Hi,
I'm testing how to create a new root CA to enable SSL authentication. It seems that the default script for this, genRootCA.sh, doesn't set a password for the certificate by default, but I can change this behaviour with -p.
However, when trying to generate server keys with 'splunk create-ssl server-cert', Splunk doesn't ask for the CA password and is consequently unable to load the CA private key. Is this expected behaviour or a bug? Is it somehow recommended not to protect the CA private key with a password?
Answering my own question: the genRootCA.sh script doesn't seem to be created for the purpose of creating more advanced CAs. If you really want to, you can edit the script and change the values of -passin and -passout.
For more generic usage, use your organization's root CA or use OpenSSL to create a new root CA to use with Splunk.
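The OpenSSL route mentioned in the answer above, as an added example that is not part of the original post and not Splunk's genRootCA.sh: a root CA whose private key is passphrase-protected, and a server certificate signed with it via -passin. The file names, subject names, validity periods and the CA_PASS environment variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not Splunk's own script. File names, subjects and lifetimes
# are assumptions. The CA passphrase is read from the CA_PASS environment
# variable (env: source) so it does not show up in the process list.

# make_root_ca DIR
# Creates an AES-256 encrypted CA key (ca.key) and a self-signed CA cert (ca.pem).
make_root_ca() {
    dir=$1
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$dir/ca.key" -passin env:CA_PASS \
        -subj "/CN=Example Splunk Root CA" -days 3650 -sha256 -out "$dir/ca.pem"
}

# sign_server_cert DIR NAME
# Creates NAME.key and NAME.csr, then signs the CSR with the CA key.
# The signing step fails if CA_PASS does not decrypt ca.key, which is the
# failure described in the question when no passphrase is supplied.
# The server key is left unencrypted here to keep the sketch short.
sign_server_cert() {
    dir=$1
    name=$2
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -subj "/CN=$name" -out "$dir/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -passin env:CA_PASS -CAcreateserial -days 1095 -sha256 \
        -out "$dir/$name.pem" 2>/dev/null
}

# verify_server_cert DIR NAME
# Returns 0 when NAME.pem chains to ca.pem.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}
```

Export CA_PASS in the shell session before calling the functions, and unset it afterwards.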
Hi echalex,
your command splunk create-ssl server-cert gives me an error:
Command error: 'create-ssl' is not a valid command. Please run 'splunk help' to
see the valid commands.
but you can find here a perfect instruction from hexx on how to create a CA with splunk, hope this helps.
regards
MuS, a little late to answer. 🙂 Nope, I haven't. I'm not sure if it's a bug, since I get the feeling the script isn't meant to be used for creating more advanced CAs.
echalex, have you filed a bug report for that?
MuS, I have a hard time believing we're all doing it wrong. Sadly, the createssl command isn't well documented at all.
The solution I came to was to disregard the helper scripts and just use the CA.pl-script that is included in $SPLUNK_HOME/openssl/misc. I believe it's a standard part of any openssl distribution.
Okay, same here, and same for this guy: http://splunk-base.splunk.com/answers/28342/self-signed-cert-creation-issues-with-422 Maybe it's really a bug, or we are doing it wrong 🙂
Yes, using 4.2.3 as well and many other releases 😉 I will try it tomorrow and see what will happen. cheers
The link you sent doesn't mention anything about CA password, which is my main issue, really.
Thanks, MuS.
Are you using 4.2.3? I am. (Misspelled the command. It's actually createssl, without the hyphen.):
splunk@srv:/opt/splunk$ bin/genSignedServerCert.sh -d /tmp/ -n test
++python bin/genSignedServerCert.py -d /tmp/ -n test
NOTE: This script is deprecated. Instead, use "splunk createssl server-cert".
...