Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I change the Common Name (CN) = SplunkServerDefaultCert to the hostname?

SandzVG
Explorer
‎04-26-2015 10:14 PM

Hello,

Splunk cert shows up in our vulnerability report,

The Subject Common Name (CN) found in the X.509 cert doesn't seem to match scan target xx.xx.xx.xx (IP)

More details
Subject CN SplunkServerDefaultCert doesnt match the node name XX.XX.XX.XX (IP)
Subject CN SplunkServerDefaultCert doesnt match the DNS name
Subject CN SplunkServerDefaultCert could not be resolved to an IP address via DNS Lookup.

I'm new to splunk, so requesting admins here on how I could change the CN = SplunkServerDefaultCert to the hostname?

Any help is highly appreciated.

Regards,
Venu

Reply
1 Solution
Solved! Jump to solution
Solution

SandzVG
Explorer
‎05-13-2015 02:11 AM

Hello Guys,

Regenrate self-signed certs if your comp has no CA present , follow the below procedure..

Please take a backup of c:\Program Files\SplunkUniversalForwarder\etc\auth Folder in Windows.
Below commands should be executed from the path c:\Program Files\SplunkUniversalForwarder\etc\auth
When prompted to enter the details in the CERT. during creation.

C=US
ST=SF
L=WD
O=Splunk
OU=SPLUNK
CN=<FQDN of the server> # this is the critical value that has to be the hostname on which the cert is being generated,rest can be anything.
Password : changeme2
emailAddress=<user>@<comp>.com

Generate a New CA key and Cert

            openssl ecparam -out ca-key.pem -genkey -name prime256v1
            openssl req -x509 -new -key ca-key.pem -out ca-cert.pem

Next we generate a CSR to sign the CERT/KEYs

            openssl ecparam -out server-key.pem -genkey -name prime256v1 -noout
            openssl req -new -key server-key.pem -out server-csr.pem

Finally using our CSR we generate a Cert. Here we use the CA we previously generated

10 years

            openssl x509 -req -days 3650 -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Convert cert and key to PEM format

Using Cygwin Bash Shell

            cat server-cert.pem server-key.pem &gt; server.pem

Renamed the below certs as per the call from outputs.conf in splunk.

            ca-cert.pem to cacert.pem
            ca-key.pem to ca.key

Restart the SplunkForwarder and verify the splunkd.log for any CA related errors. If no errors we are good.

NOTE: These are self-signed certs with CN = (hostname FQDN)

i think this is the long story short, good luck

Regards,
Venu

View solution in original post

Reply
Solved! Jump to solution
Solution

SandzVG
Explorer
‎05-13-2015 02:11 AM

Hello Guys,

Regenrate self-signed certs if your comp has no CA present , follow the below procedure..

Please take a backup of c:\Program Files\SplunkUniversalForwarder\etc\auth Folder in Windows.
Below commands should be executed from the path c:\Program Files\SplunkUniversalForwarder\etc\auth
When prompted to enter the details in the CERT. during creation.

C=US
ST=SF
L=WD
O=Splunk
OU=SPLUNK
CN=<FQDN of the server> # this is the critical value that has to be the hostname on which the cert is being generated,rest can be anything.
Password : changeme2
emailAddress=<user>@<comp>.com

Generate a New CA key and Cert

            openssl ecparam -out ca-key.pem -genkey -name prime256v1
            openssl req -x509 -new -key ca-key.pem -out ca-cert.pem

Next we generate a CSR to sign the CERT/KEYs

            openssl ecparam -out server-key.pem -genkey -name prime256v1 -noout
            openssl req -new -key server-key.pem -out server-csr.pem

Finally using our CSR we generate a Cert. Here we use the CA we previously generated

10 years

            openssl x509 -req -days 3650 -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Convert cert and key to PEM format

Using Cygwin Bash Shell

            cat server-cert.pem server-key.pem &gt; server.pem

Renamed the below certs as per the call from outputs.conf in splunk.

            ca-cert.pem to cacert.pem
            ca-key.pem to ca.key

Restart the SplunkForwarder and verify the splunkd.log for any CA related errors. If no errors we are good.

NOTE: These are self-signed certs with CN = (hostname FQDN)

i think this is the long story short, good luck

Regards,
Venu

Reply
Solved! Jump to solution

SandzVG
Explorer
‎05-05-2015 04:28 AM

Ok, then.. after parsing all the .pem files, i found this

the 

C:\Program Files\SplunkUniversalForwarder\etc\auth\server.pem

contains the Subject: CN=SplunkServerDefaultCert, O=SplunkUser

Now i need to re-generate keeping intact the other certs that ship along... any ideas?

Regards,
Venu

0 Karma
Reply
Solved! Jump to solution

SandzVG
Explorer
‎05-04-2015 10:43 PM

Hello Admins,

Could you please provide a way to raise a support case with you guys for investigation. I think this is getting no where.

Regards,

0 Karma
Reply
Solved! Jump to solution

SandzVG
Explorer
‎04-27-2015 11:40 PM

Hello Admins,

Can you help us on how to use the self-signed certs, so that i think we could see this issue in depth,
I believe the problem occurs with the default Installation package which has the default certs, (i am not sure).

Any help in providing the installation guide for the linux setup with certs would certainly help me to start with this..

Thank you in advance.

Regards,
Venu

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...