Splunk 7.3.0 : Nessus scan vulnerability reported on splunk ports

Saravanakumar
Observer

Observation

The Nessus scan detected a few certificate errors on the Splunk ports 8089 (management port), 8000 (web UI) and 8191 (MONGOD).

The certificate errors are:

(1) SSL Self-Signed Certificate

(2) SSL Certificate Cannot Be Trusted

(3) SSL Certificate Signed Using Weak Hashing Algorithm

Errors (1) and (2) happened due to the self-signed certificate, and error (3) happened due to it being signed with the SHA1 algorithm.

Action Taken:

Issue:

For 8089 and 8191, it seems to use the default certificate and keys present in the directory “/opt/splunk/etc/auth/”.

For a fresh Splunk installation, the default certificates and keys are generated with “sha256WithRSAEncryption”. This looks good.

But the same Splunk version installed a few years back is signed with SHA1. We removed /opt/splunk/etc/auth/server.pem and restarted splunkd. The new server.pem is generated with SHA256.

Questions:

(1) Other than server.pem, the remaining default certificates present in the /opt/splunk/etc/auth/ directory are signed with SHA1. How can these be converted to SHA256? Can you please help us with the procedure for this?

(2) Can you please clarify which certificate and keys are used for 8089 and 8191?

(3) We are a Splunk licensed customer. Is the Splunk team providing a way to sign and make the certificate trusted?
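
An added example (not part of the original post and not Splunk's own tooling): a read-only audit that reports, for each PEM file in the directory named in the post, the signature algorithm and whether the certificate is self-issued, the two properties behind the three Nessus findings. The function names are hypothetical, the `openssl` CLI is assumed to be installed, and subject == issuer is used as the self-signed indicator.

```shell
#!/bin/sh
# Added example: report signature algorithm and self-issued status for PEM files.
# Function names are hypothetical; /opt/splunk/etc/auth is the path from the post.

# Classify a signature algorithm name as printed by `openssl x509 -text`.
sig_strength() {
  case "$1" in
    *md2*|*MD2*|*md5*|*MD5*|*sha1*|*SHA1*) echo weak ;;
    *) echo ok ;;
  esac
}

# Print "<sigalg>|<self-issued|ca-issued>" for the first certificate in a PEM
# file. Returns non-zero when the file holds no certificate (e.g. key only).
# Subject == issuer is a heuristic: it does not verify the signature itself.
cert_summary() (
  pem=$1
  alg=$(openssl x509 -in "$pem" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ {print $3; exit}')
  [ -n "$alg" ] || return 1
  subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  iss=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  if [ "$subj" = "$iss" ]; then kind=self-issued; else kind=ca-issued; fi
  printf '%s|%s\n' "$alg" "$kind"
)

# Walk a directory and print one line per certificate: strength, file, summary.
audit_dir() (
  dir=${1:-/opt/splunk/etc/auth}
  for f in "$dir"/*.pem; do
    [ -f "$f" ] || continue
    s=$(cert_summary "$f") || continue   # skip files without a certificate
    printf '%-5s %s %s\n' "$(sig_strength "${s%%|*}")" "$f" "$s"
  done
)

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then audit_dir "$1"; fi
```

Lines starting with `weak` are the certificates a scanner would flag for finding (3); `self-issued` entries correspond to findings (1) and (2).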
