
Install SSL certificate on Splunk Index cluster master web

Nilesh3110
Explorer

I need to install an SSL certificate on the Splunk index cluster master web. I created the CSR and key on the server and got the certificate from the CA. The certificate provided is in .CRT format. I then got the .PEM format using the below.

cat server_name.csr server_name.key ca_provided_certificate.com.crt > certificate.com.pem

I have updated the web.config file in local with the below settings.

[settings]
enableSplunkWebSSL = true
serverCert = /application/splunk/etc/auth/splunkweb/certificate.com.pem
    

After saving, when I try restarting Splunk, it gets stuck starting the web server with the below error:

Waiting for web server at https://10.0.1.1:8000 to be available...

Can someone please help?

0 Karma

nickhills
Ultra Champion

Is the private key encrypted with a password?

Commonly you would set all three of these parameters:

privKeyPath = <path>
* The path to the file containing the web server SSL certificate private key.
* A relative path is interpreted relative to $SPLUNK_HOME and may not refer
  outside of $SPLUNK_HOME (e.g., no ../somewhere).
* You can also specify an absolute path to an external key.
* See also 'enableSplunkWebSSL' and 'serverCert'.
* No default.

serverCert = <path>
* Full path to the Privacy Enhanced Mail (PEM) format Splunk web server certificate file.
* The file may also contain root and intermediate certificates, if required.
  They should be listed sequentially in the order:
    [ Server SSL certificate ]
    [ One or more intermediate certificates, if required ]
    [ Root certificate, if required ]
* See also 'enableSplunkWebSSL' and 'privKeyPath'.
* Default: $SPLUNK_HOME/etc/auth/splunkweb/cert.pem

sslPassword = <password>
* Password that protects the private key specified by 'privKeyPath'.
* If encrypted private key is used, do not enable client-authentication
  on splunkd server. In [sslConfig] stanza of server.conf,
  'requireClientCert' must be 'false'.
* Optional.
* Default: The unencrypted private key.

serverCert should contain the certificate issued for your server, followed by any intermediates. You should leave the private key in a separate file. It should also NOT contain the CSR.
You may need to convert the crt file to pem, in which case use this command:

openssl x509 -in ca_provided_certificate.com.crt -out certificate.pem

This means your config should look similar to the following

[settings]
enableSplunkWebSSL = true
serverCert = /application/splunk/etc/auth/splunkweb/certificate.pem
privKeyPath = /application/splunk/etc/auth/splunkweb/server_name.key
sslPassword = your PrivateKey password
If my comment helps, please give it a thumbs up!
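
A pre-restart check for the mistake discussed in this thread, as an added example that is not part of the original posts or of Splunk's own tooling: it reads only the PEM block labels to confirm that the serverCert file holds certificates and nothing else, and to tell whether the key file is passphrase-protected and therefore needs sslPassword. The function names and the constructed sample files are assumptions made for illustration.

```shell
# Added example: PEM label lint for the files named in web.conf.
# Only "-----BEGIN ...-----" labels are read; no key material is decoded.

# pem_labels FILE: print the label of every PEM block in FILE, in order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# lint_server_cert FILE: return 0 only if FILE holds certificates and nothing else.
lint_server_cert() {
    labels=$(pem_labels "$1")
    rc=0
    if [ -z "$labels" ]; then
        echo "serverCert: no PEM blocks found"; return 1
    fi
    if [ "$(printf '%s\n' "$labels" | head -n 1)" != "CERTIFICATE" ]; then
        echo "serverCert: first block must be the server certificate"; rc=1
    fi
    if printf '%s\n' "$labels" | grep -q 'CERTIFICATE REQUEST'; then
        echo "serverCert: contains a CSR, remove it"; rc=1
    fi
    if printf '%s\n' "$labels" | grep -q 'PRIVATE KEY'; then
        echo "serverCert: contains a private key, keep it in the privKeyPath file"; rc=1
    fi
    return $rc
}

# key_is_encrypted FILE: return 0 if the key is passphrase-protected,
# either PKCS#8 ("ENCRYPTED PRIVATE KEY") or traditional ("Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# block LABEL: emit one constructed PEM block with a placeholder body (not real data).
block() {
    printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"
}

# make_samples DIR: constructed files mirroring the question (CSR + key + cert)
# and the answer (server certificate followed by an intermediate).
make_samples() {
    { block 'CERTIFICATE REQUEST'; block 'PRIVATE KEY'; block CERTIFICATE; } > "$1/question.pem"
    { block CERTIFICATE; block CERTIFICATE; } > "$1/answer.pem"
    block 'PRIVATE KEY' > "$1/plain.key"
    block 'ENCRYPTED PRIVATE KEY' > "$1/encrypted.key"
}
```

On real files, run `lint_server_cert` against the path set in serverCert and `key_is_encrypted` against the path set in privKeyPath before restarting Splunk.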


swaroopbr
Engager

No, a private key password was not provided.

  1. After using this command
    openssl x509 -in ca_provided_certificate.com.crt -out certificate.pem

  2. Mentioned the below setting in /application/splunk/etc/system/local/web.conf
    [settings]
    enableSplunkWebSSL = true
    serverCert = /application/splunk/etc/auth/splunkweb/certificate.pem
    privKeyPath = /application/splunk/etc/auth/splunkweb/server_name.key

  3. Then, I restarted the Splunk Service.

The issue was fixed.

Thank you for your help nickhillscpl

0 Karma

nickhills
Ultra Champion

That's great news. I have converted my comment to an answer. Please accept it and ^ upvote it if you found it useful so that others in the community can see that it helped.
