From the latest document,
http://docs.splunk.com/Documentation/Splunk/latest/Security/Self-signcertificatesforSplunkWeb
It stated that
Remove the password from your key. (Splunk Web does not support password-protected private keys.)
However, from the web.conf page (starting from 6.6.0),
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf
It stated that
sslPassword = <password>
* Password protecting the private key specified by 'privKeyPath'.
* Optional. Defaults to unencrypted private key.
* If encrypted private key is used, do not enable client-authentication
on splunkd server. In [sslConfig] stanza of server.conf,
'requireClientCert' must be 'false'.
The two parameters seem to contradict each other. Any idea why?
It certainly works with passwords in version 9
I would suggest following our older-version practice of not setting a password to protect the web private key.
If a password-protected private key is really needed in web.conf, don't set requireClientCert to true (the default value is false) in server.conf.
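The rule in the reply above (an encrypted web key is usable only with sslPassword set and requireClientCert left at false) can be checked mechanically. The script below is an added example written for this thread; it is not Splunk's code or documentation. It assumes web.conf keys live in the [settings] stanza and server.conf's requireClientCert in [sslConfig], that a relative privKeyPath resolves under $SPLUNK_HOME (assumed /opt/splunk when unset), and uses constructed sample key files and .conf files whose PEM bodies are filler, not real keys. The strip_key_password helper is the step the 8.2 documentation asks for and needs openssl.

```shell
#!/bin/sh
# Added example for this thread; not Splunk's code or documentation.
# Flags the two failure modes discussed above:
#   rc 1: encrypted private key but no sslPassword in web.conf
#   rc 2: encrypted private key together with requireClientCert = true
#         in server.conf (the combination the web.conf spec rules out)

# conf_get FILE STANZA KEY: value of KEY inside [STANZA] of a Splunk .conf file.
conf_get() {
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_stanza = (s == stanza); next }
        in_stanza && ($0 ~ ("^[ \t]*" key "[ \t]*=")) {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# key_is_encrypted FILE: true if the PEM key is password-protected. Covers
# PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy PEM ("Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# strip_key_password IN OUT PASSWORD: write an unencrypted copy of IN to OUT
# (what the 8.2 docs require). `openssl pkey` handles RSA and EC keys in either
# PEM form. In scripts prefer -passin file:... so the password stays out of `ps`.
strip_key_password() {
    openssl pkey -in "$1" -passin "pass:$3" -out "$2" && chmod 600 "$2"
}

# check_splunk_web_tls WEB_CONF SERVER_CONF: prints a verdict, returns 0/1/2 as
# above, or 3 if the key file cannot be read.
check_splunk_web_tls() {
    key=$(conf_get "$1" settings privKeyPath)
    pass=$(conf_get "$1" settings sslPassword)
    rcc=$(conf_get "$2" sslConfig requireClientCert)
    # Splunk's documented default key path when privKeyPath is unset
    [ -n "$key" ] || key=etc/auth/splunkweb/privkey.pem
    case "$key" in
        /*) ;;
        *) key="${SPLUNK_HOME:-/opt/splunk}/$key" ;;   # assumed default SPLUNK_HOME
    esac
    if [ ! -r "$key" ]; then
        echo "error: cannot read private key $key"; return 3
    fi
    if ! key_is_encrypted "$key"; then
        echo "ok: $key is not password-protected (works on every Splunk version)"; return 0
    fi
    if [ -z "$pass" ]; then
        echo "error: $key is password-protected but web.conf sets no sslPassword"; return 1
    fi
    case "$rcc" in
        [Tt]rue|[Yy]es|1)
            echo "error: encrypted key plus requireClientCert = true is not supported"; return 2 ;;
    esac
    echo "ok: encrypted key with sslPassword set; requireClientCert is not enabled"; return 0
}

# make_sample_configs DIR: constructed key stand-ins and .conf files for a
# stand-alone run. Key bodies are filler, not real keys; only the framing matters.
make_sample_configs() {
    dir=$1
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'ZmlsbGVyLCBub3QgYSByZWFsIGtleQ==' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'ZmlsbGVyLCBub3QgYSByZWFsIGtleQ==' \
        '-----END PRIVATE KEY-----' > "$dir/plain.key"
    for name in enc plain; do
        cat > "$dir/web-$name.conf" <<EOF
[settings]
enableSplunkWebSSL = true
serverCert = $dir/splunkweb.pem
privKeyPath = $dir/$name.key
EOF
    done
    cp "$dir/web-enc.conf" "$dir/web-enc-nopass.conf"
    echo 'sslPassword = changeme' >> "$dir/web-enc.conf"   # constructed sample value
    printf '[sslConfig]\nrequireClientCert = false\n' > "$dir/server-default.conf"
    printf '[sslConfig]\nrequireClientCert = true\n' > "$dir/server-rcc.conf"
}

# demo: run every sample web.conf against both server.conf variants.
demo() {
    d=$(mktemp -d)
    make_sample_configs "$d"
    for web in web-plain web-enc web-enc-nopass; do
        for srv in server-default server-rcc; do
            printf '%-16s + %-15s -> ' "$web" "$srv"
            check_splunk_web_tls "$d/$web.conf" "$d/$srv.conf" || true
        done
    done
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh check_web_key.sh --demo`, or source it and point check_splunk_web_tls at the real $SPLUNK_HOME/etc/system/local/web.conf and server.conf. Note that sslPassword sits in web.conf right next to the key it unlocks, so encrypting the key buys little beyond what 600 permissions on an unencrypted key already give; whichever route you take, restrict both files to the splunk user.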
The documentation in version 9.0 and up no longer asks you to remove the password from the private key prior to generating a CSR file.
Compare this documentation...
https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Getthird-partycertificatesforSplunkWeb
vs.
This one...
https://docs.splunk.com/Documentation/Splunk/8.2.9/Security/Getthird-partycertificatesforSplunkWeb
That says:
Remove the password from the private key. You must do this because Splunk Web does not support private key passwords.
In my case...
I am using Splunk version 9.0.2 and my private key (.key file) has a password. I use it in web.conf under sslPassword.