Getting Data In

How to generate CSR files with SubjectAltNames (SANs) on Windows?

Path Finder

Hi,

Using Splunk (v6.5.0) on Windows Server 2008 R2 Datacenter, trying to generate CSR files using the built-in openssl via PowerShell following this documentation: http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Getthird-partycertificatesforSplunkWeb#Cr...
The CSRs will then be used by the organisation's internal CA (Windows) to get the .cer file.

But it doesn't mention anything regarding adding in SANs, so that I can add in the multiple CNAMEs created for each of the servers in the deployment. Tried following some guides on Google for openssl e.g. http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html with the codes I was using being along these lines:

..\..\..\bin\openssl.exe genrsa -des3 -out <server>.key 2048 -config D:\Splunk\openssl.cnf  
..\..\..\bin\openssl.exe rsa -in <server>.key -out <server>.key 
..\..\..\bin\openssl.exe req -new -key <server>.key -sha512 -nodes -config D:\Splunk\openssl.cnf -subj '/C=<Country>/ST=<state>/L=<Location>/O=<Org>/OU=<Org Unit>/CN=<serverCN>/emailAddress=<Email>/subjectAltName=DNS.1=<serverCN>,DNS.2=<server>' > <server>.csr

The Splunk documentation doesn't really go into these depths, and speaking to the internal team for signing the CSRs, others usually use IIS or Windows Cert Wizard which just allows you to type these in. Can't seem to find out what the fieldname is behind the screens...

Thanks in Advance

0 Karma
1 Solution

Path Finder

So @garethatiag unfortuantetly am unable to just install whatever software I need on these servers because of strict change controls, did try your alternate way but was only able to get one SAN to populate the field in the certificate. In the end I used the fields and process found at the following site: http://wiki.cacert.org/FAQ/subjectAltName

Which after reading this, then going into the config file "$SPLUNK_HOME\openssl.cnf" found that Splunk has the v3 req extentions turned off by default... (~Line 125)

#req_extensions = v3_req # The extensions to add to a certificate request

Then after uncommenting this, I moved to the stanaz "[ v3_req ]" (~Line 217) and added the below as per that wiki page:

subjectAltName = @alt_names

[alt_names]
DNS.1 = <server>
DNS.2 = <server.domain>
DNS.3 = Splunk-ES01

So the commands in the end that I used are the same because I made the changes in the .cnf file

View solution in original post

Path Finder

So @garethatiag unfortuantetly am unable to just install whatever software I need on these servers because of strict change controls, did try your alternate way but was only able to get one SAN to populate the field in the certificate. In the end I used the fields and process found at the following site: http://wiki.cacert.org/FAQ/subjectAltName

Which after reading this, then going into the config file "$SPLUNK_HOME\openssl.cnf" found that Splunk has the v3 req extentions turned off by default... (~Line 125)

#req_extensions = v3_req # The extensions to add to a certificate request

Then after uncommenting this, I moved to the stanaz "[ v3_req ]" (~Line 217) and added the below as per that wiki page:

subjectAltName = @alt_names

[alt_names]
DNS.1 = <server>
DNS.2 = <server.domain>
DNS.3 = Splunk-ES01

So the commands in the end that I used are the same because I made the changes in the .cnf file

View solution in original post

SplunkTrust
SplunkTrust

Glad you got it working, in my environment req_extensions=v3_req was turned on....

openssl req -new -sha256 -key splunk.key -out splunk.csr -subj "/C=AU/..." -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "req_extensions = v3_req\n[SAN]\nsubjectAltName=DNS:anotherdnsname,DNS:cnname")) -out splunk.csr

Would have worked (or should have worked).

Your answer looks good!

0 Karma

Splunk Employee
Splunk Employee

Hi @lmaclean - Did garethatiag's answer help solve your question? If yes, please click "Accept" below the answer to resolve your post. If no, please leave a comment with more information. Thanks!

0 Karma

SplunkTrust
SplunkTrust

If you have cygwin I would use:
openssl req -new -sha256 -key splunk.key -out splunk.csr -subj "/C=AU/..." -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
<(printf "req_extensions = v3_req\n[SAN]\nsubjectAltName=DNS:anotherdnsname,DNS:cnname")) -out splunk.csr

If not you might want to edit your openssl.cnf to include the line:
[SAN]
subjectAltName=DNS:anotherdnsname,DNS:cnname

And then run the :
openssl req -new -sha256 -key splunk.key -out splunk.csr -subj "/C=AU/..." -reqexts SAN -config D:\Splunk\openssl.cnf -out splunk.csr