Splunk Forwarder SSL unsupported certificate purpose?

windsurfer30
Explorer

Running Splunk 6.5.2 & 6.5.3,

We just re-rolled our PKI using Microsoft's Certificate Services, with a RootCA, PolicyCA and Issuing CA.

I've been having a hard time getting our heavy forwarders to communicate to our indexer when "requireClientCert = true".

I've tried several things.
Sent off the openssl CSRs to the Issuing CA to get signed, came back as .der formatted. Ran openssl x509 -in cert.cer -inform der -out cert.pem
Converted to PEM format
Concatenated the private key to the server certs: cat privkey-server.pem >> server.pem

Now I've tried a couple of variations here,
I've tried chaining the rootCA together such as the following:
cat policyCA.pem >> issuingCA.pem
cat rootCA.pem >> issuingCA.pem
mv issuingCA.pem cacert.pem

with the config:
serverCert = /opt/splunk/etc/auth/testing/server.pem (the cert I mentioned above)
sslRootCAPath = /opt/splunk/etc/auth/testing/cacert.pem

I've run /opt/splunk/bin/splunk cmd openssl verify -CAfile cacert.pem server.pem
verified the server cert is signed correctly

Did this on both the forwarder and indexer and it failed.

Next I came across some info that, as I understood it, suggested adding the issuing CA and policy CA into the server.pem file and keeping the rootCA.pem alone as the specified sslRootCAPath.

That didn't work either. I get:
10-19-2017 10:38:15.493 -0400 ERROR X509Verify - X509 certificate (CN=ourCompanyCN) failed validation; error=26, reason="unsupported certificate purpose"
10-19-2017 10:38:15.494 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
10-19-2017 10:38:15.494 -0400 ERROR TcpInputProc - Error encountered for connection from src=:50477. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

The Certs generated have the following:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment

and further down..
X509v3 Extended Key Usage:
TLS Web Server Authentication
1.3.6.1.4.1.311.21.10:
0.0

Anyone have any ideas? I want to be able to turn on the "requireClientCert = true" setting...
Please help

0 Karma

cbtadmin
Engager

I ran into this issue myself last night and found that the enhanced key usage on the cert needs to include:

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

This doesn't appear to be explicitly stated anywhere in the documentation and should be added.

xpac
SplunkTrust

This seems to be the only place where this information is to be found, thanks @cbtadmin!
It can be checked like this:
/splunk cmd openssl x509 -text -in /opt/splunk/etc/auth/your_server_cert_and_key.pem

You should see a line like this:

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication

0 Karma
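
Added example (not from any poster in this thread): a shell script that rebuilds the situation with a throwaway CA and shows why a plain `openssl verify -CAfile` passes while a client-certificate check fails with error 26. The CA, file names and subjects are constructed for the demo, and it assumes the indexer's client-cert validation corresponds to OpenSSL's `sslclient` purpose, which is what the "read client certificate" log lines above indicate.

```shell
#!/bin/sh
# Constructed demo PKI: a throwaway CA and two leaf certs built in a temp dir.
set -eu

# verify_as CA_FILE CERT_FILE [PURPOSE] -> prints "accepted" or "rejected".
# With no PURPOSE, openssl verify checks the chain only, not the EKU.
verify_as() {
    out=$(openssl verify -CAfile "$1" ${3:+-purpose "$3"} "$2" 2>&1) || true
    case "$out" in
        *"error "*) echo rejected ;;
        *": OK"*)   echo accepted ;;
        *)          echo rejected ;;
    esac
}

# build_demo_pki DIR: writes ca.pem, server_only.pem and server_client.pem.
build_demo_pki() (
    cd "$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = Demo CA (constructed)' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout ca.key -out ca.pem -days 2 2>/dev/null
    openssl req -new -config ca.cnf -subj '/CN=demo-forwarder' \
        -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
    serial=1
    # Same key and CSR, signed twice: once with the EKU from the question,
    # once with the EKU pair from the accepted answer.
    for eku in serverAuth serverAuth,clientAuth; do
        printf '%s\n' 'keyUsage = critical,digitalSignature,keyEncipherment' \
            "extendedKeyUsage = $eku" > ext.cnf
        case "$eku" in
            *clientAuth*) name=server_client ;;
            *)            name=server_only ;;
        esac
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
            -set_serial "$serial" -days 2 -extfile ext.cnf \
            -out "$name.pem" 2>/dev/null
        serial=$((serial + 1))
    done
)

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
for cert in server_only server_client; do
    for purpose in "" sslserver sslclient; do
        printf '%-14s purpose=%-9s %s\n' "$cert" "${purpose:-none}" \
            "$(verify_as "$demo_dir/ca.pem" "$demo_dir/$cert.pem" "$purpose")"
    done
done
```

Running the same `-purpose sslclient` check against a real forwarder certificate and CA bundle before enabling requireClientCert shows whether the template needs Client Authentication added.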