I've just reconfigured Splunk to use our own certificate for the web management, and it worked great. However, I also need that same cert for 8089. It seems like a different process. From the server.conf example...
[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
certCreateScript = genMyServerCert.sh
First off, web.conf asked for a private key and a server cert. Why in this case are the parameters different? Why can't I point to a private key file? And is certCreateScript mandatory? It seems like it's for auto-generating certificates, but I'm providing my own.
You shouldn't use the same web cert for splunkd communications.
The web cert is not encrypted with a key, whereas the splunkd cert should be.
If you encrypt the web cert with a key, then the browser will have to present the key to Splunk Web in order to open Splunk Web (it's not a very common configuration, although there are some institutions/regulations that may require the web cert to be encrypted; it doesn't sound like this is one of them, because you say "I don't have an sslPassword").
A good place to start is to review the April 2016 recording and PDF.
https://wiki.splunk.com/Virtual_.conf
April 2016
When: April 28th
Who: George Starcher and Duane Waddle, Defense Point Security
What: Avoid the SSLippery SSLope of Default SSL
Recording: https://splunk.webex.com/splunk/lsr.php?RCID=da90ccae281af46da9e4a3b46c076a0b
Slides: Media:SplunkTrustApril-SSLipperySlopeRevisited.pdf
This webex refers to a lot of deprecated properties. If you compare their sample vs 7.0.0, it's not even close.
It's true things have been deprecated, but they're easy to map from the presentation to the new field names. The .spec files even show the correct setting:
sslKeysfilePassword = <password>
* DEPRECATED; use 'sslPassword' instead.
In the end it's the same concept for generating certs and securing the environment.
Yes, but I don't have an sslPassword. Do I just leave it empty?
Splunk Web certs don't have passwords but backend connections do. So you'll need to key-encrypt the web cert to use it on the backend...
openssl rsa -aes256 -in /path/to/your/web/privkey.key -out cert.key
cat /path/to/your/web/cert cert.key > cert.pem
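To make the last answer concrete, here is an added, self-contained example (not from the thread or from Splunk) that builds the combined, password-protected server.pem that serverCert/sslPassword in [sslConfig] expect from an unencrypted cert and key, then checks that the key really is encrypted and matches the cert. The certificate it starts from is a throwaway self-signed one generated on the fly, and the passphrase, hostname and working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: turn an unencrypted Splunk Web cert/key pair into the
# encrypted server.pem splunkd wants on 8089. Placeholder values throughout.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SSL_PASSWORD="changeme-placeholder"   # goes into server.conf as sslPassword

# Stand-in for the web cert/key you already have (constructed, self-signed).
make_web_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=splunk.example.test" \
    -keyout "$WORK/web.key" -out "$WORK/web.crt" 2>/dev/null
}

# Encrypt the private key with the passphrase, then bundle cert + encrypted
# key into one PEM file, which is the layout serverCert points at.
build_server_pem() {
  openssl rsa -aes256 -in "$WORK/web.key" -out "$WORK/server.key" \
    -passout "pass:$SSL_PASSWORD" 2>/dev/null
  cat "$WORK/web.crt" "$WORK/server.key" > "$WORK/server.pem"
}

# Checks a practitioner would run before restarting splunkd:
#  1. the bundle carries both a certificate and an ENCRYPTED key block;
#  2. the key unlocks with the passphrase and its modulus matches the cert.
verify_server_pem() {
  grep -q "BEGIN CERTIFICATE" "$WORK/server.pem" || return 1
  grep -q "ENCRYPTED" "$WORK/server.pem" || return 1
  cert_mod=$(openssl x509 -in "$WORK/server.pem" -noout -modulus)
  key_mod=$(openssl rsa -in "$WORK/server.key" -noout -modulus \
              -passin "pass:$SSL_PASSWORD" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ]
}

make_web_cert
build_server_pem
verify_server_pem && echo "OK: $WORK/server.pem ready; set serverCert to it and sslPassword to the passphrase"
```

The resulting [sslConfig] stanza would then point serverCert at that server.pem and set sslPassword to the passphrase used above, instead of the unencrypted key the web.conf side uses.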