certificate for free, in many cases you might have to pay for this service. Some web hosting sites also offer certificate generation services.

In general, submitting the CSR involves visiting the certificate authority website, filling out a form, possibly paying a fee, then sending or uploading the CSR and private key files. Because each CA has their own process for accepting this information, there is no specific process for providing the necessary information to get an SSL certificate.

Download and verify the server certificate and public key

After you submit the required files to the certificate authority of your choice, that CA will advise you when your SSL certificate is ready for download.

All of the certificates that you download must be in privacy-enhanced mail (PEM) format. If your certificate authority does not provide you with certificates in this format, you must convert them to PEM using the OpenSSL binary that comes with the Splunk Enterprise installation. The binary must be able to read the existing file format and write to PEM format. Consult the OpenSSL documentation for more information about converting different file formats.

  1. After the CA notifies you that your certificate is ready, download the new certificate from the CA. In this example, the file is called myServerCertificate.pem.
  2. Next, download the CA public certificate authority certificate. In this example, the file is called myCACertificate.pem.
  3. View the contents of the certificate to confirm it has everything you need:
    • The "Issuer" entry must refer to your CA's information.
    • The "Subject" entry must show the information, including country name, organization name, Common Name, and so on, that you entered when you previously created the CSR.

On *nix, you can view the contents of your certificate using the following command:
$SPLUNK_HOME/bin/splunk cmd openssl x509 -in myServerCertificate.pem -text

After you complete this procedure, the following additional files exist in the directory you created. Use these files to configure indexers, forwarders, and other Splunk Enterprise instances that communicate over the management port.

  • myServerCertificate.pem
  • myCACertificate.pem

Next steps

Now that you have the certificates you need, you must prepare your server certificate, including appending any intermediate certificates, and then configure Splunk Enterprise to find and use the certificates.

Last modified on 13 June, 2022
PREVIOUS
How to self-sign certificates
  NEXT
Self-sign certificates for Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters