How to prepare signed certificates for inter-Splunk communication
SSL certificates let you secure communication between Splunk Enterprise components from end to end. After you obtain the certificates, you must prepare them for use with your deployment before you install and configure your deployment to use them.
In general, you have two options to obtain SSL certificates if you do not already have them available:
- You can request that a third party signs and delivers the certificates to you. This is the most secure method, but takes time and involves an outside party. See How to obtain certificates signed by a third party for inter-Splunk communication.
- You can create and sign them yourself, This is easier to do and doesn't involve an outside party, but is not nearly as secure. See How to self-sign certificates.
Both of these methods involve using the OpenSSL binary that comes with your Splunk Enterprise installation. For these options to work, the certificates and public keys that you generate or receive must adhere to the x.509 standard of public key certificates, and the private key that you generate must be in the RSA public key format.
Regardless of which method you use to generate the certificates, as part of preparing the certificates for use, you must combine them with your keys into a single file that Splunk Enterprise can use.
Create a single combined certificate file
There are several certificates that are available for combination, depending on the method you used to generate your certificates. The following procedures and filenames assume that you have created the certificates using the certificate generation procedures in this manual.
If you created and signed a certificate yourself, you have six files:
myCAPrivateKey.key
, the private key file that you used to create and sign the root certificate.myCACertificate.csr
, the root certificate signing request file.myCACertificate.pem
, the root certificate file that you generated with the private key file and the root certificate signing request file.myServerPrivateKey.key
, the private key file that you created to create and sign the server certificate.myServerCertificate.csr
, the server certificate signing request file.myServerCertificate.pem
, the server certificate file. You created this file using the private key and the server certificate signing request file.
If you got the certificate by creating a certificate signing request and submitting it to a third-party certificate authority, you have four files:
myServerPrivateKey.key
, the private key file that you created and subsequently used to create the certificate signing request.myServerCertificate.csr
, the certificate signing request file.myServerCertificate.pem
, the server certificate file that you downloaded from the certificate authority after submitting your certificate signing request.myCACertificate.pem
, the certificate authority certificate file that you downloaded from the certificate authority after downloading the server certificate.
Depending on the method you used, you must combine the server certificate, private key, and public certificate, in that order, into a single file. The file must be in privacy-enhanced mail (PEM) format.
*nix command | Windows command |
---|---|
cat myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > myCombinedServerCertificate.pem |
>type myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > myCombinedServerCertificate.pem |
After you create the combined certificate file, review the file. Its contents must contain, in the following order:
- The server certificate (
myServerCertificate.pem
). - The private key (
myServerPrivateKey.key
) - The certificate authority, or root, certificate (
myCACertificate.pem
)
Following is an example of a properly concatenated certificate:
-----BEGIN CERTIFICATE----- MIICUTCCAboCCQCscBkn/xey1TANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJV ... <Server Certificate> ... 8/PZr3EuXYk1c+N5hgIQys5a/HIn -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,CFCECC7976725DE5 S+DPcQ0l2Z1bk71N3cBqr/nwEXPNDQ4uqtecCd3iGMV3B/WSOWAQxcWzhe9JnIsl ... <Server Private Key – Passphrase protected> ... -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIICUTCCAboCCQCscBkn/xey1TANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJV ... <Certificate Authority Public Key> ... 8/PZr3EuXYk1c+N5hgIQys5a/HIn -----END CERTIFICATE-----
How to configure certificate chains
To use multiple certificates, place intermediate certificates after the server certificate and before the root certificate. You can add as many certificates as you need, in decreasing order of hierarchy, up to the root certificate.
Concatenate multiple certificates in the following order:
[ server certificate] [ intermediate certificate] [ root certificate (if required) ]
The following is an example of a certificate chain:
-----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the intermediate certificate)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the root certificate for the CA)... -----END CERTIFICATE-----
In another example, when you use Splunk forwarder to indexer certificates that contain a Private Key, the completed certificate file might look like the following:
-----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- ...<Server Private Key – Passphrase protected> -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the intermediate certificate)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the root certificate for the CA)... -----END CERTIFICATE-----
Next steps
After you combine certificates into one file, you can then configure Splunk Enterprise to locate and use the certificates.
- See Configure Splunk forwarding to use your own certificates to learn more about configuring certificate authentication for forwarding.
- See About securing inter-Splunk communication to learn more about configuring certificate authentication for inter-Splunk communications.
About cipher suites and TLS encryption | Determine your cipher suite |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12
Feedback submitted, thanks!