Root CA password

echalex
Builder

Hi,

I'm testing how to create a new root CA to enable SSL authentication. It seems that the default script for this, genRootCA.sh, doesn't set a password for the certificate by default, but I can change this behaviour with -p.

However, when trying to generate server keys with 'splunk create-ssl server-cert', Splunk doesn't ask for the CA password and is consequently unable to load the CA private key. Is this expected behaviour or a bug? Is it somehow recommended not to protect the CA private key with a password?

0 Karma
1 Solution

echalex
Builder

Answering my own question: the genRootCA.sh script doesn't seem to be created for the purpose of creating more advanced CAs. If you really want to, you can edit the script and change the values of -passin and -passout.

For more generic usage, use your organization's root CA or use OpenSSL to create a new root CA to use with Splunk.

0 Karma
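
What the accepted answer describes, done with plain OpenSSL, as an added example that is not part of the original thread or of Splunk's helper scripts: a root CA whose private key is encrypted via -passout, and a server certificate signed by supplying the same passphrase via -passin. The file names, subject names, validity periods and the passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example: passphrase-protected root CA plus a server certificate signed by it.
# File names, subject names, validity periods and the passphrase are constructed.

make_root_ca() {    # $1 = work dir, $2 = file holding the CA passphrase
    # -passout encrypts the new CA private key with AES-256.
    openssl genrsa -aes256 -passout "file:$2" -out "$1/ca.key" 2048 2>/dev/null &&
    # -passin decrypts the key again so the CA certificate can be self-signed.
    openssl req -new -x509 -sha256 -days 3650 -key "$1/ca.key" \
        -passin "file:$2" -subj "/CN=Example Root CA" -out "$1/ca.pem"
}

make_server_cert() {    # $1 = work dir, $2 = CA passphrase file, $3 = server CN
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=$3" -out "$1/server.csr" &&
    # Signing needs the CA key; with a wrong or missing -passin this step
    # fails because the CA private key cannot be loaded.
    openssl x509 -req -sha256 -days 1095 -in "$1/server.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -passin "file:$2" -out "$1/server.pem"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Keep the passphrase out of argv and shell history: read it from a 0600 file.
    (umask 077; printf '%s\n' 'constructed-demo-passphrase' > "$dir/ca.pass")
    make_root_ca "$dir" "$dir/ca.pass" &&
    make_server_cert "$dir" "$dir/ca.pass" splunk.example.test &&
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```
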

MuS
SplunkTrust

Hi echalex

Your command splunk create-ssl server-cert gives me an error:

Command error: 'create-ssl' is not a valid command. Please run 'splunk help' to
see the valid commands.

But you can find here a perfect instruction from hexx on how to create a CA with Splunk. Hope this helps.

regards

echalex
Builder

MuS, a little late to answer. 🙂 Nope, I haven't. I'm not sure if it's a bug, since I get the feeling the script isn't meant to be used for creating more advanced CAs.

0 Karma

MuS
SplunkTrust

echalex, have you filed a bug report for that?

0 Karma

echalex
Builder

MuS, I have a hard time believing we're all doing it wrong. Sadly, the createssl command isn't well documented at all.
The solution I came to was to disregard the helper scripts and just use the CA.pl script that is included in $SPLUNK_HOME/openssl/misc. I believe it's a standard part of any OpenSSL distribution.

0 Karma

MuS
SplunkTrust

Okay, same here, and same for this guy: http://splunk-base.splunk.com/answers/28342/self-signed-cert-creation-issues-with-422 Maybe it's really a bug, or we are doing it wrong 🙂

0 Karma

MuS
SplunkTrust

Yes, using 4.2.3 as well and many other releases 😉 I will try it tomorrow and see what will happen. cheers

0 Karma

echalex
Builder

The link you sent doesn't mention anything about CA password, which is my main issue, really.

0 Karma

echalex
Builder

Thanks, MuS.

Are you using 4.2.3? I am. (Misspelled the command. It's actually createssl, without the hyphen.):

splunk@srv:/opt/splunk$ bin/genSignedServerCert.sh -d /tmp/ -n test

++python bin/genSignedServerCert.py -d /tmp/ -n test

NOTE: This script is deprecated. Instead, use "splunk createssl server-cert".

...

0 Karma