Splunk Enterprise Security

Why is splunkd expecting intermediate certs in the trust store?

vtalanki
Path Finder

Hi,

We are exposing our search heads' management port for API access to Splunk and have enabled mTLS. When our users hit the endpoint with certs in the chain format below, Splunk throws the error "(SSL_ERROR_UNKNOWN_CA_ALERT) - Peer does not recognize and trust the CA that issued your certificate."

Our users' certs are in the format below:

<entity>
<intermediate 1>
<intermediate 2>
The Root CA cert that signed the <intermediate 2> cert is in our cacerts.pem file, configured as below in server.conf:

sslRootCAPath=/path/to/cacerts.pem

The expectation is that Splunk should establish the chain, and since the Root CA that signed the last intermediate cert is present in its trust store, it should accept the client connection. This is not happening.

However, if we put both of the above intermediate certs in the cacerts.pem file along with the Root CA cert, the connection is established successfully.

Why is this happening? Shouldn't Splunk be able to build the chain from the user-provided cert and establish a connection without having the intermediates in its trust store? Is there a configuration parameter to achieve this behaviour?

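An added example, not code from the post and not Splunk's own code, that reproduces the chain-building question with OpenSSL alone. It builds a constructed three-tier PKI with the same shape as the post (the root signs intermediate 2, intermediate 2 signs intermediate 1, intermediate 1 signs the client entity) and then runs `openssl verify` against a trust store holding only the root: first with nothing else, then with the two intermediates offered as untrusted chain material (what a peer sending them in the handshake amounts to), and finally against a cacerts file that also contains the intermediates, which is the workaround the post describes. Subject names, file names and the scratch directory are hypothetical; it needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post, not Splunk code): show what
# standard X.509 path building does with a constructed chain
#     Root CA -> Intermediate 2 -> Intermediate 1 -> client entity
# when the trust store holds only the root. All names are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch directory for keys and certs

# Extensions for CA certificates (root and both intermediates). Without
# CA:TRUE OpenSSL refuses to use a cert as an issuer at all, which is a
# different failure from the missing-intermediate case demonstrated below.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# Extensions for the client (entity) certificate used for mTLS.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
EOF

# newkey_csr NAME CN: create an EC P-256 key and a CSR with the given CN.
newkey_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign_csr NAME ISSUER EXTFILE: sign NAME.csr with ISSUER's key and cert
# (ISSUER=self produces the self-signed root). Only EXTFILE extensions are
# added, so the result does not depend on the local openssl.cnf.
sign_csr() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 30 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

build_pki() {
  newkey_csr root   "Example Root CA";         sign_csr root   self "$WORK/ca.ext"
  newkey_csr int2   "Example Intermediate 2";  sign_csr int2   root "$WORK/ca.ext"
  newkey_csr int1   "Example Intermediate 1";  sign_csr int1   int2 "$WORK/ca.ext"
  newkey_csr entity "api-user";                sign_csr entity int1 "$WORK/leaf.ext"
  # The intermediates the post's users present after their entity cert.
  cat "$WORK/int1.pem" "$WORK/int2.pem" > "$WORK/intermediates.pem"
  # The post's working cacerts.pem: root plus both intermediates.
  cat "$WORK/root.pem" "$WORK/intermediates.pem" > "$WORK/cacerts-with-intermediates.pem"
}

# check_chain TRUSTFILE [UNTRUSTEDFILE]: print "ok" when OpenSSL can build a
# path from entity.pem to a root in TRUSTFILE, "fail" otherwise. UNTRUSTEDFILE
# models intermediates delivered by the peer in the handshake: usable for
# building the path, but not trust anchors in their own right.
check_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/entity.pem" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$WORK/entity.pem" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

build_pki
echo "trust store = root only, no intermediates from peer : $(check_chain "$WORK/root.pem")"
echo "trust store = root only, intermediates from peer    : $(check_chain "$WORK/root.pem" "$WORK/intermediates.pem")"
echo "trust store = root + intermediates (the workaround) : $(check_chain "$WORK/cacerts-with-intermediates.pem")"
```

The first line fails with "unable to get local issuer certificate", the other two succeed. Which line a given server lands on depends on whether the intermediates the client sends actually reach the verifier as untrusted chain material; the script shows what standard path building does with the same inputs, not what splunkd does internally. To confirm that a client really is transmitting the intermediates, `openssl s_client -connect <host>:<port> -cert entity.pem -key entity.key -cert_chain intermediates.pem` sends exactly the chain in the post's format and reports the alert the server returns.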