Hi,
Using Splunk (v6.5.0) on Windows Server 2008 R2 Datacenter, trying to generate CSR files using the built-in openssl via PowerShell following this documentation: http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Getthird-partycertificatesforSplunkWeb#Cr...
The CSRs will then be used by the organisation's internal CA (Windows) to get the .cer file.
But it doesn't mention anything regarding adding in SANs, so that I can add in the multiple CNAMEs created for each of the servers in the deployment. Tried following some guides on Google for openssl e.g. http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html with the commands I was using being along these lines:
..\..\..\bin\openssl.exe genrsa -des3 -out <server>.key 2048 -config D:\Splunk\openssl.cnf
..\..\..\bin\openssl.exe rsa -in <server>.key -out <server>.key
..\..\..\bin\openssl.exe req -new -key <server>.key -sha512 -nodes -config D:\Splunk\openssl.cnf -subj '/C=<Country>/ST=<state>/L=<Location>/O=<Org>/OU=<Org Unit>/CN=<serverCN>/emailAddress=<Email>/subjectAltName=DNS.1=<serverCN>,DNS.2=<server>' > <server>.csr
The Splunk documentation doesn't really go into these depths, and speaking to the internal team for signing the CSRs, others usually use IIS or Windows Cert Wizard which just allows you to type these in. Can't seem to find out what the fieldname is behind the screens...
Thanks in Advance
So @garethatiag, unfortunately I am unable to just install whatever software I need on these servers because of strict change controls. I did try your alternate way but was only able to get one SAN to populate the field in the certificate. In the end I used the fields and process found at the following site: http://wiki.cacert.org/FAQ/subjectAltName
After reading this and then going into the config file "$SPLUNK_HOME\openssl.cnf", I found that Splunk has the v3 req extensions turned off by default... (~Line 125)
#req_extensions = v3_req # The extensions to add to a certificate request
Then after uncommenting this, I moved to the stanza "[ v3_req ]" (~Line 217) and added the below as per that wiki page:
subjectAltName = @alt_names
[alt_names]
DNS.1 = <server>
DNS.2 = <server.domain>
DNS.3 = Splunk-ES01
So the commands in the end that I used are the same, because I made the changes in the .cnf file.
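As an added example (not code from this thread or from Splunk), the same config-driven approach scripted end to end in PowerShell: it writes a small stand-alone config with req_extensions enabled and an alt_names list, so the bundled $SPLUNK_HOME\openssl.cnf is left untouched, generates the key and CSR with Splunk's openssl.exe, and then decodes the CSR to confirm every SAN is actually present before it goes to the internal CA (the poster above only got one SAN through). D:\Splunk, the host names and the DN values are assumed placeholders.

```powershell
# Added example, not from the thread. Assumed: Splunk in D:\Splunk, placeholder host names.
$SplunkHome = 'D:\Splunk'
$OpenSsl    = Join-Path $SplunkHome 'bin\openssl.exe'
$Name       = 'splunk-es01'
$Sans       = @('splunk-es01', 'splunk-es01.corp.example', 'splunk-es01-alias.corp.example')

# Build the [alt_names] entries (DNS.1, DNS.2, ...) from the list above.
$altNames = @()
for ($i = 0; $i -lt $Sans.Count; $i++) { $altNames += "DNS.$($i + 1) = $($Sans[$i])" }
$altBlock = $altNames -join "`r`n"

# Self-contained config: req_extensions is ON here, so the default
# "#req_extensions = v3_req" in $SPLUNK_HOME\openssl.cnf does not need editing.
# prompt = no makes openssl take the DN from [req_distinguished_name] instead of asking.
$cnf = @"
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
C  = AU
O  = Example Org
CN = $($Sans[0])

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
$altBlock
"@
Set-Content -Path "$Name.cnf" -Value $cnf -Encoding Ascii

# Private key (no passphrase) and CSR. The SANs come from the config file,
# not from -subj, which only carries the subject DN.
& $OpenSsl genrsa -out "$Name.key" 2048
& $OpenSsl req -new -sha256 -key "$Name.key" -config "$Name.cnf" -out "$Name.csr"

# Check before submitting: decode the CSR and compare the DNS entries it carries
# against the list we asked for.
$text    = & $OpenSsl req -in "$Name.csr" -noout -text
$present = $text | Select-String -Pattern 'DNS:([^,\s]+)' -AllMatches |
           ForEach-Object { $_.Matches } | ForEach-Object { $_.Groups[1].Value }
$missing = $Sans | Where-Object { $present -notcontains $_ }
if ($missing) { Write-Error "CSR is missing SANs: $($missing -join ', ')" }
else          { Write-Output "CSR $Name.csr carries all $($Sans.Count) SANs" }
```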
Glad you got it working, in my environment req_extensions=v3_req was turned on....
openssl req -new -sha256 -key splunk.key -out splunk.csr -subj "/C=AU/..." -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "req_extensions = v3_req\n[SAN]\nsubjectAltName=DNS:anotherdnsname,DNS:cnname"))
Would have worked (or should have worked).
Your answer looks good!
Hi @lmaclean - Did garethatiag's answer help solve your question? If yes, please click "Accept" below the answer to resolve your post. If no, please leave a comment with more information. Thanks!
If you have cygwin I would use:
openssl req -new -sha256 -key splunk.key -out splunk.csr -subj "/C=AU/..." -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "req_extensions = v3_req\n[SAN]\nsubjectAltName=DNS:anotherdnsname,DNS:cnname"))
If not you might want to edit your openssl.cnf to include the line:
[SAN]
subjectAltName=DNS:anotherdnsname,DNS:cnname
And then run:
openssl req -new -sha256 -key splunk.key -out splunk.csr -subj "/C=AU/..." -reqexts SAN -config D:\Splunk\openssl.cnf