I have a Windows 2008 server running Splunkweb and I need to configure it to work with the certificate I've obtained through my organization. I was able to generate the CSR with some instructions I found on the web but cannot seem to convert it for use with Splunk. The docs do not appear to have anything specific to Windows and refer to shell scripts on Linux. Any help would be appreciated.
I'm bad with certificates and using the guides that are out there always made me end up with errors in Firefox and Chrome, possibly because of the way our AD CA is configured.
Anyway, the following process finally worked out great:
We have a standard process to request certs from our AD CA, out of the regular Windows certificate MMC. With that I end up with a CER file I install in Windows.
Then again from the certificate MMC, I export that to a PFX file, check to include the private key, check to include all certs and give it a password.
Then download OpenSSL and run the following commands to convert the PFX to a PEM and then export the KEY from the PEM:
Openssl pkcs12 -in export.pfx -out cacert.pem
Openssl rsa -in cacert.pem -out servername.key
Put the cacert.pem and servername.key in \Splunk\etc\auth\mycerts
Edit the web.conf under \Splunk\etc\system\local
[settings]
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = C:\Program Files\Splunk\etc\auth\mycerts\servername.key
serverCert = C:\Program Files\Splunk\etc\auth\mycerts\cacert.pem
Restart Splunk.
I followed the instructions here
https://yaleman.org/2013/12/13/splunk-web-interface-ssl-certificates-microsoft-ad-ca/
and it worked like a charm.
These instructions are far from clear. Would it be possible to create an instruction set that begins with an exported PFX (PKCS#12) from the Microsoft Certificate Management Console?
Also, is it possible to use the Microsoft-provided Key Storage Provider, or am I expected to put the web server's private key - passwordless - into my server's filesystem? What if my corporate policies prevent me from exporting the private key? What if I wanted to use an HSM or TPM as my Key Storage Provider?
Thanks to Ed Fisher:
To convert the Windows CER file to PEM, run C:\Program Files\Splunk\bin>openssl x509 -in certnew.cer -inform DER -out cert.pem -outform PEM
If you're trying to use a certificate that is issued by your own organization, then the process has basically nothing to do with Splunk. While you could use the instructions provided by Splunk (which is simply using openssl) to generate the certificate request, you don't have to. You should follow whatever the standard procedures are for your organization to request a certificate.
The process of generating the certificate request should also generate a private key, and submitting the request to be signed by your organization's certificate authority will get you a public key. You should also be able to obtain your CA's public key (and any other public keys in the chain above it as needed until you get to an authority that is trusted by your browser, e.g., one of the trusted Root CAs, or one that your organization provides for you to import).
These three items should be all you need. The keys should be in PEM format certificates for use with Splunk. If they are not, you can easily convert them with the openssl command-line tool that is provided with Splunk. The private key must also have no password. If it has one, openssl can remove it.
If you update this question with details of what you have obtained, we can offer more specific help.
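A preflight check for the two requirements stated in the answer above (files in PEM format, private key with no password), as an added example that is not part of the original thread or of Splunk's own tooling. The function names and the sample inputs are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Matches one PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Constructed samples: the base64 bodies are placeholders, not real keys or certs.
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CERT = "Bag Attributes\n-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"

def pem_blocks(text):
    """Return (label, body) for every PEM block found in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def key_is_encrypted(label, body):
    """True if a private-key block is protected by a password."""
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted form
        return True
    # Traditional form (e.g. "RSA PRIVATE KEY") flags encryption in a header line.
    return "Proc-Type: 4,ENCRYPTED" in body

def check_splunkweb_files(key_text, cert_text):
    """Return a list of problems; an empty list means both files pass."""
    problems = []
    keys = [(l, b) for l, b in pem_blocks(key_text) if l.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("key file: no PEM private key block (DER or wrong file?)")
    elif any(key_is_encrypted(l, b) for l, b in keys):
        problems.append("key file: private key is password protected")
    certs = [l for l, _ in pem_blocks(cert_text) if l.endswith("CERTIFICATE")]
    if not certs:
        problems.append("cert file: no PEM CERTIFICATE block (DER or PKCS7?)")
    return problems

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <key file> <cert file>
        # latin-1 never fails to decode, so binary DER input is reported, not crashed on
        key_text = Path(sys.argv[1]).read_text(encoding="latin-1")
        cert_text = Path(sys.argv[2]).read_text(encoding="latin-1")
    else:
        key_text, cert_text = SAMPLE_ENCRYPTED_KEY, SAMPLE_CERT
    for line in check_splunkweb_files(key_text, cert_text) or ["ok"]:
        print(line)
```

Run it with the key file and the certificate file as arguments before restarting Splunk; with no arguments it checks the constructed samples.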
I am having an issue configuring a cert on Windows for Splunk Web. What is the openssl command to get the .pem and .key from a PFX (PKCS#12), to use in web.conf for the parameters privKeyPath and caCertPath?
Cdavidy - Did you have any luck?
cdavidy, make sure your private key doesn't have a password, otherwise web will not respond...
I've received a cert from my provider. However, I receive an error message when trying to convert it from DEB format to PEM. I obtained a PKCS7 format version of the cert and converted it normally. However the Splunk web does not respond when I try to log in. Am I missing something?
