Splunk® Enterprise

Securing Splunk Enterprise

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

How to create and sign your own TLS certificates

Transport layer security (TLS) certificates that come from third parties are the most secure way to protect communications between your Splunk platform infrastructure from potential security breaches. If you are not able to acquire certificates from a third party, or your Splunk platform deployment receives protection from firewalls or other network infrastructure, you can secure the contact points in the deployment by creating and signing TLS certificates yourself.

As you are the certificate authority, there is no cost to creating and signing certificates on your own. Additionally, you can create the certificates whenever you need and they are ready for use immediately after you create them.

Because you sign these certificates yourself, third parties can't validate them. This means that even though they can protect communications, even across multiple sites that you or trusted parties control, and are better than the default certificates that Splunk software provides, they are not as secure as those which you obtain from a third-party CA. You can use certificates you create for advanced security efforts like TLS certificate host name validation and mutually authenticated TLS (mTLS), but if you use them for Splunk Web, your browser will display warnings whenever you access Splunk Web because your self-signed certificate won't be in your browser certificate store.

As a reminder, Splunk best practice is to get certificates from a third party to secure your Splunk platform deployment, regardless of whether a firewall protects that deployment, and especially if your deployment communicates with parties that you don't know.

Generate and distribute multiple self-signed certificates

You can distribute certificates that you create and sign yourself to any type of Splunk platform instance. This includes but is not limited to the following:

  • Forwarders and indexers
  • Search heads and search peers
  • Search head cluster nodes
  • Indexer cluster nodes
  • License managers and peers
  • Deployment servers and clients
  • Splunk Web and your browser
  • Search head clusters and the App Key Value Store service

If you want to use a different common name for each machine or instance type, you can create different certificates, each with a different common name, for those instances, by repeating the "Create server certificates and sign them with the root certificate authority certificate" process in this topic. As long as you have signed the certificates using the same certificate authority certificate, connections using the certificates work.

You can create wildcard certificates that protect multiple instances within a domain at once. You can also add Subject Alternate Name fields to a certificate to protect groups of individual instances.

If you already have self-signed certificates

If you already have certificates that you have created, proceed to the Next Steps section of this topic for a link to certificate installation and configuration instructions.

Prerequisites to creating and signing your own TLS certificates

Before you can create and sign your own certificates, you must have the following:

  • Administrative access to the Splunk Enterprise instance on which you want to generate and sign the certificates.
  • Access to a shell prompt, command line, or Terminal window. You can only create and sign certificates from the command line.

Create and self-sign a TLS certificate

There are several steps to creating and signing certificates on your own:

  1. Create a root certificate authority certificate.
  2. Create server certificates and sign them with the root certificate authority certificate.

Create the root certificate authority certificate

The root certificate authority certificate serves as the base certificate that you use to sign the certificates that you'll distribute to the Splunk platform instances in your deployment. It's called the "root certificate authority certificate" for this reason: You, as the certificate authority, establish that you trust the certificates that are based on this root certificate.

You only need to create one root certificate authority certificate.

When you create the root certificate authority certificate, back up both the certificate file and the private key to a safe offline location where possible. If you lose either, you won't be able to create new certificates based on this root certificate and must generate a new root certificate. You must also replace any existing client and server certificates which are based on the lost root certificate. This can result in significant periods of downtime.

  1. Open a command line interface, for example, a shell prompt, or a Terminal or PowerShell window.
  2. Connect to the Splunk platform instance where you want to generate the CSR.
  3. Create a new directory within the Splunk platform instance installation for the certificates.
    *nix command Windows command
    mkdir $SPLUNK_HOME/etc/auth/mycerts
    mkdir %SPLUNK_HOME%\etc\auth\mycerts
  4. Create a private key for your root certificate authority certificate.
    *nix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myCertAuthPrivateKey.key 2048
    %SPLUNK_HOME%\bin\splunk cmd openssl genrsa -aes256 -out myCertAuthPrivateKey.key 2048
  5. When the OpenSSL program prompts you, enter a password for the key. The OpenSSL program then creates a file myCertAuthPrivateKey.key.
  6. Use the private key myCertAuthPrivateKey.key to generate a CSR for your certificate:
    Unix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl req -new
    -key myCertAuthPrivateKey.key -out myCertAuthCertificate.csr
    $SPLUNK_HOME\bin\splunk cmd openssl req -new
    -key myCertAuthPrivateKey.key -out myCertAuthCertificate.csr
  7. When the OpenSSL program prompts you, enter the password you created for your private key myCertAuthPrivateKey.key.
  8. The OpenSSL program asks for several different fields. At a minimum, provide values for the following:
    • Country Name
    • State or Province Name (full name)
    • Locality Name (eg, city)
    • Organization Name (eg, company)
    • Organizational Unit Name (eg, section)
    • Common Name (e.g. server FQDN or YOUR name)
    • Email Address


