Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

How to prepare signed certificates for inter-Splunk communication

SSL certificates let you secure communication between Splunk Enterprise components from end to end. After you obtain the certificates, you must prepare them for use with your deployment before you install and configure your deployment to use them.

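In general, you have two options to obtain SSL certificates if you do not already have them available:

  • Create and sign the certificates yourself.
  • Create a certificate signing request and submit it to a third-party certificate authority.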

Both of these methods involve using the OpenSSL binary that comes with your Splunk Enterprise installation. For these options to work, the certificates and public keys that you generate or receive must adhere to the X.509 standard for public key certificates, and the private key that you generate must be in the RSA public key format.

Regardless of which method you use to generate the certificates, as part of preparing the certificates for use, you must combine them with your keys into a single file that Splunk Enterprise can use.

Create a single combined certificate file

There are several certificates that are available for combination, depending on the method you used to generate your certificates. The following procedures and filenames assume that you have created the certificates using the certificate generation procedures in this manual.

If you created and signed a certificate yourself, you have six files:

  • myCAPrivateKey.key, the private key file that you used to create and sign the root certificate.
  • myCACertificate.csr, the root certificate signing request file.
  • myCACertificate.pem, the root certificate file that you generated with the private key file and the root certificate signing request file.
  • myServerPrivateKey.key, the private key file that you created to create and sign the server certificate.
  • myServerCertificate.csr, the server certificate signing request file.
  • myServerCertificate.pem, the server certificate file. You created this file using the private key and the server certificate signing request file.

If you got the certificate by creating a certificate signing request and submitting it to a third-party certificate authority, you have four files:

  • myServerPrivateKey.key, the private key file that you created and subsequently used to create the certificate signing request.
  • myServerCertificate.csr, the certificate signing request file.
  • myServerCertificate.pem, the server certificate file that you downloaded from the certificate authority after submitting your certificate signing request.
  • myCACertificate.pem, the certificate authority certificate file that you downloaded from the certificate authority after downloading the server certificate.

Depending on the method you used, you must combine the server certificate, private key, and public certificate, in that order, into a single file. The file must be in privacy-enhanced mail (PEM) format.

*nix command:

        cat myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > myCombinedServerCertificate.pem

Windows command:

        type myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > myCombinedServerCertificate.pem

After you create the combined certificate file, review the file. It must contain the following, in this order:

  • The server certificate (myServerCertificate.pem).
  • The private key (myServerPrivateKey.key).
  • The certificate authority, or root, certificate (myCACertificate.pem).

Following is an example of a properly concatenated certificate:

        -----BEGIN CERTIFICATE-----
        MIICUTCCAboCCQCscBkn/xey1TANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJV
        ...
        <Server Certificate>
        ...
        8/PZr3EuXYk1c+N5hgIQys5a/HIn
        -----END CERTIFICATE-----
        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: 4,ENCRYPTED
        DEK-Info: DES-EDE3-CBC,CFCECC7976725DE5
        
        S+DPcQ0l2Z1bk71N3cBqr/nwEXPNDQ4uqtecCd3iGMV3B/WSOWAQxcWzhe9JnIsl
        ...
        <Server Private Key – Passphrase protected>
        ...
        -----END RSA PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        MIICUTCCAboCCQCscBkn/xey1TANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJV
        ...
        <Certificate Authority Public Key>
        ...
        8/PZr3EuXYk1c+N5hgIQys5a/HIn
        -----END CERTIFICATE-----

How to configure certificate chains

To use multiple certificates, place intermediate certificates after the server certificate and before the root certificate. You can add as many certificates as you need, in decreasing order of hierarchy, up to the root certificate.

Concatenate multiple certificates in the following order:

[ server certificate ]
[ intermediate certificate ]
[ root certificate (if required) ]

The following is an example of a certificate chain:

-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the intermediate certificate)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA)...
-----END CERTIFICATE-----

In another example, when you use Splunk forwarder-to-indexer certificates that contain a private key, the completed certificate file might look like the following:

-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...<Server Private Key – Passphrase protected>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the intermediate certificate)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA)...
-----END CERTIFICATE-----
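
A structural check for the "review the file" step, as an added example that is not part of the Splunk documentation: it confirms the block order shown in the examples that include a private key (server certificate, private key, then CA certificates) and catches broken BEGIN/END lines. The function names and the placeholder sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Splunk code): structural check of a combined PEM file.

# Print each block label in file order; exit 1 on broken BEGIN/END framing.
pem_block_labels() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN .+-----$/ {
            if (cur != "") { bad = 1; exit }    # previous block never closed
            cur = $0
            sub(/^-----BEGIN /, "", cur); sub(/-----$/, "", cur)
            print cur; next
        }
        /^-----END .+-----$/ {
            label = $0
            sub(/^-----END /, "", label); sub(/-----$/, "", label)
            if (label != cur) { bad = 1; exit } # END does not match its BEGIN
            cur = ""
        }
        END { if (bad || cur != "") exit 1 }
    ' "$1"
}

# Require: server certificate, private key, then one or more CA certificates.
# Labels only: this cannot tell which certificate belongs to the server.
check_combined_pem() {
    labels=$(pem_block_labels "$1") || { echo "malformed PEM framing"; return 1; }
    first=$(printf '%s\n' "$labels" | sed -n 1p)
    second=$(printf '%s\n' "$labels" | sed -n 2p)
    rest=$(printf '%s\n' "$labels" | sed 1,2d)
    [ "$first" = "CERTIFICATE" ] || { echo "block 1 is not a certificate"; return 1; }
    case "$second" in
        *"PRIVATE KEY") ;;      # the page examples show "RSA PRIVATE KEY"
        *) echo "block 2 is not a private key"; return 1 ;;
    esac
    [ -n "$rest" ] || { echo "no CA certificate after the key"; return 1; }
    if printf '%s\n' "$rest" | grep -qvx 'CERTIFICATE'; then
        echo "unexpected block after the key"; return 1
    fi
    echo "ok: $(printf '%s\n' "$labels" | wc -l | tr -d ' ') blocks in expected order"
}

# Constructed sample with placeholder bodies (not real certificates or keys).
pem_block() { printf '%s\n' "-----BEGIN $1-----" "QUJD" "-----END $1-----"; }
demo_combined() {
    { pem_block CERTIFICATE; pem_block "RSA PRIVATE KEY"; pem_block CERTIFICATE; } > "$1"
}

if [ "$#" -eq 1 ]; then check_combined_pem "$1"; fi
```

Pass the path of the combined file as the only argument; a stray leading space before a BEGIN or END line is reported as malformed framing.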

Next steps

After you combine certificates into one file, you can then configure Splunk Enterprise to locate and use the certificates.

Last modified on 13 June, 2022

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12

