Splunk® Enterprise

Securing the Splunk Platform

Self-sign certificates for Splunk Web

This topic provides basic examples for creating self-signed certificates on the command line using the version of OpenSSL included with Splunk software.

There are multiple ways you can create signed certificates, depending upon your organization's policies, your platform, and the tools that you are using. If you have already generated these certificates and key, or if you are experienced in generating certificates, you can skip this task and go directly to the configuration topic Secure Splunk Web with your own certificate in this manual.

Since self-signed certificates are signed by your organization, they are not contained in browser certificate stores. As a result, web browsers consider self-signed certificates "untrusted". This produces a warning page to users and may even prevent access for the user.

Self-signed certificates are best for browser to Splunk Web communication that happens within an organization or between known entities where you can add your own CA to all browser stores that will contact Splunk Web. For any other scenario, CA-signed certificates are recommended. See Get certificates signed by a third party for Splunk Web for more information.

Before you begin

In this discussion, $SPLUNK_HOME refers to the Splunk installation directory.

  • For Windows, the default installation directory is C:\Program Files\splunk.
  • For most *nix platforms, the default installation directory is /opt/splunk.
  • For Mac OS, the default installation directory is /Applications/splunk.

See the Administration Guide to learn more about working with Windows and *nix.

Generate a new root certificate to be your Certificate Authority

1. Create a new directory to host your certificates and keys. For this example we will use $SPLUNK_HOME/etc/auth/mycerts.

We recommend that you place your new certificates in a different directory than $SPLUNK_HOME/etc/auth/splunkweb so that you don't overwrite the existing certificates. This ensures that you are able to use the certificates that ship with Splunk software in $SPLUNK_HOME/etc/auth/splunkweb for other Splunk components as necessary.

Note: If you created a self-signed certificate as described in How to self-sign certificates, you can copy that root certificate into your directory and skip to the next step: Create a new private key for Splunk Web.

2. Generate a new RSA private key. Splunk Web supports 2048 bit keys, but you can specify larger keys if they are supported by your browser.

$SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myCAPrivateKey.key 2048

Note that in Windows you may need to append the location of the openssl.cnf file:

$SPLUNK_HOME\bin\splunk cmd openssl genrsa -aes256 -out myCAPrivateKey.key 2048  

3. When prompted, create a password.

The private key myCAPrivateKey.key appears in your directory. This is your root certificate private key.

4. Generate a certificate signing request using the root certificate private key myCAPrivateKey.key:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr

5. Provide the password to the private key myCAPrivateKey.key.

A new CSR myCACertificate.csr appears in your directory.

6. Use the CSR to generate a new root certificate and sign it with your private key:

In *nix:

 
$SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in myCACertificate.csr -signkey myCAPrivateKey.key -out myCACertificate.pem -days 3650

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl x509 -req -in myCACertificate.csr -signkey myCAPrivateKey.key -out myCACertificate.pem -days 3650

7. When prompted, provide the password to the private key myCAPrivateKey.key.

A new certificate myCACertificate.pem appears in your directory. This is your public certificate.

Create a new private key for Splunk Web

1. Generate a new private key:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048 -config

2. When prompted, create a password.

A new key, mySplunkWebPrivateKey.key, appears in your directory.

3. Remove the password from your key. (Splunk Web does not support password-protected private keys.)

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key

You can verify that your password was removed with the following command:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -text

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -text

You should be able to read the contents of your key without providing a password.

Create and sign a server certificate

1. Create a new certificate signing request using your private key mySplunkWebPrivateKey.key:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr

The CSR mySplunkWebCert.csr appears in your directory.

2. Self-sign the CSR with the root certificate private key myCAPrivateKey.key:

In *nix:

$SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095

In Windows:

$SPLUNK_HOME\bin\splunk cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095

3. When prompted, provide the password to the root certificate private key myCAPrivateKey.key.

The certificate mySplunkWebCert.pem is added to your directory. This is your server certificate.

Create a single PEM file

Combine your server certificate and public certificates, in that order, into a single PEM file.

Here's an example of how to do this in Linux:

cat mySplunkWebCert.pem myCACertificate.pem > mySplunkWebCertificate.pem

Here's an example in Windows:

type mySplunkWebCert.pem myCACertificate.pem > mySplunkWebCertificate.pem

Set up certificate chains

To use multiple certificates, append the intermediate certificate to the end of the server's certificate file in the following order:

[ server certificate ]
[ intermediate certificate ]
[ root certificate (if required) ]

So for example, a certificate chain might look like this:

	
-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the intermediate certificate)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA)...
-----END CERTIFICATE-----
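
The following script checks the files produced by the steps in this topic, including the ordering described under "Create a single PEM file" and "Set up certificate chains". It is an added example, not part of the Splunk documentation: the function name check_splunkweb_certs and the OPENSSL variable are assumptions, and the file names are the ones used above.

```shell
#!/bin/sh
# Added example, not Splunk's code. To use the bundled binary, run with
# OPENSSL="$SPLUNK_HOME/bin/splunk cmd openssl".
OPENSSL="${OPENSSL:-openssl}"

# check_splunkweb_certs DIR: prints one line per problem found and
# returns 0 only if no check failed (WARN lines do not fail the check).
# Usage: check_splunkweb_certs "$SPLUNK_HOME/etc/auth/mycerts"
check_splunkweb_certs() {
    dir=$1; rc=0
    key=$dir/mySplunkWebPrivateKey.key
    cert=$dir/mySplunkWebCert.pem
    ca=$dir/myCACertificate.pem
    chain=$dir/mySplunkWebCertificate.pem

    # 1. Splunk Web cannot read a password-protected key. An encrypted PEM
    #    key has "ENCRYPTED" in its header (traditional or PKCS#8 form).
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: $key is still password-protected"; rc=1
    else
        # 2. The server certificate must carry the public half of this key.
        kmod=$($OPENSSL rsa -in "$key" -noout -modulus 2>/dev/null) || kmod=""
        cmod=$($OPENSSL x509 -in "$cert" -noout -modulus 2>/dev/null) || cmod=""
        if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
            echo "FAIL: $cert does not match $key"; rc=1
        fi
        # The key is now plaintext, so file permissions are its only protection.
        if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
            echo "WARN: $key is readable by group or others"
        fi
    fi

    # 3. The server certificate must verify against the root certificate.
    if ! $OPENSSL verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 4. Order in the combined file: "openssl x509" parses only the first
    #    certificate in a PEM file, which must be the server certificate.
    first=$($OPENSSL x509 -in "$chain" -noout -fingerprint -sha256 2>/dev/null) || first=""
    leaf=$($OPENSSL x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null) || leaf=""
    if [ -z "$first" ] || [ "$first" != "$leaf" ]; then
        echo "FAIL: $chain does not start with the server certificate"; rc=1
    fi
    return $rc
}
```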

Next steps

Now that you have your certificates, you need to distribute them and configure Splunkd and Splunk Web to use them. See Secure Splunk Web with your own certificate in this manual for more information.

Last modified on 19 February, 2020

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5

