<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk Forwarder SSL unsupported certificate purpose? in Security</title>
    <link>https://community.splunk.com/t5/Security/Splunk-Forwarder-SSL-unsupported-certificate-purpose/m-p/311707#M8164</link>
    <description>&lt;P&gt;I ran into this issue myself last night and found that the enhanced key usage on the cert needs to include:&lt;/P&gt;

&lt;P&gt;Server Authentication (1.3.6.1.5.5.7.3.1)&lt;BR /&gt;
Client Authentication (1.3.6.1.5.5.7.3.2)&lt;/P&gt;

&lt;P&gt;This doesn't appear to be explicitly stated anywhere in the documentation and should be added.&lt;/P&gt;</description>
    <pubDate>Sat, 18 Aug 2018 20:35:23 GMT</pubDate>
    <dc:creator>cbtadmin</dc:creator>
    <dc:date>2018-08-18T20:35:23Z</dc:date>
    <item>
      <title>Splunk Forwarder SSL unsupported certificate purpose?</title>
      <link>https://community.splunk.com/t5/Security/Splunk-Forwarder-SSL-unsupported-certificate-purpose/m-p/311706#M8163</link>
      <description>&lt;P&gt;Running Splunk 6.5.2 &amp;amp; 6.5.3,&lt;/P&gt;

&lt;P&gt;We just re-rolled our PKI using Microsoft's Certificate Services, with a RootCA, PolicyCA and Issuing CA. &lt;/P&gt;

&lt;P&gt;I've been having a hard time getting our heavy forwarders to communicate to our indexer when "requireClientCert = true".&lt;/P&gt;

&lt;P&gt;I've tried several things.&lt;BR /&gt;
Sent off the openssl csr's to the Issuing CA to get signed, came back as .der formated. Ran openssl -in cert.cer -inform der -out cert.pem&lt;BR /&gt;
Converted to pem format&lt;BR /&gt;
Concatenated the private key to the server certs: cat privkey-server.pem &amp;gt;&amp;gt; server.pem&lt;/P&gt;

&lt;P&gt;Now I've tried a couple of variations here, &lt;BR /&gt;
I've tried chaining the rootCA together such as the following:&lt;BR /&gt;
cat policyCA.pem &amp;gt;&amp;gt; issuingCA.pem&lt;BR /&gt;
cat rootCA.pem &amp;gt;&amp;gt; issuingCA.pem&lt;BR /&gt;
mv issuingCA.pem cacert.pem&lt;/P&gt;

&lt;P&gt;with the config:&lt;BR /&gt;
serverCert = /opt/splunk/etc/auth/testing/server.pem (the cert I mentioned above)&lt;BR /&gt;
sslRootCAPath = /opt/splunk/etc/auth/testing/cacert.pem&lt;/P&gt;

&lt;P&gt;I've run /opt/splunk/bin/splunk cmd openssl verify -CAfile cacert.pem server.pem &lt;BR /&gt;
verified the server cert is signed correctly&lt;/P&gt;

&lt;P&gt;Did this on both the forwarder and indexer and it failed.&lt;/P&gt;

&lt;P&gt;Next I came across some info that what I understood suggested adding the issuing CA and policy CA into the server.pem file and keeping the rootCA.pem alone as the specified sslRootCAPath.&lt;/P&gt;

&lt;P&gt;That didn't work either. I get:&lt;BR /&gt;
10-19-2017 10:38:15.493 -0400 ERROR X509Verify - X509 certificate (CN=ourCompanyCN) failed validation; error=26, reason="unsupported certificate purpose"&lt;BR /&gt;
10-19-2017 10:38:15.494 -0400 WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.&lt;BR /&gt;
10-19-2017 10:38:15.494 -0400 ERROR TcpInputProc - Error encountered for connection from src=:50477. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed&lt;/P&gt;

&lt;P&gt;The Certs generated have the following:&lt;BR /&gt;
 X509v3 extensions:&lt;BR /&gt;
            X509v3 Key Usage: critical&lt;BR /&gt;
                Digital Signature, Key Encipherment&lt;/P&gt;

&lt;P&gt;and further down..&lt;BR /&gt;
 X509v3 Extended Key Usage:&lt;BR /&gt;
                TLS Web Server Authentication&lt;BR /&gt;
            1.3.6.1.4.1.311.21.10:&lt;BR /&gt;
                0.0&lt;/P&gt;

&lt;P&gt;Anyone have any ideas? I want to be able to turn on the "requireClientCert = true" setting... &lt;BR /&gt;
Please help&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 16:17:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/Splunk-Forwarder-SSL-unsupported-certificate-purpose/m-p/311706#M8163</guid>
      <dc:creator>windsurfer30</dc:creator>
      <dc:date>2020-09-29T16:17:32Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Forwarder SSL unsupported certificate purpose?</title>
      <link>https://community.splunk.com/t5/Security/Splunk-Forwarder-SSL-unsupported-certificate-purpose/m-p/311707#M8164</link>
      <description>&lt;P&gt;I ran into this issue myself last night and found that the enhanced key usage on the cert needs to include:&lt;/P&gt;

&lt;P&gt;Server Authentication (1.3.6.1.5.5.7.3.1)&lt;BR /&gt;
Client Authentication (1.3.6.1.5.5.7.3.2)&lt;/P&gt;

&lt;P&gt;This doesn't appear to be explicitly stated anywhere in the documentation and should be added.&lt;/P&gt;</description>
      <pubDate>Sat, 18 Aug 2018 20:35:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/Splunk-Forwarder-SSL-unsupported-certificate-purpose/m-p/311707#M8164</guid>
      <dc:creator>cbtadmin</dc:creator>
      <dc:date>2018-08-18T20:35:23Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Forwarder SSL unsupported certificate purpose?</title>
      <link>https://community.splunk.com/t5/Security/Splunk-Forwarder-SSL-unsupported-certificate-purpose/m-p/311708#M8165</link>
      <description>&lt;P&gt;This seems to be the only place where this information is to be found, thanks @cbtadmin!&lt;BR /&gt;
It can be checked like this:&lt;BR /&gt;
&lt;CODE&gt;/splunk cmd openssl x509 -text -in /opt/splunk/etc/auth/your_server_cert_and_key.pem&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;You should see a line like this:&lt;/P&gt;

&lt;P&gt;X509v3 Extended Key Usage:&lt;BR /&gt;
   TLS Web Server Authentication, TLS Web Client Authentication&lt;/P&gt;</description>
      <pubDate>Thu, 10 Jan 2019 15:15:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/Splunk-Forwarder-SSL-unsupported-certificate-purpose/m-p/311708#M8165</guid>
      <dc:creator>xpac</dc:creator>
      <dc:date>2019-01-10T15:15:15Z</dc:date>
    </item>
  </channel>
</rss>

