Running Splunk 6.5.2 & 6.5.3,
We just re-rolled our PKI using Microsoft's Certificate Services, with a RootCA, PolicyCA and Issuing CA.
I've been having a hard time getting our heavy forwarders to communicate to our indexer when "requireClientCert = true".
I've tried several things.
Sent off the openssl CSRs to the Issuing CA to get signed; they came back DER formatted. Ran: openssl x509 -in cert.cer -inform der -out cert.pem
Converted to pem format
Concatenated the private key to the server certs: cat privkey-server.pem >> server.pem
Now I've tried a couple of variations here,
I've tried chaining the rootCA together such as the following:
cat policyCA.pem >> issuingCA.pem
cat rootCA.pem >> issuingCA.pem
mv issuingCA.pem cacert.pem
with the config:
serverCert = /opt/splunk/etc/auth/testing/server.pem (the cert I mentioned above)
sslRootCAPath = /opt/splunk/etc/auth/testing/cacert.pem
I've run /opt/splunk/bin/splunk cmd openssl verify -CAfile cacert.pem server.pem
verified the server cert is signed correctly
Did this on both the forwarder and indexer and it failed.
Next I came across some info that what I understood suggested adding the issuing CA and policy CA into the server.pem file and keeping the rootCA.pem alone as the specified sslRootCAPath.
That didn't work either. I get:
10-19-2017 10:38:15.493 -0400 ERROR X509Verify - X509 certificate (CN=ourCompanyCN) failed validation; error=26, reason="unsupported certificate purpose"
10-19-2017 10:38:15.494 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
10-19-2017 10:38:15.494 -0400 ERROR TcpInputProc - Error encountered for connection from src=:50477. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
The Certs generated have the following:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
and further down...
X509v3 Extended Key Usage:
TLS Web Server Authentication
Anyone have any ideas? I want to be able to turn on the "requireClientCert = true" setting...
I ran into this issue myself last night and found that the enhanced key usage on the cert needs to include:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
This doesn't appear to be explicitly stated anywhere in the documentation and should be added.
This seems to be the only place where this information is to be found, thanks @cbtadmin!
It can be checked like this:
/opt/splunk/bin/splunk cmd openssl x509 -text -in /opt/splunk/etc/auth/your_server_cert_and_key.pem
You should see a line like this:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
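The manual check in the reply above, as a small script: this is an added example, not code from this thread or from Splunk. It parses the text that `splunk cmd openssl x509 -text` prints for a certificate and reports whether the Extended Key Usage carries both TLS Web Server Authentication and TLS Web Client Authentication, which a forwarder cert needs once `requireClientCert = true` makes it present a client certificate (error=26 in the log above is OpenSSL's X509_V_ERR_INVALID_PURPOSE). The two sample outputs are constructed, one for the failing server-only cert and one for a re-issued cert with both purposes; the function names are my own.

```python
import re
import sys

# Constructed sample: what `openssl x509 -text -noout` prints for a cert that only
# carries the serverAuth EKU (the situation described in the question)
SERVER_ONLY = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=ourCompanyCN
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

# Constructed sample: the same cert re-issued with both purposes (the accepted fix)
BOTH_PURPOSES = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=ourCompanyCN
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

# OpenSSL's text names for the two EKU OIDs
SERVER_AUTH = "TLS Web Server Authentication"  # 1.3.6.1.5.5.7.3.1
CLIENT_AUTH = "TLS Web Client Authentication"  # 1.3.6.1.5.5.7.3.2


def parse_extension(text, name):
    """Return the comma-separated values listed under 'X509v3 <name>:' as a set.

    The values sit on the line after the header (the header itself may end in
    'critical'). An absent extension yields an empty set.
    """
    pattern = r"X509v3 " + re.escape(name) + r":[^\n]*\n[ \t]*([^\n]+)"
    m = re.search(pattern, text)
    if not m:
        return set()
    return {v.strip() for v in m.group(1).split(",")}


def check_mutual_tls_cert(text):
    """Return a list of findings; an empty list means the cert can act as
    both the TLS server side and the TLS client side of a Splunk connection."""
    findings = []
    eku = parse_extension(text, "Extended Key Usage")
    # With no EKU extension OpenSSL allows any purpose, so only judge a present one
    if eku:
        for purpose in (SERVER_AUTH, CLIENT_AUTH):
            if purpose not in eku:
                findings.append(f"Extended Key Usage lacks '{purpose}'")
    ku = parse_extension(text, "Key Usage")
    if ku and "Digital Signature" not in ku:
        findings.append("Key Usage lacks 'Digital Signature' (needed to sign the TLS handshake)")
    return findings


def report(label, text):
    """Print a one-line verdict for one certificate dump."""
    findings = check_mutual_tls_cert(text)
    status = "OK" if not findings else "NOT OK: " + "; ".join(findings)
    print(f"{label}: {status}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: openssl x509 -text -noout -in server.pem > dump.txt; python3 check_eku.py dump.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            sys.exit(1 if report(sys.argv[1], fh.read()) else 0)
    report("server-only sample", SERVER_ONLY)
    report("both-purposes sample", BOTH_PURPOSES)
```

Run it against the dump of each forwarder's and the indexer's `serverCert` file; any cert reported NOT OK has to go back to the issuing CA with a template that includes both purposes, since the EKU cannot be changed without re-issuing.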