<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Using existing Splunkweb certificate to secure an addtional port in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712861#M117724</link>
    <description>&lt;P&gt;We have an existing Splunk 9.1.3 Enterprise environment and run Splunkweb at port 8000 using an outside CA signed certificate for https.&amp;nbsp; A partner wants to stream syslog data to our Splunk using a secure connection.&amp;nbsp; I added the following to inputs.conf located in system/local.&lt;/P&gt;&lt;P&gt;[tcp-ssl:6514]&lt;BR /&gt;sourcetype = syslog&lt;BR /&gt;index=syslog&lt;BR /&gt;disabled = 0&lt;/P&gt;&lt;P&gt;[SSL]&lt;BR /&gt;privKeyPath = /opt/splunk/etc/auth/splunkweb/2024/splprkey.key&lt;BR /&gt;serverCert = /opt/splunk/etc/auth/splunkweb/2024/prcert.pem&lt;BR /&gt;requireClientCert = false&lt;/P&gt;&lt;P&gt;After a restart ,I used openssl to test the connection.&amp;nbsp; Port 8000 worked normally as expected; the certificate was returned and I could see the TLS negotiation in Wireshark&amp;nbsp; &amp;nbsp;The openssl&amp;nbsp; connection to port 6154 did not work .&amp;nbsp; A connection was made and openssl did send a "Client Hello" which was visible in Wireshark,&amp;nbsp; but other than an ACK the Splunk server never sent anything further.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ptrsnk_0-1740766717435.png" style="width: 603px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/34755i97F46C696513FFC2/image-dimensions/603x74?v=v2" width="603" height="74" role="button" title="ptrsnk_0-1740766717435.png" alt="ptrsnk_0-1740766717435.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;Based on an article I read, I also copied the certificate path to the server.conf file, but that didn't change anything.&amp;nbsp; What am I missing? Is it incorrect to assume the same cert could be used for different ports?&lt;/P&gt;&lt;P&gt;Any assistance appreciated!&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;</description>
    <pubDate>Fri, 28 Feb 2025 19:24:32 GMT</pubDate>
    <dc:creator>ptrsnk</dc:creator>
    <dc:date>2025-02-28T19:24:32Z</dc:date>
    <item>
      <title>Using existing Splunkweb certificate to secure an addtional port</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712861#M117724</link>
      <description>&lt;P&gt;We have an existing Splunk 9.1.3 Enterprise environment and run Splunkweb at port 8000 using an outside CA signed certificate for https.&amp;nbsp; A partner wants to stream syslog data to our Splunk using a secure connection.&amp;nbsp; I added the following to inputs.conf located in system/local.&lt;/P&gt;&lt;P&gt;[tcp-ssl:6514]&lt;BR /&gt;sourcetype = syslog&lt;BR /&gt;index=syslog&lt;BR /&gt;disabled = 0&lt;/P&gt;&lt;P&gt;[SSL]&lt;BR /&gt;privKeyPath = /opt/splunk/etc/auth/splunkweb/2024/splprkey.key&lt;BR /&gt;serverCert = /opt/splunk/etc/auth/splunkweb/2024/prcert.pem&lt;BR /&gt;requireClientCert = false&lt;/P&gt;&lt;P&gt;After a restart ,I used openssl to test the connection.&amp;nbsp; Port 8000 worked normally as expected; the certificate was returned and I could see the TLS negotiation in Wireshark&amp;nbsp; &amp;nbsp;The openssl&amp;nbsp; connection to port 6154 did not work .&amp;nbsp; A connection was made and openssl did send a "Client Hello" which was visible in Wireshark,&amp;nbsp; but other than an ACK the Splunk server never sent anything further.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ptrsnk_0-1740766717435.png" style="width: 603px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/34755i97F46C696513FFC2/image-dimensions/603x74?v=v2" width="603" height="74" role="button" title="ptrsnk_0-1740766717435.png" alt="ptrsnk_0-1740766717435.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;Based on an article I read, I also copied the certificate path to the server.conf file, but that didn't change anything.&amp;nbsp; What am I missing? Is it incorrect to assume the same cert could be used for different ports?&lt;/P&gt;&lt;P&gt;Any assistance appreciated!&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;</description>
      <pubDate>Fri, 28 Feb 2025 19:24:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712861#M117724</guid>
      <dc:creator>ptrsnk</dc:creator>
      <dc:date>2025-02-28T19:24:32Z</dc:date>
    </item>
    <item>
      <title>Re: Using existing Splunkweb certificate to secure an addtional port</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712862#M117725</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265544"&gt;@ptrsnk&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;First of all, I dont think the "privKeyPath" key is a valid key in inputs.conf. Infact you should just be using&amp;nbsp;serverCert and giving the path to your full certificate chain (in PEM format), including key and CA.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&lt;U&gt;yourCert.pem&lt;/U&gt;&lt;/STRONG&gt;&lt;BR /&gt;&amp;lt;YourSSLCert&amp;gt;&lt;BR /&gt;&amp;lt;YourPrivateKey&amp;gt;&lt;BR /&gt;&amp;lt;YourCertCA&amp;gt;&lt;/P&gt;&lt;P&gt;You will also need to specify sslPassword if you are using an encrypted private key for your cert.&lt;/P&gt;&lt;P&gt;For more information check out the inputs.conf spec page at&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/Inputsconf" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/Inputsconf&lt;/A&gt;&lt;/P&gt;&lt;P&gt;There is also another useful answer at&amp;nbsp;&lt;A href="https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483077" target="_blank"&gt;https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483077&lt;/A&gt;&amp;nbsp;with more context and suggestions.&lt;/P&gt;&lt;P&gt;Please let me know how you get on and consider adding karma to this or any other answer if it has helped.&lt;BR /&gt;Regards&lt;/P&gt;&lt;P&gt;Will&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 28 Feb 2025 20:14:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712862#M117725</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-02-28T20:14:44Z</dc:date>
    </item>
    <item>
      <title>Re: Using existing Splunkweb certificate to secure an addtional port</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712864#M117726</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;there are different cert types which contains different options. Basically it depends which kind of web server certificate you have, can you use it also for server’s management cert. If it’s pure client certificate (web can be that) then it didn’t work as server needs server certificate. You can read more e.g. from&amp;nbsp;&lt;A href="https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_with_TLS" target="_blank" rel="noopener"&gt;https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_with_TLS&lt;/A&gt;&lt;/P&gt;&lt;P&gt;——&lt;/P&gt;&lt;H3&gt;Leaf (client/server) certificates&lt;/H3&gt;&lt;P&gt;Leaf means that the certificate is unable to sign any additional certificates. They are often referred to as client or server certificates because that’s generally what they represent, but these are not technical TLS terms.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Splunk platform systems use server certificates, meaning the certificate should represent the system(s) in the Subject Alternative Name (SAN) line and Common Name (CN) value. Splunk platform allows wildcard CN/SANs to be used. You can also put multiple hosts in the SAN, but this can become difficult to manage or update compared to a wildcard.&lt;/LI&gt;&lt;LI&gt;Universal forwarders (or web browsers, if desired) use client certificates. These are called client certificates because they don’t need to represent (the CN/SAN) the system they’re installed on. They only need to be signed by an issuer that the Splunk platform server trusts. You might hear these referred to as forwarder certificates in the Splunk ecosystem.&lt;/LI&gt;&lt;LI&gt;You’ll also often hear the term “(full) certificate chain” when reading about TLS. A certificate chain is a leaf certificate that has the proper issuer certificates under it in a single file. In Splunk we automatically create the chain by using the client/serverCert and sslRootCAPath values automatically, so you should not create a "full chain certificate". You should place the server/client certificate and private key in one file, and all of your issuer certificates in another file.&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;r. Ismo&lt;/P&gt;</description>
      <pubDate>Fri, 28 Feb 2025 20:24:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712864#M117726</guid>
      <dc:creator>isoutamo</dc:creator>
      <dc:date>2025-02-28T20:24:38Z</dc:date>
    </item>
    <item>
      <title>Re: Using existing Splunkweb certificate to secure an addtional port</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712865#M117727</link>
      <description>&lt;P&gt;Thank you&amp;nbsp; livehybrid,&lt;/P&gt;&lt;P&gt;I will tryout your suggestions and respond back to you.&lt;/P&gt;</description>
      <pubDate>Fri, 28 Feb 2025 20:33:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712865#M117727</guid>
      <dc:creator>ptrsnk</dc:creator>
      <dc:date>2025-02-28T20:33:05Z</dc:date>
    </item>
    <item>
      <title>Re: Using existing Splunkweb certificate to secure an addtional port</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712868#M117728</link>
      <description>&lt;P&gt;Its also worth mentioning that the client might need additional configuration to validate the commonName if the DNS name you are connecting with is not the same as the common name on the certificate.&lt;/P&gt;&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410"&gt;@isoutamo&lt;/a&gt;&amp;nbsp;The lantern page (&lt;A href="https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_with_TLS" target="_blank"&gt;https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_with_TLS&lt;/A&gt;) is very useful, Ive got that bookmarked now, thanks &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;The leaf cert that is being used for the web SSL should be sufficient for the TCP Input cert as it is pretty much serving the same purpose (a server cert). Interestingly I have definitely been able to use a server cert in the past as a client certificate, although technically speaking I dont think that should be possible as the server should be checking for&amp;nbsp;"Client Authentication" (OID 1.3.6.1.5.5.7.3.2) attributes.&lt;/P&gt;&lt;P&gt;Anyway,&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265544"&gt;@ptrsnk&lt;/a&gt;&amp;nbsp;please keep us posted &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Will&lt;/P&gt;</description>
