Series: Splunk TLS - Securing Web

  • Laptop
    - Our Client System
  • Linux Server (i.e. an old converted desktop running RHEL 8):
    - Internal Certificate Authority (internalCA), Splunk host, and all around bash box.
  1. Access/SSH to your Splunk Instance, and elevate/become the splunk user
  2. Create a dated home directory for this work and navigate into it
    mkdir 2022-08-27_splunkWeb && cd 2022-08-27_splunkWeb
  3. Start by creating a req details file (saved as details.txt; the CSR command below reads it with -config) with all the particulars of your cert. It is written with the search/search cluster in mind, but through the use of alt names it can extend to the other systems mentioned above.
    IMPORTANT - Splunk version 9.x introduces a new facet to the SSL configuration: make sure you include a loopback address (127.0.0.1) in the IP section of your details file.
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = Country
ST = State/Region
L = City/Location
O = Organization
CN = commonname.org.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
# Search
DNS.1 = commonname.org.com
DNS.2 = splunk-es.org.com
# Cluster Management
DNS.3 = cm.splunk.org.com
DNS.4 = deployment.splunk.org.com
# Backup IP entries in case DNS fails
IP.1 = 10.10.10.10
IP.2 = 127.0.0.1
openssl req -new -sha256 -nodes -out server-domain.csr -newkey rsa:2048 -keyout splunkWeb.key -config details.txt
What you’ll have in your directory after the CSR command
# metadata/local.meta file
[]
export = system
# local/app.conf file
# app generated for webTLS
# Example 1 - cert issued by a public/intermediate CA: server cert first, then the intermediates, so Splunk Web serves the full chain
cat server-domain.crt intermediate1.pem intermediate2.pem > webTLS/certs/splunkWeb.pem
# Example 2 - cert signed directly by a root CA (e.g. the internal CA below): the server cert alone is enough
cp server-domain.crt webTLS/certs/splunkWeb.pem
# web.conf file
[settings]
startwebserver = 1
enableSplunkWebSSL = true
serverCert = $SPLUNK_HOME/etc/apps/webTLS/certs/splunkWeb.pem
privKeyPath = $SPLUNK_HOME/etc/apps/webTLS/certs/splunkWeb.key

Supplemental Section: Creating and Using your own Internal Certificate Authority

  1. SSH onto your Splunk system, and elevate to the root user
  2. Create an internalCA folder within /opt
    mkdir /opt/internalCA
  3. Change ownership of the internalCA to the Splunk user for convenience, and change to that user
    chown -R splunk. /opt/internalCA
    su - splunk
  4. Generate your new certificate authority key (save your password here)
    openssl genrsa -aes256 -out /opt/internalCA/rootCA.key 2048
  5. Create your CA certificate
    openssl req -x509 -new -nodes -key /opt/internalCA/rootCA.key -sha256 -days 365 -out /opt/internalCA/rootCA.pem
  6. Transfer rootCA.pem to your laptop and import it as a trusted authority in the browser
    Firefox → Settings → Search cert → View Certificates → Authorities Tab → Import → Select your transferred rootCA.pem → allow it to authenticate websites
  7. Sign the Splunk Web CSR with the internal CA. The -extfile/-extensions arguments matter: openssl x509 -req does not copy extensions from the CSR by default, so without them the alt names (including 127.0.0.1) are silently dropped from the signed cert
    openssl x509 -req -in server-domain.csr -CA /opt/internalCA/rootCA.pem -CAkey /opt/internalCA/rootCA.key -CAcreateserial -out splunkWeb.crt -days 360 -sha256 -extfile details.txt -extensions req_ext
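The script below is an added example, not part of the original post: it runs the CSR step from the main section, the signing step from this supplemental section, and the cert/key pairing that web.conf relies on, end to end against a throwaway internal CA, then checks the results. It assumes only the openssl CLI; every name, path and subject value is constructed for the demo, the work happens in a temporary directory, and the CA key is left unencrypted so the run is unattended (keep the -aes256 passphrase on a real internal CA key). It goes one step beyond the post by also signing once without -extfile/-extensions to show that the alt names disappear from that certificate.

```shell
#!/bin/sh
# Added example (not from the original post): CSR with SANs -> sign with an
# internal CA -> verify SANs, chain and key/cert match. All values constructed.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed details.txt with the same layout as the post's, including the
# 127.0.0.1 loopback entry that Splunk 9.x requires.
write_details() {
  cat > "$WORK/details.txt" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = Example
L = Example
O = ExampleOrg
CN = commonname.org.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = commonname.org.com
DNS.2 = splunk-es.org.com
IP.1 = 10.10.10.10
IP.2 = 127.0.0.1
EOF
}

# Throwaway CA (key unencrypted only so this runs unattended).
make_ca() {
  openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/rootCA.key" -sha256 -days 365 \
    -subj "/CN=Example Internal CA" -out "$WORK/rootCA.pem"
}

# Private key + CSR, the same way the post's openssl req line does it.
make_csr() {
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -keyout "$WORK/splunkWeb.key" -out "$WORK/server-domain.csr" \
    -config "$WORK/details.txt" 2>/dev/null
}

# Sign the CSR. $1 is the output file; further arguments go to openssl x509,
# so callers can sign with or without -extfile/-extensions.
sign_csr() {
  out="$1"; shift
  openssl x509 -req -in "$WORK/server-domain.csr" \
    -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    -out "$out" -days 360 -sha256 "$@" 2>/dev/null
}

# Print the SAN line of a CSR ($1=req) or certificate ($1=x509); empty if none.
san_list() {
  openssl "$1" -in "$2" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Succeeds when the SAN list contains the entry, e.g. "IP Address:127.0.0.1".
has_san() {
  san_list "$1" "$2" | grep -q -- "$3"
}

# Succeeds when the certificate chains to the internal CA.
verify_chain() {
  openssl verify -CAfile "$WORK/rootCA.pem" "$1" >/dev/null 2>&1
}

# Succeeds when cert and key (the serverCert/privKeyPath pair in web.conf)
# carry the same public key.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

run_demo() {
  write_details && make_ca && make_csr || return 1
  sign_csr "$WORK/splunkWeb.crt" -extfile "$WORK/details.txt" -extensions req_ext
  sign_csr "$WORK/no-ext.crt"   # what you get if -extfile/-extensions are forgotten
  echo "CSR SANs:        $(san_list req  "$WORK/server-domain.csr")"
  echo "signed SANs:     $(san_list x509 "$WORK/splunkWeb.crt")"
  echo "no-extfile SANs: $(san_list x509 "$WORK/no-ext.crt")"
  verify_chain "$WORK/splunkWeb.crt" && echo "chain OK"
  key_matches "$WORK/splunkWeb.crt" "$WORK/splunkWeb.key" && echo "key matches cert"
}

# Run the whole flow when executed directly: sh splunk_tls_demo.sh run
if [ "${1:-}" = run ]; then run_demo; fi
```

The same three checks (has_san on the signed cert, verify_chain against rootCA.pem, key_matches on the web.conf pair) are worth running against the real splunkWeb.pem and splunkWeb.key before restarting Splunk Web: a dropped SAN or a mismatched key pair fails silently until the browser or the splunkd-to-web loopback connection refuses the certificate.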

T-Rex

A data loving dinosaur, usually found on http://splk.it/slack Trust Cohort 2018,2019,2020,2021; Amateur Cook, (he/him)