Splunk Enterprise Security

Why is splunkd expecting intermediate certs in the trust store?

vtalanki
Path Finder

Hi,

We are exposing our search heads' management port for API access to Splunk and have enabled mTLS. When our users hit the endpoint with certs in the chain format below, Splunk throws the error "(SSL_ERROR_UNKNOWN_CA_ALERT) - Peer does not recognize and trust the CA that issued your certificate."

Our users' certs are in the format below:

<entity>
<intermediate 1>
<intermediate 2>

The Root CA cert that signed the <intermediate 2> cert is in our cacerts.pem file, configured as below in server.conf:

sslRootCAPath=/path/to/cacerts.pem

The expectation is that Splunk should build the chain, and since the Root CA that signed the last intermediate cert is present in its trust store, it should accept the client connection. This is not happening.

However, if we also put both of the above intermediate certs in the cacerts.pem file along with the Root CA cert, the connection is established successfully.

Why is this happening? Shouldn't Splunk be able to build the chain from the user-provided cert and establish a connection without having the intermediates in its trust store? Is there any parameter configuration to achieve this behaviour?
