Splunk Forwarder SSL unsupported certificate purpose?


Running Splunk 6.5.2 & 6.5.3,

We just re-rolled our PKI using Microsoft's Certificate Services, with a RootCA, PolicyCA and Issuing CA.

I've been having a hard time getting our heavy forwarders to communicate to our indexer when "requireClientCert = true".

I've tried several things.
Sent off the openssl CSRs to the Issuing CA to get signed, came back as .der formatted. Ran openssl x509 -in cert.cer -inform der -out cert.pem
Converted to PEM format
Concatenated the private key to the server certs: cat privkey-server.pem >> server.pem

Now I've tried a couple of variations here,
I've tried chaining the rootCA together such as the following:
cat policyCA.pem >> issuingCA.pem
cat rootCA.pem >> issuingCA.pem
mv issuingCA.pem cacert.pem

with the config:
serverCert = /opt/splunk/etc/auth/testing/server.pem (the cert I mentioned above)
sslRootCAPath = /opt/splunk/etc/auth/testing/cacert.pem

I've run /opt/splunk/bin/splunk cmd openssl verify -CAfile cacert.pem server.pem
verified the server cert is signed correctly

Did this on both the forwarder and indexer and it failed.

Next I came across some info that, as I understood it, suggested adding the issuing CA and policy CA into the server.pem file and keeping the rootCA.pem alone as the specified sslRootCAPath.

That didn't work either. I get:
10-19-2017 10:38:15.493 -0400 ERROR X509Verify - X509 certificate (CN=ourCompanyCN) failed validation; error=26, reason="unsupported certificate purpose"
10-19-2017 10:38:15.494 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
10-19-2017 10:38:15.494 -0400 ERROR TcpInputProc - Error encountered for connection from src=:50477. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

The Certs generated have the following:
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment

and further down..
    X509v3 Extended Key Usage:
        TLS Web Server Authentication

Anyone have any ideas? I want to be able to turn on the "requireClientCert = true" setting...
Please help

0 Karma


I ran into this issue myself last night and found that the enhanced key usage on the cert needs to include:

Server Authentication (
Client Authentication (

This doesn't appear to be explicitly stated anywhere in the documentation and should be added.


This seems to be the only place where this information is to be found, thanks @cbtadmin!
It can be checked like this:
/splunk cmd openssl x509 -text -in /opt/splunk/etc/auth/your_server_cert_and_key.pem

You should see a line like this:

X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication

0 Karma
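
The check described in the last reply, as an added example that is not part of the original thread: a POSIX shell function that parses openssl x509 -text output and reports whether the Extended Key Usage covers the server role, the client role, or both. The names check_eku, sample_server_only and sample_both are assumptions, and the sample inputs are constructed from the extension lines quoted in the thread.

```shell
# Added example, not from the thread. Reads `openssl x509 -noout -text` output
# on stdin and checks the Extended Key Usage (EKU only) for a TLS role.
# check_eku and the sample_* functions are hypothetical names.
check_eku() {
    role="${1:-both}"   # server | client | both
    # The EKU values sit on the line after the extension header.
    eku=$(awk '/X509v3 Extended Key Usage:/ { getline; sub(/^[ \t]+/, ""); print; exit }')
    if [ -z "$eku" ]; then
        echo "no Extended Key Usage extension: no EKU restriction applies"
        return 0
    fi
    missing=""
    if [ "$role" != "client" ]; then
        case "$eku" in
            *"TLS Web Server Authentication"*) ;;
            *) missing="$missing serverAuth" ;;
        esac
    fi
    if [ "$role" != "server" ]; then
        case "$eku" in
            *"TLS Web Client Authentication"*) ;;
            *) missing="$missing clientAuth" ;;
        esac
    fi
    if [ -n "$missing" ]; then
        echo "EKU is '$eku'; missing:$missing"
        return 1
    fi
    echo "EKU is '$eku'; sufficient for role '$role'"
}

# Constructed sample: the extension lines quoted in the question.
sample_server_only() {
    printf '%s\n' 'X509v3 extensions:' \
        '    X509v3 Key Usage: critical' \
        '        Digital Signature, Key Encipherment' \
        '    X509v3 Extended Key Usage:' \
        '        TLS Web Server Authentication'
}

# Constructed sample: the EKU line the last reply says to look for.
sample_both() {
    printf '%s\n' '    X509v3 Extended Key Usage:' \
        '        TLS Web Server Authentication, TLS Web Client Authentication'
}

# Demo: the question's certificate fails the client role; the fixed one passes.
sample_server_only | check_eku client || echo "-> unusable as a client certificate"
sample_both | check_eku both
```

To check a real certificate, pipe the output of openssl x509 -noout -text -in <cert.pem> into check_eku both.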