topic Re: Root CA password in Security

Root CA password

echalex — Wed, 31 Aug 2011 13:29:12 GMT

Hi,

I'm testing how to create a new root CA to enable SSL authentication. It seems that the default script for this, genRootCA.sh doesn't set a password for the certificate by default, but I can change this behaviour with -p.

However, when trying to generate server keys with 'splunk create-ssl server-cert', Splunk doesn't ask for the CA password and is consequently unable to load the CA private key. Is this expected behaviour or a bug? Is it somehow recommended not to protect the CA private key with a password?

Re: Root CA password

MuS — Wed, 31 Aug 2011 13:56:53 GMT

Hi echalex

your command splunk create-ssl server-cert gives me an error:

Command error: 'create-ssl' is not a valid command. Please run 'splunk help' to
see the valid commands.

but you can find here a perfect instruction from hexx on how to create a CA with splunk, hope this helps.

regards

Re: Root CA password

echalex — Wed, 31 Aug 2011 15:59:06 GMT

Thanks, MuS.

Are you using 4.2.3? I am. (Misspelled the command. It's actually createssl, without the hyphen.):

splunk@srv:/opt/splunk$ bin/genSignedServerCert.sh -d /tmp/ -n test

++python bin/genSignedServerCert.py -d /tmp/ -n test

NOTE: This script is deprecated. Instead, use "splunk createssl server-cert".

...

Re: Root CA password

echalex — Wed, 31 Aug 2011 16:49:01 GMT

The link you sent doesn't mention anything about CA password, which is my main issue, really.

Re: Root CA password

MuS — Wed, 31 Aug 2011 18:16:43 GMT

Yes, using 4.2.3 as well and many other releases 😉 I will try it tomorrow and see what will happen. cheers

Re: Root CA password

MuS — Thu, 01 Sep 2011 06:52:22 GMT

okay same here and same for this guy http://splunk-base.splunk.com/answers/28342/self-signed-cert-creation-issues-with-422 maybe it's really a bug or we are doing it worng 🙂

Re: Root CA password

echalex — Fri, 02 Sep 2011 07:42:57 GMT

MuS, I have hard time believing we're all doing it wrong. Sadly, the createssl command isn't well documented at all.
The solution I came to was to disregard the helper scripts and just use the CA.pl-script that is included in $SPLUNK_HOME/openssl/misc. I believe it's a standard part of any openssl distribution.

Re: Root CA password

MuS — Fri, 02 Sep 2011 11:57:02 GMT

echalex, have you filed a bug report for that?

Re: Root CA password

echalex — Mon, 06 Aug 2012 14:47:56 GMT

MuS, a little late to answer. 🙂 Nope, I haven't. I'm not sure if it's a bug, since I get the feeling the script isn't meant to be used for creating more advanced CAs.

Re: Root CA password

echalex — Mon, 06 Aug 2012 14:53:32 GMT

Answering my own question: the genRootCA.sh script doesn't seem to be created for the purpose of creating more advanced CAs. If you really want to, you can edit the script and change the values of -passin and -passout.

For more generic usage, use your organization's root CA or use OpenSSL to create a new root CA to use with Splunk.