Splunk® Enterprise

Securing Splunk Enterprise

How to obtain certificates from a third-party for Splunk Web

Transport layer security (TLS) certificates that come from third parties are the most secure way to protect communications that involve Splunk Web from potential security breaches. There are a number of options available to obtain a valid TLS certificate from a third party certificate authority (CA) for use with Splunk Web.

Option Description Advantages Caveats Learn more
Get a certificate from a CA You can request and download a certificate that a CA signs and prepares for you. Fastest, simplest, most secure way to secure your Splunk platform infrastructure Almost always involves a cost; CAs might attempt to bundle additional, unnecessary services Learn more
Create a certificate signing request (CSR) to send to a CA You generate the certificate signing request, and the CA signs the certificate with that request and returns the signed certificate. Free, or lower cost than buying a certificate from a CA directly Requires technical skill and experience using command line tools Learn more

If you already have third-party certificates for Splunk Web

If you already have the third-party certificates, proceed to the Next Steps section of this topic for a link to certificate installation and configuration instructions.

If you need third-party certificates for inter-Splunk communication

If you need third-party certificates for use with securing inter-Splunk communications, the process is similar, but slightly different. See How to obtain certificates from a third-party for inter-Splunk communication for an explanation and the procedure.

Prerequisites for obtaining certificates for Splunk Web

Before you can get certificates from a third party, you must have the following:

  • A decision on the method you want to use to get the third-party certificates.
  • Administrative access to the Splunk Enterprise instance on which you want to generate the files that you need to acquire the third party certificates.
  • An internet connection to upload files to the CA and download the certificates from the CA. It is not necessary that the Splunk Enterprise instance has direct Internet access.
  • Access to a shell prompt, command line, or Terminal window. You can only create certificate signing requests from the command line.

Steps to obtain a third-party certificate for Splunk Web

The process you use to get certificates from a third party depends on how you want to get the certificates, as described earlier in this topic.

Get certificates from a CA

This is the fastest option for obtaining third-party certificates, but almost always involves a cost, depending on the kind of certificate you need. Many certificate authorities let you purchase and download the certificate immediately.

  1. Visit the certificate authority where you want to get the certificate.
  2. Provide information about the domains that the certificate is to protect.
  3. Pay for the certificate.
  4. Download the certificate when it is available.
  5. Proceed to the Next Steps section in this topic for a link to instructions on how to install and configure the certificate.

Create a certificate signing request to send to a CA

You can create and sign a CSR to send to a CA to acquire a third-party certificate. The CSR is based on the private key and certificate signing request file that you create in the procedures that follow. The CA takes the CSR, generates your certificate, and signs it. Some CAs do not charge for this, but might limit the kinds of certificates they issue for free.

In general, submitting a CSR involves visiting the certificate authority website, filling out a form, possibly paying a fee, then sending or uploading the CSR file. Because each CA has their own process for accepting this information, there is no specific process for providing the necessary information to get a TLS certificate.

All of the certificates that you download must be in privacy-enhanced mail (PEM) format. If your certificate authority does not provide you with certificates in this format, you must convert them to PEM using the OpenSSL binary that comes with the Splunk platform installation. The program must be able to read the existing file format and write to PEM format. Consult the OpenSSL documentation for more information about converting certificate file formats.

  1. Open a command line interface, for example, a shell prompt, or a Terminal or PowerShell window.
  2. Connect to the Splunk platform instance where you want to generate the CSR.
  3. Create a new directory within the Splunk platform instance installation for the certificates.
    *nix command Windows command
    mkdir $SPLUNK_HOME/etc/auth/mycerts
    mkdir %SPLUNK_HOME%\etc\auth\mycerts
  4. Create a private key for your certificates. The following example uses Advanced Encryption Standard (AES) encryption and a 2048-bit key length.
    *nix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048
    %SPLUNK_HOME%\bin\splunk cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048
  5. When the OpenSSL command prompts for a password, type in one. The OpenSSL command then creates a file myServerPrivateKey.key.
  6. (Optional) Remove the password from the private key.
    Unix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl rsa -in mySplunkWebPrivateKey.key
     -out mySplunkWebPrivateKey.key
    $SPLUNK_HOME\bin\splunk cmd openssl rsa -in mySplunkWebPrivateKey.key
     -out mySplunkWebPrivateKey.key
  7. (Optional) If you removed the password from the private key, confirm that the password was successfully removed:
    # openssl rsa -in mySplunkWebPrivateKey.key -text
    

    If the password was successfully removed, you can view the certificate contents without providing a password.

    There is no requirement to remove the password from the private key. However, if you choose not to remove the password, you must configure the password in the web.conf configuration file when you configure Splunk Web to use certificates. If you don't, then Splunk Web can't read the private key for the certificate.

  8. Use the private key myServerPrivateKey.key to generate a CSR for your certificate:
    Unix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl req -new 
    -key mySplunkWebPrivateKey.key -out mySplunkWebCertificate.csr
    $SPLUNK_HOME\bin\splunk cmd openssl req -new 
    -key mySplunkWebPrivateKey.key -out mySplunkWebCertificate.csr
  9. When prompted, type in the password you created for your private key myServerPrivateKey.key.
  10. The OpenSSL program asks for several different fields. At a minimum, provide values for the following:
    • Country Name
    • State or Province Name (full name)
    • Locality Name (eg, city)
    • Organization Name (eg, company)
    • Organizational Unit Name (eg, section)
    • Common Name (e.g. server FQDN or YOUR name)
    • Email Address


    If you want to specify a wildcard certificate, when the program asks for the Common Name, prepend a *. to the top-level domain name that you want the certificate to protect as the response. For example, if your top level domain name is mycompany.com, enter *.mycompany.com. The certificate protects any machine within that domain level, but not domains on different subdomain levels. For example splunkserver1.mycompany.com or splunkserver2.mycompany.com. It does not protect splunkserver1.eng.mycompany.com, you need a certificate with a Common Name of *.eng.mycompany.com for that.

    Additionally, you can provide one or more Subject Alternate Names which the certificate will also protect when you install and configure the Splunk platform to use it and check those Subject Alternate Names.

    After you enter the information, the OpenSSL program creates a new CSR file called myServerCertificate.csr.
  11. Visit the website of a certificate authority that can generate a certificate from a CSR.
  12. Provide information about the certificate, including the domains that the certificate is to protect.
  13. (Optional) If necessary, pay for the certificate.
  14. Upload the CSR file to the CA website.
  15. Download the certificate when it is available.
  16. Download the CA public certificate authority certificate.
  17. View the contents of the certificate to confirm it meets your needs.
    Unix command Windows command
    $SPLUNK_HOME/bin/splunk cmd openssl x509 -in mySplunkWebCertificate.pem -text
    %SPLUNK_HOME%/bin/splunk cmd openssl x509 -in mySplunkWebCertificate.pem -text
    1. The "Issuer" entry must refer to the information that the CA provides.
    2. The "Subject" entry must show the information that you entered when you created the CSR, including country name, organization name, Common Name, and so on.
  18. If you can successfully verify the certificate, proceed to the Next Steps section in this topic for a link to instructions on how to install and configure the certificate.

Next step

Now that you have certificates, you must prepare them, including appending any intermediate certificates. This step must happen before you can configure Splunk Enterprise to find and use the certificates.

Last modified on 15 February, 2023
How to obtain certificates from a third-party for inter-Splunk communication   How to create and sign your own TLS certificates

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters