https://community.splunk.com/t5/Installation/Changing-default-certificate/m-p/292498#M8949 <P>I am trying to get my own CA cert for my instance of Splunk web.<BR /> I followed this:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Getthird-partycertificatesforSplunkWeb">http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Getthird-partycertificatesforSplunkWeb</A><BR /> this gives me 4 files in my home dir.<BR /> pk.pem : private key,<BR /> mycert.pem : My cert as given by CA<BR /> chain.pem : CA Root + intermediary<BR /> fullchain.pem: I made it as mycert.pem + chain.pem</P> <P>I verify with openssl than chain.pem and mycert.pen returns ok.</P> <P>then i went to <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/SecureSplunkWebusingasignedcertificate">http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/SecureSplunkWebusingasignedcertificate</A><BR /> "mySplunkWebCertificate.pem" it does not say if that's just mycert or the fullchain.<BR /> which one should it be?<BR /> why are we asked to copy these files in auth/splunkweb while web.conf does not use them?<BR /> my web.conf looks like this:<BR /> [settings]<BR /> enableSplunkWebSSL = 1<BR /> httpport = 443<BR /> privKeyPath = [/home/foo/certs/pk.pem]<BR /> serverCert = [/home/foo/certs/fullchain.pem]</P> <P>(read [ ] as &lt;&gt; )<BR /> when I restart splunk it stays stuck on <BR /> Waiting for web server at <A href="https://127.0.0.1:443">https://127.0.0.1:443</A> to be available.</P> Thu, 09 Feb 2017 15:29:28 GMT pdevosceazure 2017-02-09T15:29:28Z https://community.splunk.com/t5/Installation/Changing-default-certificate/m-p/292498#M8949 <P>I am trying to get my own CA cert for my instance of Splunk web.<BR /> I followed this:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Getthird-partycertificatesforSplunkWeb">http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Getthird-partycertificatesforSplunkWeb</A><BR /> this gives me 4 files in my home dir.<BR /> pk.pem : private key,<BR /> mycert.pem : My cert as given by CA<BR /> chain.pem : CA Root + intermediary<BR /> fullchain.pem: I made it as mycert.pem + chain.pem</P> <P>I verify with openssl than chain.pem and mycert.pen returns ok.</P> <P>then i went to <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/SecureSplunkWebusingasignedcertificate">http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/SecureSplunkWebusingasignedcertificate</A><BR /> "mySplunkWebCertificate.pem" it does not say if that's just mycert or the fullchain.<BR /> which one should it be?<BR /> why are we asked to copy these files in auth/splunkweb while web.conf does not use them?<BR /> my web.conf looks like this:<BR /> [settings]<BR /> enableSplunkWebSSL = 1<BR /> httpport = 443<BR /> privKeyPath = [/home/foo/certs/pk.pem]<BR /> serverCert = [/home/foo/certs/fullchain.pem]</P> <P>(read [ ] as &lt;&gt; )<BR /> when I restart splunk it stays stuck on <BR /> Waiting for web server at <A href="https://127.0.0.1:443">https://127.0.0.1:443</A> to be available.</P> Thu, 09 Feb 2017 15:29:28 GMT https://community.splunk.com/t5/Installation/Changing-default-certificate/m-p/292498#M8949 pdevosceazure 2017-02-09T15:29:28Z https://community.splunk.com/t5/Installation/Changing-default-certificate/m-p/292499#M8950 <P>Are you configuring this on 6.5 or later? The attributes for earlier versions are slightly different, so if you are by any chance working in an earlier version, the attributes above will not work.</P> <P>For serverCert, I would change the value to your mycert.pem file.</P> Thu, 09 Feb 2017 21:10:53 GMT https://community.splunk.com/t5/Installation/Changing-default-certificate/m-p/292499#M8950 jworthington_sp 2017-02-09T21:10:53Z https://community.splunk.com/t5/Installation/Changing-default-certificate/m-p/292500#M8951 <P>Yes I am on 6.5 but if I use mycert how does splunk know where the chain certificates are?<BR /> actually i tried all of them none work</P> Thu, 09 Feb 2017 21:16:48 GMT https://community.splunk.com/t5/Installation/Changing-default-certificate/m-p/292500#M8951 pdevosceazure 2017-02-09T21:16:48Z https://community.splunk.com/t5/Installation/Changing-default-certificate/m-p/292501#M8952 <P>Doh, I'm sorry, you are right. For CA-signed certificates you do need the chain. They need to be in the following order:</P> <P>[ server certificate]<BR /> [ intermediate certificate]<BR /> [ root certificate (if required) ]</P> <P>so maybe the issue is the order in the chain?</P> <P>I am thinking that if you have <BR /> "chain.pem : CA Root + intermediary<BR /> fullchain.pem: I made it as mycert.pem + chain.pem"</P> <P>Then I think this should give you an end result of <BR /> [ server certificate]<BR /> [ root certificate (if required) ]<BR /> [ intermediate certificate]</P> <P>So you might try troubleshooting by changing that order to the first example see if it helps. It seems odd that your certs would check out okay but not work, but SplunkWeb cert configs can be surprisingly touchy. (Oh, and also make sure you are using the version of OpenSSL provided with Splunk!)</P> <P>Hope this is a little more helpful.</P> <P>Cheers,<BR /> jen</P> Thu, 09 Feb 2017 21:37:36 GMT https://community.splunk.com/t5/Installation/Changing-default-certificate/m-p/292501#M8952 jworthington_sp 2017-02-09T21:37:36Z https://community.splunk.com/t5/Installation/Changing-default-certificate/m-p/292502#M8953 <P>Could not get it working. However replacing cert.pem and privkey.pem directly in /opt/splunk/etc/auth/splunkweb with my fullchain.pem and my private key, renamed as original work OK.</P> Sun, 12 Feb 2017 21:13:18 GMT https://community.splunk.com/t5/Installation/Changing-default-certificate/m-p/292502#M8953 pdevosceazure 2017-02-12T21:13:18Z