Security

Self-signed certificate without warnings?

Path Finder

Has anybody figured out how to use a self-signed certificate without getting a warning that it's invalid?
I can access Splunk anyway and it does in fact use my certificate, but for the long haul I would want there to be no annoying warnings.
I followed these instructions exactly:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Self-signcertificatesforSplunkWeb
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/SecureSplunkWebusingasignedcertificate
I imported the myCACertificate.pem into Chrome by the way.
It's also a testing environment with no live feeds.

0 Karma

Path Finder

As a workaround, Firefox accepts the certificate with a green lock icon.

0 Karma

Path Finder

Chrome is telling me the certificate is invalid because it doesn't specify Subject Alternative Names.
I tried following instructions from these two links:
https://answers.splunk.com/answers/476596/how-to-generate-csr-files-with-subjectaltnames-san.html
https://www.hurricanelabs.com/splunk-tutorials/splunk-certificates-master-guide
Basically, editing the file $SPLUNKHOME/openssl/openssl.cnf to uncomment the line "reqextensions = v3req" and included this under the stanza [v3req]: subjectAltName=DNS:splunk.a.b.c.d, DNS:splunk, IP:127.0.0.1
Obviously, a.b.c.d is replaced with the real domain. For info, I access splunk web using the internal URL https://splunk:8000

0 Karma

New Member

Did you ever manage to add SAN into the pem? I have it in the csr, but not in the final pem.
I assume it should be seen from the myCACertificate.pem file after this? Looks like it is not.

/opt/splunk/bin/splunk cmd openssl x509 -req -in myCACertificate.csr -sha256 -signkey myCAPrivateKey.key -CAcreateserial -out myCACertificate.pem -days 3650

0 Karma