Hello,
A Splunk cert shows up in our vulnerability report:
The Subject Common Name (CN) found in the X.509 cert doesn't seem to match scan target xx.xx.xx.xx (IP)
More details
Subject CN SplunkServerDefaultCert doesnt match the node name XX.XX.XX.XX (IP)
Subject CN SplunkServerDefaultCert doesnt match the DNS name
Subject CN SplunkServerDefaultCert could not be resolved to an IP address via DNS Lookup.
I'm new to Splunk, so I'm asking the admins here how I could change the CN = SplunkServerDefaultCert to the hostname.
Any help is highly appreciated.
Regards,
Venu
Hello Guys,
Regenerate self-signed certs if your company has no CA present; follow the procedure below.
Please take a backup of the c:\Program Files\SplunkUniversalForwarder\etc\auth folder in Windows.
The commands below should be executed from the path c:\Program Files\SplunkUniversalForwarder\etc\auth
When prompted during creation, enter these details in the cert:
C=US
ST=SF
L=WD
O=Splunk
OU=SPLUNK
CN=<FQDN of the server> # this is the critical value: it has to be the hostname on which the cert is being generated; the rest can be anything.
Password : changeme2
emailAddress=<user>@<comp>.com
Generate a New CA key and Cert
openssl ecparam -out ca-key.pem -genkey -name prime256v1
openssl req -x509 -new -key ca-key.pem -out ca-cert.pem
Next we generate a CSR to sign the CERT/KEYs
openssl ecparam -out server-key.pem -genkey -name prime256v1 -noout
openssl req -new -key server-key.pem -out server-csr.pem
Finally using our CSR we generate a Cert. Here we use the CA we previously generated
openssl x509 -req -days 3650 -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Convert cert and key to PEM format
cat server-cert.pem server-key.pem > server.pem
Renamed the certs below as per the call from outputs.conf in Splunk.
ca-cert.pem to cacert.pem
ca-key.pem to ca.key
Restart the SplunkForwarder and verify the splunkd.log for any CA related errors. If no errors we are good.
NOTE: These are self-signed certs with CN = (hostname FQDN)
I think this is the long story short, good luck.
Regards,
Venu
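A non-interactive form of the procedure in the post above, with a check that the resulting cert matches the hostname the scanner compared it against. This is an added example, not code from the original post or from Splunk. The function names, the `example.cnf` file, the CA subject and the subjectAltName entry are assumptions; the SAN is included because hostname-verifying clients match against it before the CN.

```bash
#!/usr/bin/env bash
# Added example: every function and file name here is a constructed placeholder.

# make_certs <fqdn> <dir>: private CA plus a server cert whose CN and SAN are <fqdn>.
make_certs() {
  local fqdn="$1" dir="$2"
  mkdir -p "$dir" || return 1
  # Minimal config so the run does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
    '[srv_ext]' "subjectAltName=DNS:$fqdn" > "$dir/example.cnf"
  # CA key and self-signed CA cert (-subj replaces the interactive prompts).
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca-key.pem" &&
  openssl req -x509 -new -key "$dir/ca-key.pem" -days 3650 \
    -config "$dir/example.cnf" -extensions ca_ext \
    -subj "/C=US/O=Example/CN=Example Private CA" -out "$dir/ca-cert.pem" &&
  # Server key and CSR; subject fields follow the values listed in the post.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server-key.pem" &&
  openssl req -new -key "$dir/server-key.pem" -config "$dir/example.cnf" \
    -subj "/C=US/ST=SF/L=WD/O=Splunk/OU=SPLUNK/CN=$fqdn" \
    -out "$dir/server-csr.pem" &&
  # Sign the CSR with the CA and attach the SAN extension.
  openssl x509 -req -days 3650 -in "$dir/server-csr.pem" \
    -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 01 \
    -extfile "$dir/example.cnf" -extensions srv_ext \
    -out "$dir/server-cert.pem" &&
  # Cert followed by key in one file, as in the post.
  cat "$dir/server-cert.pem" "$dir/server-key.pem" > "$dir/server.pem"
}

# cert_matches_host <pem> <hostname>: succeeds only if the cert is valid for <hostname>.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
    grep -q 'does match certificate'
}

# cert_chains_to <pem> <ca-cert>: succeeds only if the first cert in <pem> verifies against the CA.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Running `cert_matches_host` against the shipped server.pem with the forwarder's FQDN reproduces the scanner's mismatch finding before the cert is replaced.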
OK, then... after parsing all the .pem files, I found this:
C:\Program Files\SplunkUniversalForwarder\etc\auth\server.pem
contains the Subject: CN=SplunkServerDefaultCert, O=SplunkUser
Now I need to re-generate it, keeping intact the other certs that ship along... any ideas?
Regards,
Venu
Hello Admins,
Could you please provide a way to raise a support case with you guys for investigation? I think this is getting nowhere.
Regards,
Hello Admins,
Can you help us on how to use the self-signed certs, so that I think we could see this issue in depth.
I believe the problem occurs with the default installation package, which has the default certs (I am not sure).
Any help in providing the installation guide for the Linux setup with certs would certainly help me to start with this.
Thank you in advance.
Regards,
Venu