Security

How to generate a server.pem key size of 2048?

Explorer

I have a security finding that the server.pem key size is 1024, and needs to be 2048. In the question titled "How to check status of all SSL certificates in Splunk?" the file can be regenerated by moving/deleting it and restarting Splunkd, but this still generates a key size of 1024, which is expected according to the documentation.

I have been unable to find a setting that overrides the default key size. Is this possible, or is there a manual procedure using Splunk's openssl binary that will allow me to get a key size of 2048?

1 Solution

Communicator

You can also add the following lines to the files identified below before you start Splunk for the first time. This will ensure that it generates a 2048 bit key each time as necessary:

$SPLUNK_HOME/etc/system/local/server.conf
[sslConfig]
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert, 2048

$SPLUNK_HOME/etc/system/local/distsearch.conf
[tokenExchKeys]
genKeyScript = $SPLUNK_HOME/bin/splunk, createssl, audit-keys, 2048


Path Finder

Thanks. I followed the steps above, then stopped the Splunk forwarder service, renamed server.pem to server.pem.OLD in the folder C:\Program Files\SplunkUniversalForwarder\etc\auth, and started the service again, which created a new server.pem. The new one is now 4 KB in size and no longer 3 KB.

0 Karma
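
To confirm that a regenerated server.pem carries a 2048-bit key, the certificate can be inspected directly. The script below is an added example, not part of the original thread; it assumes an RSA certificate and an `openssl` binary on PATH, and the function names and the `OPENSSL` variable are hypothetical.

```shell
#!/bin/sh
# Added example: verify the RSA key size of the certificate inside a PEM file.
# Assumption: an openssl binary is on PATH; override with OPENSSL=/path/to/openssl.
OPENSSL="${OPENSSL:-openssl}"

# Read `openssl x509 -noout -text` output on stdin and print the key size in bits.
# Handles "Public-Key: (N bit)", "RSA Public-Key: (N bit)" and the older
# "RSA Public Key: (N bit)" spelling.
key_bits_from_text() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only when $1 is a number and at least $2 (default 2048).
meets_minimum() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -ge "${2:-2048}" ]
}

# Check one PEM file: 0 = key large enough, 1 = too small, 2 = unreadable.
check_pem() {
    bits=$("$OPENSSL" x509 -in "$1" -noout -text 2>/dev/null | key_bits_from_text)
    if meets_minimum "$bits" "${2:-2048}"; then
        echo "OK    $1: ${bits}-bit key"; return 0
    fi
    if [ -z "$bits" ]; then
        echo "ERROR $1: no certificate could be parsed" >&2; return 2
    fi
    echo "FAIL  $1: ${bits}-bit key, need ${2:-2048}" >&2; return 1
}

# Constructed excerpts of openssl text output, used when no file is given.
SAMPLE_OLD='            RSA Public Key: (1024 bit)'
SAMPLE_NEW='                Public-Key: (2048 bit)'

main() {
    if [ "$#" -eq 0 ]; then
        for s in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
            b=$(printf '%s\n' "$s" | key_bits_from_text)
            if meets_minimum "$b"; then echo "sample: $b bit, ok"
            else echo "sample: $b bit, below 2048"; fi
        done
        return 0
    fi
    rc=0
    for f in "$@"; do check_pem "$f" 2048 || rc=1; done
    return "$rc"
}
main "$@"
```

Pass one or more PEM paths as arguments, for example the server.pem under etc/auth; the exit status is non-zero if any file fails the check.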

Communicator

@tmarlette, the steps identified above in the server.conf file are just for the auto generation of self-signed certificates. There are no options, to the best of my knowledge, that allow you to add a host name via this method.

Use the information at http://docs.splunk.com/Documentation/Splunk/latest/Security/SecureSplunkWebusingasignedcertificate for using your own certificates. You are able to configure your own host names and SAN names with the approach at the link provided.

0 Karma

Motivator

Thank you sir! I just wanted to make sure. I thought I had to generate my own, but I was hoping for something easy like this.

0 Karma

Motivator

@rkilen, @jwiedow, is there a way to add the host name to this cert with this command?

0 Karma

Explorer

Thank you, the entry in server.conf solves my problem.

0 Karma

Influencer

To generate your own certificates using openssl, follow the instructions here:

http://docs.splunk.com/Documentation/Splunk/6.4.0/Security/Howtoself-signcertificates

0 Karma