Hello, I'm trying to generate a self-signed CA for forwarding-indexer communications.
I'm following this doc - http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates
Without any success. When I try to check my new cert, which is combined from the three generated earlier, with openssl.exe, I get the following message:
PS C:\Program Files\Splunk\bin> .\openssl.exe x509 -subject -issuer -dates -noout -in preparedServerCertificate.pem
WARNING: can't open config file: \openssl.cnf
unable to load certificate
1924:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
Also, when I try to use it in inputs.conf, I get the following message:
ERROR SSLCommon - Can't read key file C:\Program files\Splunk\etc\auth\self-signed-certs\preparedServerCertificate.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.
Does somebody have the right manual to get it working on Windows 2012R2?
My PowerShell script, based on the docs, looks as follows (updated and works for me):
#Splunk new self-signed certs generate
#more info - http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates
$SPLUNK_HOME = "C:\Program files\Splunk"
$pass = "passForSplunk"
$CNroot = "splunk-staging"
$CNserver = "splunk-srv"
$CNforwarders = "splunk-forwarder"
$nl = [Environment]::NewLine
$env:OPENSSL_CONF = "$SPLUNK_HOME\openssl.cnf"
$certDir = $SPLUNK_HOME+"/etc/auth/self-signed-certs"
$scriptDir = (Get-Item -Path ".\" -Verbose).FullName
$keyLength = 2048

mkdir $SPLUNK_HOME/etc/auth/self-signed-certs
cd $SPLUNK_HOME/bin

#generate root key, csr and pem
.\openssl genrsa -des3 -passout pass:$pass -out $certDir/rootCAPrivateKey.key $keyLength
.\openssl req -new -key $certDir/rootCAPrivateKey.key -passin pass:$pass -out $certDir/rootca.csr -subj "/C=US/ST=California/L=Berkley/O=Splunk/OU=Test-staging/CN=$CNroot"
.\openssl x509 -req -in $certDir/rootca.csr -sha1 -signkey $certDir/rootCAPrivateKey.key -passin pass:$pass -CAcreateserial -out $certDir/rootca.pem -days 1095

#Generate and sign server certificate with root CA
.\openssl genrsa -des3 -passout pass:$pass -out $certDir/serverPrivateKey.key $keyLength
.\openssl req -new -key $certDir/serverPrivateKey.key -passin pass:$pass -out $certDir/serverCertificate.csr -subj "/C=US/ST=California/L=Berkley/O=Splunk/OU=Test-staging/CN=$CNserver"
.\openssl x509 -req -in $certDir/serverCertificate.csr -sha1 -CA $certDir/rootca.pem -CAkey $certDir/rootCAPrivateKey.key -CAcreateserial -out $certDir/serverCertificate.pem -days 1095 -passin pass:$pass

#Generate and sign forwarder certificate with root CA
.\openssl genrsa -des3 -passout pass:$pass -out $certDir/forwarderPrivateKey.key $keyLength
.\openssl req -new -key $certDir/forwarderPrivateKey.key -passin pass:$pass -out $certDir/forwarderCertificate.csr -subj "/C=US/ST=California/L=Berkley/O=Splunk/OU=Test-staging/CN=$CNforwarders"
.\openssl x509 -req -in $certDir/forwarderCertificate.csr -sha1 -CA $certDir/rootca.pem -CAkey $certDir/rootCAPrivateKey.key -CAcreateserial -out $certDir/forwarderCertificate.pem -days 1095 -passin pass:$pass

#this is not working due to Windows CR-LF symbol added at the end of each line:
#get-content serverCertificate.pem, serverPrivateKey.key, rootCACertificate.pem | out-file preparedServerCertificate.pem
#this works:
#Consolidate the signed server certificate, the server private key and the CA public key in a single PEM file
cd $certDir
CMD /C "type serverCertificate.pem serverPrivateKey.key rootCA.pem > server.pem"

#Consolidate the signed forwarder certificate, the forwarder private key and the CA public key in a single PEM file
cd $certDir
CMD /C "type forwarderCertificate.pem forwarderPrivateKey.key rootCA.pem > forwarder.pem"

#Updating Splunk inputs.conf to use new self signed certs
$text = "[SSL]"+$nl
$text += "rootCA = $SPLUNK_HOME\etc\auth\self-signed-certs\rootca.pem"+$nl
$text += "serverCert = $SPLUNK_HOME\etc\auth\self-signed-certs\server.pem"+$nl
$text += "password = $pass"+$nl+$nl
$text += "[splunktcp-ssl:9997]"+$nl
$text += "compressed = true"+$nl

Write-host $nl
#parentheses are needed so the string and the newline are joined before being passed to Write-host
Write-host ("This should be added in $SPLUNK_HOME\etc\system\local\inputs.conf on Splunk indexer:"+$nl) -foregroundcolor yellow
Write-host $text
Write-host "Script ended. Please restart splunkd after updating inputs.conf (net stop splunkd&&net start splunkd)" -foregroundcolor yellow
cd $scriptDir
However, those keys are not working:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
In Windows the command should be as follows:
>openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr -config $SPLUNK_HOME\openssl.cnf
In my case:
>openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr -config "C:\Program Files\Splunk\openssl.cnf"
Here is an example of the initial procedure.
I hope this helps you.
It was a Windows CR-LF symbol issue when using the cmdlet get-content | out-file.
I tried concatenating the certs with DOS type, and the test is OK and the error in splunk.log has gone away.
However, now I have other errors on the Splunk server:
04-01-2015 14:48:07.498 +0000 ERROR TcpInputProc - Error encountered for connection from src=10.8.0.77:51782. error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
04-01-2015 14:48:42.053 +0000 ERROR TcpOutputFd - Connection to host=10.8.0.7:9997 failed. sockerror = 0. SSL Error = error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Please help me to get this stuff to work.
Gilberto Castillo, big thanks for your help!
I've finally made this all work!
The problem was that I was trying to issue and sign the server and forwarder certificates with the same CN as the root CA;
when I changed them to other CNs, everything works as expected.
I've updated the script in my question in case someone needs it for automation purposes, like I do.
I also have trouble silently installing Splunk forwarders, but this is another thread 🙂
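
Added example (not part of the original thread or of Splunk's documentation): a pre-flight check for the two failures discussed above, run before restarting splunkd. It flags a combined PEM that does not start with plain "-----BEGIN" bytes (Out-File in Windows PowerShell writes UTF-16 by default, which OpenSSL reports as "no start line") and a signed certificate whose subject equals the root CA's subject, which is what reusing the CA's CN with otherwise identical subject fields produces. Paths and file names are the ones used in the question's script; the function names are hypothetical.

```powershell
# Added example: pre-flight checks for the files the script in the question produces.
# Paths and file names come from the thread; the function names are hypothetical.
$SPLUNK_HOME = "C:\Program Files\Splunk"
$certDir = Join-Path $SPLUNK_HOME "etc\auth\self-signed-certs"
$openssl = Join-Path $SPLUNK_HOME "bin\openssl.exe"
$env:OPENSSL_CONF = Join-Path $SPLUNK_HOME "openssl.cnf"

function Test-PemEncoding([string]$Path) {
    # OpenSSL needs single-byte text that starts with "-----BEGIN".
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return "UTF-16 LE BOM" }
    if ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF) { return "UTF-8 BOM" }
    $head = [System.Text.Encoding]::ASCII.GetString($b, 0, [Math]::Min(10, $b.Length))
    if ($head -ne "-----BEGIN") { return "first bytes are not '-----BEGIN'" }
    return $null
}

function Get-CertField([string]$Pem, [string]$Field) {
    # Same openssl x509 call as in the question, one field at a time.
    $line = & $openssl x509 -noout "-$Field" -in $Pem | Where-Object { $_ -like "$Field=*" }
    return ("$line" -replace "^$Field=\s*", "").Trim()
}

function Test-SignedCert([string]$Leaf, [string]$Ca) {
    $problems = @()
    $subject = Get-CertField $Leaf "subject"
    $issuer  = Get-CertField $Leaf "issuer"
    $caName  = Get-CertField $Ca "subject"
    if ($subject -eq $caName) { $problems += "subject equals the root CA subject; use a different CN" }
    if ($issuer -ne $caName)  { $problems += "issuer '$issuer' is not the root CA '$caName'" }
    # Some OpenSSL builds print "error N at depth ..." and still end with OK,
    # so any such line counts as a failure.
    $out = (& $openssl verify -CAfile $Ca $Leaf 2>&1 | Out-String)
    if ($out -match "error \d+ at" -or $out -notmatch "OK") { $problems += "openssl verify: $($out.Trim())" }
    return $problems
}

$ca = Join-Path $certDir "rootca.pem"
foreach ($name in "server", "forwarder") {
    $bundle = Join-Path $certDir "$name.pem"
    $leaf   = Join-Path $certDir "${name}Certificate.pem"
    $issues = @()
    $enc = Test-PemEncoding $bundle
    if ($enc) { $issues += "$bundle : $enc" }
    $issues += @(Test-SignedCert $leaf $ca)
    if ($issues.Count -eq 0) { Write-Host "$name : OK" -ForegroundColor Green }
    else { $issues | ForEach-Object { Write-Host "$name : $_" -ForegroundColor Red } }
}
```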