How to obtain certificates from a third-party for inter-Splunk communication
Transport layer security (TLS) certificates that come from third parties are the most secure way to protect communications between your Splunk platform infrastructure from potential security breaches. In this context, "inter-Splunk communication" means any type of communication that does not involve Splunk Web, and includes but isn't limited to the following kinds of communication:
- Forwarders and indexers
- Search heads and search peers
- Search head cluster nodes
- Indexer cluster nodes
- License managers and peers
- Deployment servers and clients
- Search head clusters and the App Key Value Store service
There are a number of options available to obtain a valid TLS certificate from a third party certificate authority (CA).
Option | Description | Advantages | Caveats | Learn more |
---|---|---|---|---|
Get a certificate from a CA | You can request and download a certificate that a CA signs and prepares for you. | Fastest, simplest, most secure way to secure your Splunk platform infrastructure | Almost always involves a cost; CAs might attempt to bundle additional, unnecessary services | Learn more |
Create a certificate signing request (CSR) to send to a CA | You generate the certificate signing request, and the CA signs the certificate with that request and returns the signed certificate. | Free, or lower cost than buying a certificate from a CA directly | Requires technical skill and experience using command line tools | Learn more |
If using a third party CA is not an option for technical or budgetary reasons, you can always create your own certificates. | ||||
Generate and sign your own certificate | You are the CA. You create and sign the certificate | Free; acceptable for securing deployments in a private network, or with IP addresses rather than host names | Requires technical skill and experience using command line tools; might result in browser certificate warnings | Learn more |
If you already have third-party certificates for inter-Splunk communication
If you already have the third-party certificates, proceed to the Next Steps section of this topic for a link to certificate installation and configuration instructions.
If you need third-party certificates for Splunk Web
If you need third-party certificates for use with securing Splunk Web communication, the process is similar, but slightly different. See How to obtain certificates from a third-party for Splunk Web for an explanation and the procedure.
Prerequisites for obtaining certificates for inter-Splunk communication
Before you can get certificates from a third party, you must have the following:
- A decision on the method you want to use to get the third-party certificates.
- Administrative access to the Splunk Enterprise instance on which you want to generate the files that you need to acquire the third party certificates.
- An internet connection to upload files to the CA and download the certificates from the CA. It is not necessary that the Splunk Enterprise instance has direct Internet access.
- Access to a shell prompt, command line, or Terminal window. You can only create certificate signing requests from the command line.
Steps to obtain a third-party certificate for inter-Splunk communication
The process you use to get certificates from a third party depends on how you want to get the certificates, as described earlier in this topic. You don't need to do both of these procedures to obtain a certificate.
Get certificates from a CA
This is the fastest option for obtaining third-party certificates, but almost always involves a cost, depending on the kind of certificate you need. Many certificate authorities let you purchase and download the certificate immediately.
- Visit the certificate authority where you want to get the certificate.
- Provide information about the domains that the certificate is to protect.
You can specify a wildcard certificate or supply subject alternative names for your certificate in this step. This might involve an increased cost over a standard certificate.
- Pay for the certificate.
- Download the certificate when it is available.
- Proceed to the Next Steps section in this topic for a link to instructions on how to install and configure the certificate.
Create a certificate signing request to send to a CA
If you want, you can create and sign a CSR to send to a CA to acquire a third-party certificate. The CSR is based on the private key and certificate signing request file that you create in the procedures that follow. The CA takes the CSR, generates your certificate, and signs it. Some CAs do not charge for this, but might limit the kinds of certificates they issue for free.
In general, submitting a CSR involves visiting the certificate authority website, filling out a form, possibly paying a fee, then sending or uploading the CSR file. Because each CA has their own process for accepting this information, there is no specific process for providing the necessary information to get a TLS certificate.
All of the certificates that you download must be in privacy-enhanced mail (PEM) format. If your certificate authority does not provide you with certificates in this format, you can convert them to PEM format using the OpenSSL binary that comes with the Splunk platform installation. The program must be able to read the existing file format and write to PEM format. Consult the OpenSSL documentation for more information about converting certificate file formats.
- Open a command line interface, for example, a shell prompt, or a Terminal or PowerShell window.
- Connect to the Splunk platform instance where you want to generate the CSR.
- Create a new directory within the Splunk platform instance installation for the certificates.
*nix command Windows command mkdir $SPLUNK_HOME/etc/auth/mycerts
mkdir %SPLUNK_HOME%\etc\auth\mycerts
- Create a private key for your certificates The following example uses Advanced Encryption Standard (AES) encryption and a 2048-bit key length.
*nix command Windows command $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
%SPLUNK_HOME%\bin\splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
- When the OpenSSL command prompts for a password, type in one. The OpenSSL command then creates a file
myServerPrivateKey.key
. - Use the private key
myServerPrivateKey.key
to generate a CSR for your certificate:Unix command Windows command $SPLUNK_HOME/bin/splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
$SPLUNK_HOME\bin\splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
- When prompted, type in the password you created for your private key
myServerPrivateKey.key
. - Provide the requested information for your certificate. The OpenSSL program asks for several different fields. At a minimum, provide values for the following fields:
- Country Name
- State or Province Name (full name)
- Locality Name (eg, city)
- Organization Name (eg, company)
- Organizational Unit Name (eg, section)
- Common Name (e.g. server FQDN or YOUR name)
- Email Address
If you want to specify a wildcard certificate, when the program asks for the Common Name, prepend a
After you enter the information, the OpenSSL program creates a new CSR file called*.
to the top-level domain name that you want the certificate to protect as the response. For example, if your top level domain name ismycompany.com
, enter*.mycompany.com
. The certificate protects any machine within that domain level, for examplesplunkserver1.mycompany.com
orsplunkserver2.mycompany.com
.
Conversely, you can provide one or more Subject Alternative Names which the certificate will protect instead of the Common Name when you install and configure the Splunk platform to use it.myServerCertificate.csr
. - Visit the website of a certificate authority that can generate a certificate from a CSR.
- Provide information about the certificate, including the domains that the certificate is to protect.
- (Optional) If necessary, pay for the certificate.
- Upload the CSR file to the CA website.
- Download the certificate when it is available.
- Download the CA public certificate authority certificate.
- View the contents of the certificate to confirm it meets your needs.
Unix command Windows command $SPLUNK_HOME/bin/splunk cmd openssl x509 -in myServerCertificate.pem -text
%SPLUNK_HOME%/bin/splunk cmd openssl x509 -in myServerCertificate.pem -text
- The "Issuer" entry must refer to the information that the CA provides.
- The "Subject" entry must show the information that you entered when you created the CSR, including country name, organization name, Common Name, and so on.
- If you can successfully verify the certificate, proceed to the Next Steps section in this topic for a link to instructions on how to install and configure the certificate.
Next steps
Now that you have certificates, you must prepare them, including appending any intermediate certificates. This step must happen before you can configure Splunk Enterprise to find and use the certificates.
- See How to prepare TLS certificates for the Splunk platform for instructions on configuring certificates to work with the Splunk platform.
Steps for securing your Splunk Enterprise deployment with TLS | How to obtain certificates from a third-party for Splunk Web |
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1
Feedback submitted, thanks!