Security

Install SSL certificate on Splunk Index cluster master web

Nilesh3110
Explorer

I need to install SSL certificate on splunk Index cluster master web. I created the csr and key on the server and got the certificate from the CA. the certificate provided is in .CRT format. I then got the .PEM format using the below.

cat server_name.csr server_name.key ca_provided_certificate.com.crt > certificate.com.pem

Have updated the web.config file in the local with the below settings .

[settings]
enableSplunkWebSSL = true
serverCert = /application/splunk/etc/auth/splunkweb/certificate.com.pem
    

After saving, when i try restarting the splunk . It stucks starting the web with the below error

Waiting for web server at https://10.0.1.1:8000 to be available...

can someone please help

0 Karma
1 Solution

nickhills
Ultra Champion

Is the provate key encrypted with a password?

Commonly you would set all three of these parameters:

privKeyPath = <path>
* The path to the file containing the web server SSL certificate private key.
* A relative path is interpreted relative to $SPLUNK_HOME and may not refer
  outside of $SPLUNK_HOME (e.g., no ../somewhere).
* You can also specify an absolute path to an external key.
* See also 'enableSplunkWebSSL' and 'serverCert'.
* No default.

serverCert = <path>
* Full path to the Privacy Enhanced Mail (PEM) format Splunk web server certificate file.
* The file may also contain root and intermediate certificates, if required.
  They should be listed sequentially in the order:
    [ Server SSL certificate ]
    [ One or more intermediate certificates, if required ]
    [ Root certificate, if required ]
* See also 'enableSplunkWebSSL' and 'privKeyPath'.
* Default: $SPLUNK_HOME/etc/auth/splunkweb/cert.pem

sslPassword = <password>
* Password that protects the private key specified by 'privKeyPath'.
* If encrypted private key is used, do not enable client-authentication
  on splunkd server. In [sslConfig] stanza of server.conf,
  'requireClientCert' must be 'false'.
* Optional.
* Default: The unencrypted private key.

servercert should contain the certificate issued for your server, followed by any intermediates. You should leave the private key in a seperate file. It should also NOT contain the csr.
You may need to convert the crt file to pem, in which case use this command:

openssl x509 -in ca_provided_certificate.com.cr -out certificate.pem

This means your config should look similar to the following

[settings]
enableSplunkWebSSL = true
serverCert = /application/splunk/etc/auth/splunkweb/certificate.pem
    
privKeyPath =/application/splunk/etc/auth/splunkweb/server_name.key
sslPassword = your PrivateKey  password
If my comment helps, please give it a thumbs up!

View solution in original post

nickhills
Ultra Champion

Is the provate key encrypted with a password?

Commonly you would set all three of these parameters:

privKeyPath = <path>
* The path to the file containing the web server SSL certificate private key.
* A relative path is interpreted relative to $SPLUNK_HOME and may not refer
  outside of $SPLUNK_HOME (e.g., no ../somewhere).
* You can also specify an absolute path to an external key.
* See also 'enableSplunkWebSSL' and 'serverCert'.
* No default.

serverCert = <path>
* Full path to the Privacy Enhanced Mail (PEM) format Splunk web server certificate file.
* The file may also contain root and intermediate certificates, if required.
  They should be listed sequentially in the order:
    [ Server SSL certificate ]
    [ One or more intermediate certificates, if required ]
    [ Root certificate, if required ]
* See also 'enableSplunkWebSSL' and 'privKeyPath'.
* Default: $SPLUNK_HOME/etc/auth/splunkweb/cert.pem

sslPassword = <password>
* Password that protects the private key specified by 'privKeyPath'.
* If encrypted private key is used, do not enable client-authentication
  on splunkd server. In [sslConfig] stanza of server.conf,
  'requireClientCert' must be 'false'.
* Optional.
* Default: The unencrypted private key.

servercert should contain the certificate issued for your server, followed by any intermediates. You should leave the private key in a seperate file. It should also NOT contain the csr.
You may need to convert the crt file to pem, in which case use this command:

openssl x509 -in ca_provided_certificate.com.cr -out certificate.pem

This means your config should look similar to the following

[settings]
enableSplunkWebSSL = true
serverCert = /application/splunk/etc/auth/splunkweb/certificate.pem
    
privKeyPath =/application/splunk/etc/auth/splunkweb/server_name.key
sslPassword = your PrivateKey  password
If my comment helps, please give it a thumbs up!

swaroopbr
Engager

No Private key password was not provided.

  1. After using this command
    openssl x509 -in ca_provided_certificate.com.cr -out certificate.pem

  2. Mentioned the below setting in>>/application/splunk/etc/system/local/web.conf
    [settings]
    enableSplunkWebSSL = true
    serverCert = /application/splunk/etc/auth/splunkweb/certificate.pem


    privKeyPath =/application/splunk/etc/auth/splunkweb/server_name.key

  3. Then, I restarted the Splunk Service.

The issue was fixed.

Thank you for your help nickhillscpl

0 Karma

nickhills
Ultra Champion

Thats great news, I have converted my comment to an answer, Please accept it and ^ upvote it if you found it useful so that others in the community can see that it helepd.

If my comment helps, please give it a thumbs up!
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...