Splunk® Enterprise

Securing Splunk Enterprise

How to get certificates signed by a third-party

This topic describes one way you can use the version of OpenSSL that ships with Splunk Enterprise to obtain third-party certificates that you can use to secure your forwarder-to-indexer and inter-Splunk communication.

To get certificates that you can use to secure browser-to-Splunk Web communication, see Get certificates signed by a third-party for Splunk Web.

If you already have the certificates, or know how to generate them, you can skip this topic and go directly to the configuration steps, which are described later in this manual:

Note: If you plan to use multiple common names in your configurations, you can repeat the steps described here to create a different server certificate for each instance, each with its own common name and all signed by the same root CA, and then configure your Splunk instances to use them. See Configure Splunk forwarding to use your own certificates for more information about configuring your forwarders and indexers.

Before you begin

In this discussion, $SPLUNK_HOME refers to the Splunk Enterprise installation directory. We recommend that you follow this convention, but if you do not, you should replace $SPLUNK_HOME with your installation directory when using these examples.

For Windows, you might need to set this variable at the command line or in the Environment tab in the System Properties dialog.

Default home directories depend on your platform:

  • For Windows, the Splunk Enterprise directory is at C:\Program Files\Splunk by default.
  • For most *nix platforms, the default installation directory is at /opt/splunk.
  • For Mac OS, it is /Applications/splunk.

See the Administration Guide to learn more about working with Windows and *nix.

Create a new directory for your certificates

Create a new directory for your new certificates. In our example, we are using $SPLUNK_HOME/etc/auth/mycerts:

# mkdir $SPLUNK_HOME/etc/auth/mycerts
# cd $SPLUNK_HOME/etc/auth/mycerts

Working in a new directory leaves the default certificates and keys in $SPLUNK_HOME/etc/auth untouched, so they remain available for other Splunk software components as necessary.

Request your server certificate

Create and sign a Certificate Signing Request (CSR) to send to your Certificate Authority.

Important: This example shows you how to create a new private key and request a server certificate. You can distribute this server certificate to all forwarders, indexers, and Splunk instances that communicate on the management port. If you want to use a different common name for each instance, repeat the process described here to create a separate certificate (each with a different common name) for each of your Splunk instances.

For example, when configuring multiple forwarders, you can use the following example to create the certificate myServerCertificate.pem for your indexer, then create another certificate myForwarderCertificate.pem using the same root CA and install that certificate on your forwarder. An indexer will only accept a properly generated and configured certificate from a forwarder that is signed by the same root CA.

See Configure Splunk forwarding to use your own certificates for more information about configuring your forwarders and indexers.

Generate a private key for your server certificate

1. Create a new private key. The following example uses DES3 encryption and a 2048-bit key length. We recommend a key length of 2048 bits or higher.

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl genrsa -des3 -out myServerPrivateKey.key 2048

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl genrsa -des3 -out myServerPrivateKey.key 2048

2. When prompted, create a password for your key.

When you are done, a new private key myServerPrivateKey.key is created in your directory. You will use this key to sign your Certificate Signing Request (CSR).

Generate a new Certificate Signing Request (CSR)

1. Use your private key myServerPrivateKey.key to generate a CSR for your server certificate:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr

2. When prompted, provide the password you created for your private key myServerPrivateKey.key.

3. Provide the requested information for your certificate. To use common-name checking, make sure to provide a Common Name when entering your certificate details.

When you are done, a new CSR myServerCertificate.csr appears in your directory.

Download and verify the server certificate and public key

1. Send your CSR to your Certificate Authority (CA) to request a new server certificate. The request process varies based on the Certificate Authority you use.

2. Download the new server certificate from your Certificate Authority. For the examples in this manual, let's call this myServerCertificate.pem.

3. Also download your Certificate Authority's public CA certificate. For the examples in this manual, let's call this myCACertificate.pem.

If your Certificate Authority does not provide you with certificates in PEM format, you must convert them using the OpenSSL command appropriate to your existing file type. Consult your OpenSSL documentation for more information about converting between file types.

4. View the contents of the server certificate to make sure it has everything you need:

  • The "Issuer" entry should refer to your CA's information.
  • The "Subject" entry should show the information (country name, organization name, Common Name, etc.) that you entered when creating the CSR earlier.

Note: For *nix, you can view the contents of your certificate using the following command:

$SPLUNK_HOME/bin/splunk cmd openssl x509 -in myServerCertificate.pem -text
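The following script is an added example and is not part of the Splunk documentation or Splunk's own tooling. It runs the whole procedure above (private key, CSR, signed certificate, Issuer/Subject check) offline so that each step can be verified. A real third-party CA cannot be driven from a script, so a throwaway self-signed root created by the script stands in for it and its certificate plays the part of myCACertificate.pem. It goes slightly beyond the text in two ways: it issues a second certificate with a different Common Name under the same root, as the note on multiple common names describes, and it confirms that each certificate chains to the CA certificate and matches its private key before anything is installed. Assumed, not from the page: `openssl` is on PATH (substitute `$SPLUNK_HOME/bin/splunk cmd openssl` to use the copy that ships with Splunk Enterprise), the hostnames and passphrase are constructed placeholders, and `WORKDIR` is a scratch directory rather than `$SPLUNK_HOME/etc/auth/mycerts`.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation. Runs the certificate
# procedure offline; a throwaway self-signed root stands in for the
# third-party CA and its certificate plays the part of myCACertificate.pem.
# Assumptions: `openssl` is on PATH, WORKDIR is a scratch directory,
# the hostnames and passphrase below are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-example-passphrase-change-me}"      # constructed value
INDEXER_CN="${INDEXER_CN:-indexer01.example.internal}"     # constructed hostname
FORWARDER_CN="${FORWARDER_CN:-fwd01.example.internal}"     # constructed hostname

# Stand-in for the third-party CA: root key plus self-signed CA certificate.
make_standin_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=US/O=Example Stand-in CA/CN=Example Stand-in Root CA" \
        -keyout "$WORKDIR/standinCA.key" \
        -out "$WORKDIR/myCACertificate.pem" 2>/dev/null
}

# Steps 1-3 for one Splunk instance: $1 = file base name (myServer,
# myForwarder), $2 = Common Name. The key is encrypted with AES-256, as
# suggested in the comments on this topic, instead of DES3; -passout/-passin
# replace the passphrase prompts and -subj replaces the certificate-details
# prompts, which is where the Common Name for common-name checking is set.
make_key_and_csr() {
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" \
        -out "$WORKDIR/${1}PrivateKey.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/${1}PrivateKey.key" -passin "pass:$KEY_PASS" \
        -subj "/C=US/O=Example Org/CN=$2" \
        -out "$WORKDIR/${1}Certificate.csr" 2>/dev/null
}

# What the third-party CA does with the CSR, performed here by the stand-in root.
standin_ca_sign() {
    openssl x509 -req -in "$WORKDIR/${1}Certificate.csr" \
        -CA "$WORKDIR/myCACertificate.pem" -CAkey "$WORKDIR/standinCA.key" \
        -CAcreateserial -days 365 \
        -out "$WORKDIR/${1}Certificate.pem" 2>/dev/null
}

# Step 4: the Subject and Issuer checks from the text, extracted as plain
# strings rather than read off `openssl x509 -text` by eye.
cn_of() {  # $1 = -subject or -issuer, $2 = file base name
    openssl x509 -in "$WORKDIR/${2}Certificate.pem" -noout "$1" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
cert_subject_cn() { cn_of -subject "$1"; }
cert_issuer_cn()  { cn_of -issuer  "$1"; }

# Beyond the text: prove the certificate chains to the CA certificate and that
# the private key really belongs to it, before either file is installed.
chain_verifies() {
    openssl verify -CAfile "$WORKDIR/myCACertificate.pem" \
        "$WORKDIR/${1}Certificate.pem" >/dev/null 2>&1
}
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$WORKDIR/${1}Certificate.pem" -noout -modulus)
    key_mod=$(openssl rsa -in "$WORKDIR/${1}PrivateKey.key" \
        -passin "pass:$KEY_PASS" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Repeat steps 1-4 once per instance, each with its own Common Name and all
# signed by the same root, as the note on multiple common names describes.
run_all() {
    make_standin_ca
    make_key_and_csr myServer    "$INDEXER_CN"
    make_key_and_csr myForwarder "$FORWARDER_CN"
    standin_ca_sign  myServer
    standin_ca_sign  myForwarder
    for name in myServer myForwarder; do
        chain_verifies   "$name"
        key_matches_cert "$name"
    done
}

run_all
printf 'certificates written to %s\n' "$WORKDIR"
ls "$WORKDIR"
```

With a real CA you would drop `make_standin_ca` and `standin_ca_sign`, send the `.csr` files to the CA, save what comes back as `myServerCertificate.pem` and `myCACertificate.pem`, and run only the check functions; `chain_verifies` failing at that point usually means an intermediate certificate is missing from the CA file.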

Next steps

You should now have the following files in the directory you created, which is everything you need to configure indexers, forwarders, and Splunk instances that communicate over the management port:

  • myServerCertificate.pem
  • myServerPrivateKey.key
  • myCACertificate.pem

Now that you have the certificates you need, you must prepare your server certificate (including appending any intermediate certificates), and then configure Splunk software to find and use your certificates:


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0


Comments

This example cipher should be changed from des3 to aes256
$SPLUNK_HOME/bin/splunk cmd openssl genrsa -des3 -out myServerPrivateKey.key 2048

$SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048

Nhdpotter
March 14, 2019

Great idea Ed, I've added that to the docs. Thanks for the feedback!

Cheers,
jen

Jworthington splunk, Splunker
November 21, 2017

Hi Splunk Team,

It would be helpful if there was an instruction in this document on how to view the contents of a pem-encoded certificate that has been received from the third-party in Windows and Linux.

For instance, under the section entitled "Download and verify the server certificate and public key", at the end of point 4., there should be an instruction for verifying the server certificate in Linux such as:
"To view the contents of the PEM-encoded certificate in Linux via openssl, use the following command which will print the cert contents in plain-text.
openssl x509 -in myServerCertificate.pem -text"

Overall, a handy document.

Thank you.

Ed

Edaus
October 11, 2015