    If you want to specify a wildcard certificate, when the program asks for the Common Name, prepend a *. to the top-level domain name that you want the certificate to protect as the response. For example, if your top level domain name is mycompany.com, enter *.mycompany.com. The certificate protects any machine within that domain level, but not domains on different subdomain levels. For example splunkserver1.mycompany.com or splunkserver2.mycompany.com. It does not protect splunkserver1.eng.mycompany.com, you need a certificate with a Common Name of *.eng.mycompany.com for that.

    Additionally, you can provide one or more Subject Alternate Names which the certificate will also protect when you install and configure the Splunk platform to use it and check those Subject Alternate Names.

    After you enter the information, the OpenSSL program creates a new CSR file called myCertAuthCertificate.csr.
  9. Use the CSR file you created and sign it with the private key you created previously to create the root certificate authority certificate.
    Unix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in myCertAuthCertificate.csr -sha512
     -signkey myCertAuthPrivateKey.key -CAcreateserial -out myCertAuthCertificate.pem -days 1095
    %SPLUNK_HOME%\bin\splunk cmd openssl x509 -req -in myCertAuthCertificate.csr -sha512
     -signkey myCertAuthPrivateKey.key -CAcreateserial -out myCertAuthCertificate.pem -days 1095
  10. When the OpenSSL program prompts you, enter the password you created for your private key myCertAuthPrivateKey.key again. The OpenSSL program creates the root certificate authority certificate file called myCertAuthCertificate.pem.

Create server certificates and sign them with the root certificate authority certificate

After you have created the root certificate authority certificate, you can create additional certificates and then sign them with your root CA certificate.

Similar to a root CA certificate, you have to create a private key and a certificate signing request to generate a certificate for a Splunk server.

  1. Create a private key for the server certificate.
    *nix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
    %SPLUNK_HOME%\bin\splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
  2. When the OpenSSL program prompts you, enter a password for the key. The OpenSSL program then creates a file myServerPrivateKey.key.

    Do not use the same password you used to sign the private key for the certificate authority certificate.

  3. Use the private key myServerPrivateKey.key to generate a CSR for your certificate:
    Unix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl req -new -key 
    myServerPrivateKey.key -out myServerCertificate.csr
    $SPLUNK_HOME/bin/splunk cmd openssl req -new -key 
    myServerPrivateKey.key -out myServerCertificate.csr
  4. When the OpenSSL program prompts you, enter the password you created for the private key myServerPrivateKey.key.
  5. Provide the requested information for your certificate. The OpenSSL program creates a new CSR file called myCertAuthCertificate.csr.

    The information that you provide for the Common Name field is what the Splunk platform uses for TLS certificate host name validation.

  6. Use the CSR file you created and sign it with the private key you created previously, the certificate authority certificate, and its private key to create the server certificate.
    Unix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in 
    myServerCertificate.csr -SHA256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key 
    -CAcreateserial -out myServerCertificate.pem -days 1095
    %SPLUNK_HOME%\bin\splunk cmd openssl x509 -req -in myCertAuthCertificate.csr -sha512
     -signkey myCertAuthPrivateKey.key -CAcreateserial -out myCertAuthCertificate.pem -days 1095
  7. When the OpenSSL program prompts you, enter the password you created for the private key myCertAuthPrivateKey.key again. The OpenSSL program creates the server certificate file called myServerCertificate.pem.

Next steps

Now that you have the certificate authority certificate and at least one server certificate, you can prepare the certificates for use on The Splunk platform, including concatenating any intermediate certificates.

  • Back up the certificate authority certificate and private key files to a safe place. If you lose either, you will have to recreate a new certificate authority certificate and key, and regenerate and distribute new certificates based on the new root certificate and key.
  • If you need to create additional server certificates, for example, for additional domain levels or for single or groups of IP addresses, repeat the "Create server certificates and sign them with the root certificate authority certificate" section of this topic for as many certificates as you need.
  • See Prepare your signed TLS certificates to learn how to set up your certificates to work with the Splunk platform.
Last modified on 13 June, 2022
PREVIOUS
How to obtain certificates from a third-party for Splunk Web
  NEXT
How to prepare TLS certificates for use with the Splunk platform

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters