How to prepare TLS certificates for use with the Splunk platform
TLS certificates let you secure communication between Splunk Enterprise components from end to end. After you get the certificates, you need to prepare them for use with your deployment before you install them and configure your deployment to use them.
As part of preparing TLS certificates for use, you must combine them with the private keys that you either received or generated to create the certificates into a single certificate file that the Splunk platform can use.
All certificates and respective keys that you use on the Splunk platform must be concatenated in this manner. A certificate or key alone does not work, even if you configure it correctly. Regardless of the service or contact point you secure, they all must use combined certificates files.
Create a single combined certificate file
After you obtain certificates, several files are available depending on the method you used to get them. You will combine these files into one file. You must combine the files in the right order and the combined file must be in the correct format. If you don't combine them correctly, your Splunk platform instance won't be able to use the file to secure its communications with other instances.
If you got the certificate by purchasing them from a certificate authority, you'll have the following at a minimum:
- The private key file
- The server certificate file
- The certificate authority certificate file, which was used to create the server certificate
The certificate authority certificate is also known as the root certificate.
If you got the certificate by creating a certificate signing request and submitting that request to a CA, you will have the following:
- The private key file that you created and subsequently used to create the certificate signing request
- The certificate signing request file
- The server certificate file that you downloaded from the certificate authority after submitting your certificate signing request.
- The certificate authority certificate file that you downloaded from the certificate authority after downloading the server certificate.
If you created and signed a certificate yourself, you will have the following:
- The private key file that you used to create and sign the certificate authority certificate.
- The certificate authority certificate signing request file
- The root certificate file that you generated with the private key file and the certificate authority certificate signing request file
- The private key file that you created to create and sign the server certificate
- The server certificate signing request file
- The server certificate file. You created this file using the private key and the server certificate signing request file
Depending on the method you used, you must combine the server certificate, the private key, and the public certificate, in that order, into a single file. The combined file must be in privacy-enhanced mail (PEM) format.
*nix command | Windows command |
---|---|
cat <server certificate file> <server private key file> <certificate authority certificate file> > <combined server certificate file> |
type <server certificate file> <server private key file> <certificate authority certificate file> > <combined server certificate file> |
After you create the combined certificate file, review it using a text editor. Its contents must contain, in the following order:
- The server certificate
- The private key
- The certificate authority certificate
Following is an example of a properly concatenated certificate. Each certificate and key must include the "BEGIN" and "END" markers to be considered complete.
-----BEGIN CERTIFICATE----- MIICUTCCAboCCQCscBkn/xey1TANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJV ... <Server Certificate> ... 8/PZr3EuXYk1c+N5hgIQys5a/HIn -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,CFCECC7976725DE5 S+DPcQ0l2Z1bk71N3cBqr/nwEXPNDQ4uqtecCd3iGMV3B/WSOWAQxcWzhe9JnIsl ... <Server Private Key – Passphrase protected> ... -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIICUTCCAboCCQCscBkn/xey1TANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJV ... <Certificate Authority Public Key> ... 8/PZr3EuXYk1c+N5hgIQys5a/HIn -----END CERTIFICATE-----
How to configure a certificate chain
To use multiple certificates, place any intermediate certificates after the server certificate and before the root certificate. You can add as many intermediate certificates as you need, in decreasing order of hierarchy, up to the root certificate.
Concatenate multiple certificates in the following order:
[ server certificate] [ intermediate certificate] [ certificate authority certificate (if required) ]
The following is an example of a certificate chain:
-----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the intermediate certificate)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the root certificate for the CA)... -----END CERTIFICATE-----
Valid certificate chains must contain the -----BEGIN CERTIFICATE----
and -----END CERTIFICATE-----
certificate markers to be valid. Do not remove these markers from the certificate file.
In another example, when you use Splunk forwarder to indexer certificates that contain a Private Key, the completed certificate file might look like the following:
-----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- ...<Server Private Key – Passphrase protected> -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the intermediate certificate)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the certificate authority certificate)... -----END CERTIFICATE-----
Next steps
After you combine certificates into one file, you can then configure the Splunk platform to use the certificates.
- See Configure Splunk indexing and forwarding to use TLS certificates for instructions on configuring TLS certificates to secure communications between indexers and forwarders.
- See Configure TLS certificates for inter-Splunk communication for instructions on configuring TLS certificates to secure communications between Splunk platform instances.
- See Configure TLS certificates for Splunk Web for instructions on configuring TLS certificates to secure communications on Splunk Web.
How to create and sign your own TLS certificates | Configure Splunk indexing and forwarding to use TLS certificates |
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0
Feedback submitted, thanks!