Running Splunk 6.5.2 & 6.5.3,
We just re-rolled our PKI using Microsoft's Certificate Services, with a RootCA, PolicyCA and Issuing CA.
I've been having a hard time getting our heavy forwarders to communicate to our indexer when "requireClientCert = true".
I've tried several things.
Sent off the openssl CSRs to the Issuing CA to get signed, came back as .der formatted. Ran openssl x509 -in cert.cer -inform der -out cert.pem
Converted to pem format
Concatenated the private key to the server certs: cat privkey-server.pem >> server.pem
Now I've tried a couple of variations here,
I've tried chaining the rootCA together such as the following:
cat policyCA.pem >> issuingCA.pem
cat rootCA.pem >> issuingCA.pem
mv issuingCA.pem cacert.pem
with the config:
serverCert = /opt/splunk/etc/auth/testing/server.pem (the cert I mentioned above)
sslRootCAPath = /opt/splunk/etc/auth/testing/cacert.pem
I've run /opt/splunk/bin/splunk cmd openssl verify -CAfile cacert.pem server.pem
verified the server cert is signed correctly
Did this on both the forwarder and indexer and it failed.
Next I came across some info that, as I understood it, suggested adding the issuing CA and policy CA into the server.pem file and keeping the rootCA.pem alone as the specified sslRootCAPath.
That didn't work either. I get:
10-19-2017 10:38:15.493 -0400 ERROR X509Verify - X509 certificate (CN=ourCompanyCN) failed validation; error=26, reason="unsupported certificate purpose"
10-19-2017 10:38:15.494 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
10-19-2017 10:38:15.494 -0400 ERROR TcpInputProc - Error encountered for connection from src=:50477. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
The Certs generated have the following:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
and further down..
X509v3 Extended Key Usage:
TLS Web Server Authentication
1.3.6.1.4.1.311.21.10:
0.0
Anyone have any ideas? I want to be able to turn on the "requireClientCert = true" setting...
Please help