Splunk Enterprise

Generate self-signed certificate Windows is there any working docs?? (resolved)


Hello I'm trying to generate self-signed CA for forwarding-indexer communications
I'm follow this doc - http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates
With no any success. When I try to chek my new cert that is combined from three generated earlier with openssl.exe I get next message:

PS C:\Program Files\Splunk\bin> .\openssl.exe x509 -subject -issuer -dates -noout -in preparedServerCertificate.pem
WARNING: can't open config file: \openssl.cnf
unable to load certificate
1924:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

also when I try to use it in inputs.conf I get next message:

ERROR SSLCommon - Can't read key file C:\Program files\Splunk\etc\auth\self-signed-certs\preparedServerCertificate.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.

Does somebody have the right manual to get it working on Windows 2012R2?
My powershell script based on docs lookus as follow (updated and works for me😞

#Splunk new self-signed certs generate
#more info - http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates
$SPLUNK_HOME = "C:\Program files\Splunk"
$pass = "passForSplunk"
$CNroot = "splunk-staging"
$CNserver = "splunk-srv"
$CNforwarders = "splunk-forwarder"
$nl = [Environment]::NewLine 
$env:OPENSSL_CONF = "$SPLUNK_HOME\openssl.cnf"
$certDir = $SPLUNK_HOME+"/etc/auth/self-signed-certs"
$scriptDir = (Get-Item -Path ".\" -Verbose).FullName
$keyLength = 2048

mkdir $SPLUNK_HOME/etc/auth/self-signed-certs
#generate root key srt and pem
.\openssl genrsa -des3 -passout pass:$pass -out $certDir/rootCAPrivateKey.key $keyLength 
.\openssl req -new -key $certDir/rootCAPrivateKey.key -passin pass:$pass -out $certDir/rootca.csr -subj "/C=US/ST=California/L=Berkley/O=Splunk/OU=Test-staging/CN=$CNroot" 
.\openssl x509 -req -in $certDir/rootca.csr -sha1 -signkey $certDir/rootCAPrivateKey.key -passin pass:$pass -CAcreateserial -out $certDir/rootca.pem -days 1095

#Generate and sign server certificate with root CA
.\openssl genrsa -des3 -passout pass:$pass -out $certDir/serverPrivateKey.key $keyLength 
.\openssl req -new -key $certDir/serverPrivateKey.key -passin pass:$pass -out $certDir/serverCertificate.csr -subj "/C=US/ST=California/L=Berkley/O=Splunk/OU=Test-staging/CN=$CNserver" 
.\openssl x509 -req -in $certDir/serverCertificate.csr -sha1 -CA $certDir/rootca.pem -CAkey $certDir/rootCAPrivateKey.key -CAcreateserial -out $certDir/serverCertificate.pem -days 1095 -passin pass:$pass

#Generate and sign forwarder certificate with root CA
.\openssl genrsa -des3 -passout pass:$pass -out $certDir/forwarderPrivateKey.key $keyLength 
.\openssl req -new -key $certDir/forwarderPrivateKey.key -passin pass:$pass -out $certDir/forwarderCertificate.csr -subj "/C=US/ST=California/L=Berkley/O=Splunk/OU=Test-staging/CN=$CNforwarders" 
.\openssl x509 -req -in $certDir/forwarderCertificate.csr -sha1 -CA $certDir/rootca.pem -CAkey $certDir/rootCAPrivateKey.key -CAcreateserial -out $certDir/forwarderCertificate.pem -days 1095 -passin pass:$pass

 #this is not working due to windows SR-LF symbol added at the end of each line:
    #get-content serverCertificate.pem, serverPrivateKey.key, rootCACertificate.pem | out-file preparedServerCertificate.pem
    #this works:
#Consolidate the signed server certificate, the server private key and the CA public key in a single PEM file
cd $certDir
CMD /C "type serverCertificate.pem serverPrivateKey.key rootCA.pem > server.pem"

#Consolidate the signed forwarder certificate, the forwarder private key and the CA public key in a single PEM file
cd $certDir
CMD /C "type forwarderCertificate.pem forwarderPrivateKey.key rootCA.pem > forwarder.pem"

#Updating Splunk inputs.cong to use new self signed certs
$text = "[SSL]"+$nl
$text += "rootCA = $SPLUNK_HOME\etc\auth\self-signed-certs\rootca.pem"+$nl
$text += "serverCert = $SPLUNK_HOME\etc\auth\self-signed-certs\server.pem"+$nl
$text += "password = $pass"+$nl+$nl

$text += "[splunktcp-ssl:9997]"+$nl
$text += "compressed = true"+$nl
Write-host $nl
Write-host "This should be added in $SPLUNK_HOME\etc\system\local\inputs.conf on Splunk indexer:"+nl$ -foregroundcolor yellow
Write-host $text
Write-host "Script ended. Please restart splunkd after updating inputs.conf (net stop splunkd&&net start splunkd)" -foregroundcolor yellow
cd $scriptDir

Howeveer those keyes is not working:
On Server:

error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

On client:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
0 Karma



this one helped me and worked just fine!


but you need the openssl.cnf as mentioned in the threads before 🙂


Gilberto Castillo big thanks for you help!

I've finally made this all work!
The problem was that I was trying to issue and sign server and forwarder certificates with the same CN as root CA,
when I changed them to other CNs all works as expected.

I've updated script in my question in case someone need it for purposes of automation like I need.
I also have trouble to silently install splunk forwarders but this is another thread 🙂

0 Karma

Splunk Employee
Splunk Employee

In Windows the command should be as follows:

>openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr -config $SPLUNK_HOME\openssl.cnf

In my case:

>openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr -config "C:\Program Files\Splunk\openssl.cnf"

Here is an example of the initial procedure.


I hope this helps you.




It was windows SR-LF symbol issue when using cmdlet get-content | out-file

I try concatenate certs with DOS type - and test OK and error in splunk.log gone away.
However now I have another errors on splunk server:

04-01-2015 14:48:07.498 +0000 ERROR TcpInputProc - Error encountered for connection from src= error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

On forwarder:

04-01-2015 14:48:42.053 +0000 ERROR TcpOutputFd - Connection to host= failed. sock_error = 0. SSL Error = error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Please help me to get this staff work.

0 Karma


Did you find a solution to the "certificate verify failed"?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!