Self-signed cert creation issues with 4.2.2

shepdelacreme
Engager

I'm having an issue with creating a new CA and then a self-signed server cert for use during forwarder to indexer communication. I have meticulously followed the various guides by Hexx, the Splunk docs, etc., and I consistently get the same error.

Creation of the CA works fine, but once I try to create the server cert and send it for signing, it fails trying to open the CA private key for signing.

The command I run is:

splunk cmd python %SPLUNK_HOME%\bin\genSignedServerCert.py -d *path_to_my_certs* -n *servername* -c *server_common_name* -p

The error shows as follows:

Getting CA Private Key
unable to load CA Private Key
*stuff*:error:*stuff*:digital envelope routines: EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:330:
*stuff*:error:*stuff*:PEM routines:PEM_do_header:bad decrypt:.\crypto\pem\pem_lib.c:428:
Command failed (ret=1), exiting.

I have verified the password on the CA private key and the key itself using:

openssl rsa -text -check -in *my_keyfile*

The above command prompts for the password, which I enter, and it opens and checks the file just fine. The problem, I think, is that "genSignedServerCert.py" has been deprecated and now simply runs:

splunk createssl server-cert -d *path_to_my_certs* -n *servername* -c *server_common_name* -p

The process NEVER asks me to enter the pass phrase to access the CA private key. It asks me to enter a PEM pass phrase for the server private key, but never prompts for the CA private key pass.

Anyone else run into this? Was this genSignedServerCert.py script deprecation recent? I see no mention of the new splunk createssl command in any of the docs. Am I doing something else completely wrong? I thought for a while that it was user error, but I have verified the CA private key pass over and over again and it still fails every single time.


echalex
Builder

Hi,

This is a fairly late answer, but I've run into similar issues. The problem with this seems to be that Splunk really doesn't prompt for the CA password, but assumes it is "password". If you have a look at bin/genRootCA.sh, you'll notice that you can't even choose your own password when creating a CA with the scripts.

So, I'm assuming that you've used a different tool for creating the CA. This means that you also have to use another tool for creating the server certificates. Either you can use the openssl command directly or you can use a wrapper, such as TinyCA. Alternatively, you can set the CA password to "password", even though you created it yourself.

One thing that caught me is that some wrappers will specify the certificate purpose and the OpenSSL library may reject client certificates used as server certificates. So check your settings for this, as well. IIRC, you won't get a proper error message unless you start splunk with the --debug option.
HTH
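As an added example (not code from this thread, from Splunk's scripts, or from TinyCA), here is the "use openssl directly" route the answer suggests, written as a POSIX shell script: a root CA whose private key is encrypted with a passphrase of your own choosing, a server key and CSR, signing with the CA key while passing that passphrase explicitly, and the purpose check the answer mentions. It goes one step beyond the answer by also signing a client-only certificate so the rejection for the sslserver purpose can be seen. Hostnames, organisation names, paths and passphrases are illustrative assumptions; the combined server-cert file (certificate, then key, then CA certificate) follows the layout Splunk's own docs describe for serverCert.

```shell
#!/bin/sh
# Added example: create a CA with your own passphrase and sign a Splunk server
# cert with plain OpenSSL instead of "splunk createssl". All names, paths and
# passphrases below are assumptions for illustration only.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-choose-your-own-ca-passphrase}"   # deliberately not "password"
KEY_PASS="${KEY_PASS:-server-key-passphrase}"
CA_CNF="$WORK/ca.cnf"

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
write_config() {
    cat > "$CA_CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: root CA. The key is encrypted with CA_PASS, the passphrase that the
# Splunk wrapper never prompts for.
make_ca() {
    write_config
    openssl req -x509 -new -newkey rsa:2048 -sha256 -days 1095 \
        -config "$CA_CNF" -extensions v3_ca \
        -subj "/O=Example Org/CN=Example Splunk Root CA" \
        -passout "pass:$CA_PASS" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Mirrors the manual check from the question: the CA key opens with the right
# passphrase and fails with "bad decrypt" for any other one.
ca_key_opens_with() {
    openssl rsa -check -noout -in "$WORK/ca.key" -passin "pass:$1" >/dev/null 2>&1
}

# Steps 2 and 3: server key + CSR, then sign with the CA key, giving the CA
# passphrase explicitly. $2 is the extendedKeyUsage, so both a real server
# cert and a client-only cert can be produced for the purpose check.
sign_cert() {
    name="$1"; eku="$2"; cn="$3"
    openssl req -new -newkey rsa:2048 -sha256 -config "$CA_CNF" \
        -subj "/O=Example Org/CN=$cn" -passout "pass:$KEY_PASS" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    cat > "$WORK/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:$cn
EOF
    openssl x509 -req -sha256 -days 730 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.pem" 2>/dev/null
    # Splunk's serverCert file: certificate, then (still encrypted) key, then CA cert.
    cat "$WORK/$name.pem" "$WORK/$name.key" "$WORK/ca.pem" > "$WORK/$name-bundle.pem"
}

# Step 4: the purpose check. Succeeds only if the cert chains to the CA and is
# acceptable as a TLS server certificate (a client-only EKU is rejected).
usable_as_server() {
    openssl verify -CAfile "$WORK/ca.pem" -purpose sslserver "$WORK/$1.pem" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    make_ca
    sign_cert idx01 "serverAuth,clientAuth" idx01.example.internal
    sign_cert client-only "clientAuth" fwd01.example.internal
    usable_as_server idx01 && echo "idx01: accepted for sslserver purpose"
    usable_as_server client-only || echo "client-only: rejected for sslserver purpose"
    echo "output in $WORK (point serverCert at idx01-bundle.pem, sslRootCAPath at ca.pem)"
fi
```

Run it as `sh make-splunk-certs.sh demo`; set CA_PASS and KEY_PASS in the environment rather than on the command line in anything beyond a lab, since `pass:` arguments are visible in the process list. The `usable_as_server` check is the quick way to catch the client-cert-used-as-server-cert case before Splunk silently refuses the file.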