      <pubDate>Fri, 28 Feb 2025 21:03:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712868#M117728</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-02-28T21:03:58Z</dc:date>
    </item>
    <item>
      <title>Re: Using existing Splunkweb certificate to secure an addtional port</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712869#M117729</link>
      <description>&lt;P&gt;You could create combined server/client cert and use it in both environments. Another excellent conf presentation about tls cert&amp;nbsp;&lt;A href="https://conf.splunk.com/files/2023/slides/SEC1936B.pdf" target="_blank"&gt;https://conf.splunk.com/files/2023/slides/SEC1936B.pdf&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Also this is nice tool for manage certs&amp;nbsp;&lt;A href="https://easy-rsa.readthedocs.io/en/latest/" target="_blank"&gt;https://easy-rsa.readthedocs.io/en/latest/&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 28 Feb 2025 22:27:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/712869#M117729</guid>
      <dc:creator>isoutamo</dc:creator>
      <dc:date>2025-02-28T22:27:29Z</dc:date>
    </item>
    <item>
      <title>Re: Using existing Splunkweb certificate to secure an addtional port</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/740829#M117762</link>
      <description>&lt;P&gt;I took a look at our existing servercert .pem file in vi. It did not contain the private key; it did include the root and intermediate certs&amp;nbsp; &amp;nbsp;I copied the contents of our private key .pem file to the location you suggested.&lt;/P&gt;&lt;P&gt;mainCert/&lt;STRONG&gt;private ke&lt;/STRONG&gt;y/intermediate cert/root cert&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;I saved the new .pem file with a new name and put it in a new location under /opt/splunk/etc/auth/newssl and updated the inputs.conf file (below) at system/local.&lt;/P&gt;&lt;P&gt;disabled = false&lt;BR /&gt;connection_host=ip&lt;BR /&gt;index =main&lt;/P&gt;&lt;P&gt;[tcp:514]&lt;BR /&gt;disabled = false&lt;BR /&gt;connection_host=ip&lt;BR /&gt;index =main&lt;/P&gt;&lt;P&gt;[udp://514]&lt;BR /&gt;index = main&lt;BR /&gt;sourcetype=syslog&lt;BR /&gt;disabled = no&lt;/P&gt;&lt;P&gt;[tcp-ssl:6514]&lt;BR /&gt;sourcetype = syslog&lt;BR /&gt;index=syslog&lt;BR /&gt;disabled = 0&lt;/P&gt;&lt;P&gt;[sslConfig]&lt;BR /&gt;sslPassword = $7$pZd1k8bLJzFgGDno3jU7PQ4lAIFBoUbdhOAaFDZojyT1H6DGb5RdRA==&lt;BR /&gt;serverCert = /opt/splunk/etc/auth/newssl/prcertkey.pem&lt;BR /&gt;requireClientCert = false&lt;/P&gt;&lt;P&gt;However, when testing the connection with openssl,&amp;nbsp; I get the same behavior, a tcp connection is made, but no certificate activity.&amp;nbsp; I get a&amp;nbsp;CONNECTED(00000148) message which hasn't led me to anything specific.&lt;/P&gt;&lt;P&gt;I'm still missing something.&lt;/P&gt;&lt;P&gt;peter&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 04 Mar 2025 19:38:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/740829#M117762</guid>
      <dc:creator>ptrsnk</dc:creator>
      <dc:date>2025-03-04T19:38:18Z</dc:date>
    </item>
    <item>
      <title>Re: Using existing Splunkweb certificate to secure an addtional port</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/740858#M117765</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It looks like the certificate is good for either client or server authentication.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ptrsnk_1-1741125908527.png" style="width: 400px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/38011iBFDBAA5277AECF90/image-size/medium?v=v2&amp;amp;px=400" role="button" title="ptrsnk_1-1741125908527.png" alt="ptrsnk_1-1741125908527.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ptrsnk_0-1741125782035.png" style="width: 400px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/38010iA4C4B396346F3996/image-size/medium?v=v2&amp;amp;px=400" role="button" title="ptrsnk_0-1741125782035.png" alt="ptrsnk_0-1741125782035.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 04 Mar 2025 22:07:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/740858#M117765</guid>
      <dc:creator>ptrsnk</dc:creator>
      <dc:date>2025-03-04T22:07:27Z</dc:date>
    </item>
    <item>
      <title>Re: Using existing Splunkweb certificate to secure an addtional port</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/740868#M117770</link>
      <description>&lt;P&gt;Hello isoutamo;&amp;nbsp; Thank you for the links; a lot of useful info. I am not an expert in the area of PKI Certificates etc.&amp;nbsp; I&amp;nbsp; have a basic understanding only.&amp;nbsp; The term leaf certificate was new to me.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Ptrsnk&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 04 Mar 2025 23:55:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-existing-Splunkweb-certificate-to-secure-an-addtional-port/m-p/740868#M117770</guid>
      <dc:creator>ptrsnk</dc:creator>
      <dc:date>2025-03-04T23:55:34Z</dc:date>
    </item>
  </channel>
</rss>

