
Splunk Forwarder SSL unsupported certificate purpose?

windsurfer30
Explorer

Running Splunk 6.5.2 & 6.5.3,

We just re-rolled our PKI using Microsoft's Certificate Services, with a RootCA, PolicyCA and Issuing CA.

I've been having a hard time getting our heavy forwarders to communicate to our indexer when "requireClientCert = true".

I've tried several things.
Sent off the openssl CSRs to the Issuing CA to get signed; they came back .der formatted. Ran openssl x509 -in cert.cer -inform der -out cert.pem
Converted to pem format
Concatenated the private key to the server certs: cat privkey-server.pem >> server.pem

Now I've tried a couple of variations here,
I've tried chaining the rootCA together such as the following:
cat policyCA.pem >> issuingCA.pem
cat rootCA.pem >> issuingCA.pem
mv issuingCA.pem cacert.pem

with the config:
serverCert = /opt/splunk/etc/auth/testing/server.pem (the cert I mentioned above)
sslRootCAPath = /opt/splunk/etc/auth/testing/cacert.pem

I've run /opt/splunk/bin/splunk cmd openssl verify -CAfile cacert.pem server.pem
verified the server cert is signed correctly

Did this on both the forwarder and indexer and it failed.

Next I came across some info that, as I understood it, suggested adding the issuing CA and policy CA into the server.pem file and keeping the rootCA.pem alone as the specified sslRootCAPath.

That didn't work either. I get:
10-19-2017 10:38:15.493 -0400 ERROR X509Verify - X509 certificate (CN=ourCompanyCN) failed validation; error=26, reason="unsupported certificate purpose"
10-19-2017 10:38:15.494 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
10-19-2017 10:38:15.494 -0400 ERROR TcpInputProc - Error encountered for connection from src=:50477. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

The Certs generated have the following:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment

and further down:
X509v3 Extended Key Usage:
TLS Web Server Authentication
1.3.6.1.4.1.311.21.10:
0.0

Anyone have any ideas? I want to be able to turn on the "requireClientCert = true" setting...
Please help

0 Karma

cbtadmin
Engager

I ran into this issue myself last night and found that the enhanced key usage on the cert needs to include:

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

This doesn't appear to be explicitly stated anywhere in the documentation and should be added.

xpac
SplunkTrust

This seems to be the only place where this information is to be found, thanks @cbtadmin!
It can be checked like this:
/splunk cmd openssl x509 -text -in /opt/splunk/etc/auth/your_server_cert_and_key.pem

You should see a line like this:

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication

0 Karma
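An added check script, not from the thread or from Splunk, that automates the two checks the answers describe: it reads the Extended Key Usage from a PEM certificate and reports which of serverAuth/clientAuth is missing, and it re-runs openssl verify with -purpose, which reproduces the "unsupported certificate purpose" failure that the plain openssl verify in the question does not catch. It assumes an OpenSSL 1.1.1 or newer binary on PATH; the OPENSSL variable and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-flight checks for a
# Splunk TLS cert before enabling requireClientCert = true.
# Assumes OpenSSL 1.1.1+ on PATH. To use Splunk's bundled copy instead, set
#   OPENSSL="/opt/splunk/bin/splunk cmd openssl"
# $OPENSSL is deliberately left unquoted below so that multi-word value splits.
OPENSSL="${OPENSSL:-openssl}"

# Print the EKU value line of certificate $1 (the line that follows the
# "X509v3 Extended Key Usage" header in the -text dump); empty if absent.
cert_eku() {
    $OPENSSL x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Return 0 if $1 carries both serverAuth and clientAuth, 1 otherwise, naming
# whichever is missing. A Splunk peer presents the same cert when it accepts
# connections (server role) and when it forwards to an indexer (client role),
# so both purposes are needed.
eku_ok() {
    eku=$(cert_eku "$1")
    status=0
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "$1: missing EKU serverAuth (1.3.6.1.5.5.7.3.1)"; status=1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "$1: missing EKU clientAuth (1.3.6.1.5.5.7.3.2)"; status=1 ;;
    esac
    return $status
}

# Verify cert $1 against CA bundle $2 for both TLS purposes. Plain
# "openssl verify" (as run in the question) does not check purpose, so it
# passes a cert that Splunk then rejects with error=26; -purpose applies the
# same EKU/keyUsage rules and fails with "unsupported certificate purpose".
verify_purposes() {
    status=0
    for p in sslserver sslclient; do
        if ! $OPENSSL verify -CAfile "$2" -purpose "$p" "$1" >/dev/null 2>&1; then
            echo "$1: fails verification for purpose $p"; status=1
        fi
    done
    return $status
}
```

Run eku_ok and verify_purposes on each forwarder's and indexer's server.pem against the cacert.pem given as sslRootCAPath; both must return 0 before requireClientCert = true will work.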