Series: Splunk TLS - Securing Web

  • Laptop
    - Our Client System
  • Linux Server (i.e. an old converted desktop running RHEL 8):
    - Internal Certificate Authority (internalCA), Splunk host, and all around bash box.
  1. Access/SSH to your Splunk Instance, and elevate/become the splunk user
  2. Create a dated home directory for this work and navigate into it
    mkdir 2022-08-27_splunkWeb && cd 2022-08-27_splunkWeb
  3. Start by creating a request details file (details.txt, the file passed to the openssl commands) with all the particulars of your cert. It is written with the search head/search cluster in mind but, through the use of alt names, can extend to the other aforementioned systems.
    IMPORTANT - Splunk Version 9.x introduces a new facet to the ssl configuration, make sure you include a loopback address ( in your details IP section.
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = Country
ST = State/Region
L = City/Location
O = Organization
CN =

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
# Search
DNS.1 =
DNS.2 =
# Cluster Management
DNS.3 =
DNS.4 =
# Backup IP entries in case DNS fails
IP.1 =
IP.2 =
openssl req -new -sha256 -nodes -out server-domain.csr -newkey rsa:2048 -keyout splunkWeb.key -config details.txt
What you’ll have in your directory after the CSR command
# metadata/local.meta file
[]
export = system
# local/app.conf file
# app generated for webTLS
# Example 1
cat server-domain.crt intermediate1.pem intermediate2.pem > webTLS/certs/splunkWeb.pem
# Example 2
cp server-domain.crt webTLS/certs/splunkWeb.pem
# web.conf file
[settings]
startwebserver = 1
enableSplunkWebSSL = true
serverCert = $SPLUNK_HOME/etc/apps/webTLS/certs/splunkWeb.pem
privKeyPath = $SPLUNK_HOME/etc/apps/webTLS/certs/splunkWeb.key

Supplemental Section: Creating and Using your own Internal Certificate Authority

  1. SSH onto your Splunk system, and elevate to the root user
  2. Create an internalCA folder within /opt
    mkdir /opt/internalCA
  3. Change ownership of the internalCA to the Splunk user for convenience, and change to that user
    chown -R splunk: /opt/internalCA
    su - splunk
  4. Generate your new certificate authority key (you will be prompted to set a passphrase; save it)
    openssl genrsa -aes256 -out /opt/internalCA/rootCA.key 2048
  5. Create your certificate
    openssl req -x509 -new -nodes -key /opt/internalCA/rootCA.key -sha256 -days 365 -out /opt/internalCA/rootCA.pem
Firefox → Settings → Search cert → View Certificates → Authorities Tab → Import → Select your transferred rootCA.pem → allow it to authenticate websites
openssl x509 -req -in server-domain.csr -CA /opt/internalCA/rootCA.pem -CAkey /opt/internalCA/rootCA.key -CAcreateserial -out splunkWeb.crt -days 360 -sha256 -extfile details.txt -extensions req_ext
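
One way to check the signed certificate before it is copied into webTLS/certs, as an added example that is not part of the original article: it confirms the cert chains to the internal CA, matches splunkWeb.key, and still carries the loopback SAN after signing. The function names, the splunk.example.internal host name and the 127.0.0.1 loopback value are assumptions, and make_demo_pki only builds constructed sample input.

```shell
# Added example, not from the article: pre-flight checks for the signed
# Splunk Web certificate before web.conf points at it.
# check_web_cert CERT KEY CA [LOOPBACK]: succeeds only if CERT chains to CA,
# matches KEY, and lists the loopback IP (assumed 127.0.0.1) in its SANs.
check_web_cert() (
    cert=$1 key=$2 ca=$3 loopback=${4:-127.0.0.1} rc=0
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $ca"; rc=1; }
    # Compare public keys so the check works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
    { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } ||
        { echo "FAIL: $key is not the private key for $cert"; rc=1; }
    # -w keeps 127.0.0.1 from matching a longer address such as 127.0.0.10.
    openssl x509 -in "$cert" -noout -text 2>/dev/null |
        grep -qFw "IP Address:$loopback" ||
        { echo "FAIL: SAN list lacks IP:$loopback"; rc=1; }
    [ "$rc" -eq 0 ]
)

# make_demo_pki DIR: constructed sample input. Builds a throwaway CA (no
# passphrase, demo only) and signs one CSR twice: good.crt with
# -extfile/-extensions as in the article, nosan.crt without them.
make_demo_pki() (
    cd "$1" || exit 1
    cat > details.txt <<'EOF'
[ req ]
prompt = no
req_extensions = req_ext
distinguished_name = dn
[ dn ]
CN = splunk.example.internal
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = splunk.example.internal
IP.1 = 127.0.0.1
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -keyout rootCA.key -days 2 \
        -config details.txt -extensions v3_ca -subj "/CN=demo internalCA" \
        -out rootCA.pem 2>/dev/null || exit 1
    openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout splunkWeb.key \
        -out server-domain.csr -config details.txt 2>/dev/null || exit 1
    sign="openssl x509 -req -in server-domain.csr -CA rootCA.pem
          -CAkey rootCA.key -CAcreateserial -days 1 -sha256"
    $sign -out good.crt -extfile details.txt -extensions req_ext 2>/dev/null &&
        $sign -out nosan.crt 2>/dev/null
)
```

Against the real files the call would be `check_web_cert splunkWeb.crt splunkWeb.key /opt/internalCA/rootCA.pem`, run in the dated working directory before building splunkWeb.pem.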





A data loving dinosaur, usually found on Trust Cohort 2018,2019,2020,2021; Amateur Cook, (he/him)