Splunk Search

How do I change the Common Name (CN) = SplunkServerDefaultCert to the hostname?

SandzVG
Explorer

Hello,

Splunk cert shows up in our vulnerability report,

The Subject Common Name (CN) found in the X.509 cert doesn't seem to match scan target xx.xx.xx.xx (IP)

More details
Subject CN SplunkServerDefaultCert doesnt match the node name XX.XX.XX.XX (IP)
Subject CN SplunkServerDefaultCert doesnt match the DNS name
Subject CN SplunkServerDefaultCert could not be resolved to an IP address via DNS Lookup.

I'm new to splunk, so requesting admins here on how I could change the CN = SplunkServerDefaultCert to the hostname?

Any help is highly appreciated.

Regards,
Venu

1 Solution

SandzVG
Explorer

Hello Guys,

Regenrate self-signed certs if your comp has no CA present , follow the below procedure..

Please take a backup of c:\Program Files\SplunkUniversalForwarder\etc\auth Folder in Windows.
Below commands should be executed from the path c:\Program Files\SplunkUniversalForwarder\etc\auth
When prompted to enter the details in the CERT. during creation.

C=US
ST=SF
L=WD
O=Splunk
OU=SPLUNK
CN=<FQDN of the server> # this is the critical value that has to be the hostname on which the cert is being generated,rest can be anything.
Password : changeme2
emailAddress=<user>@<comp>.com

Generate a New CA key and Cert

            openssl ecparam -out ca-key.pem -genkey -name prime256v1
            openssl req -x509 -new -key ca-key.pem -out ca-cert.pem

Next we generate a CSR to sign the CERT/KEYs

            openssl ecparam -out server-key.pem -genkey -name prime256v1 -noout
            openssl req -new -key server-key.pem -out server-csr.pem

Finally using our CSR we generate a Cert. Here we use the CA we previously generated

10 years

            openssl x509 -req -days 3650 -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Convert cert and key to PEM format

Using Cygwin Bash Shell

            cat server-cert.pem server-key.pem &gt; server.pem

Renamed the below certs as per the call from outputs.conf in splunk.

            ca-cert.pem to cacert.pem
            ca-key.pem to ca.key

Restart the SplunkForwarder and verify the splunkd.log for any CA related errors. If no errors we are good.

NOTE: These are self-signed certs with CN = (hostname FQDN)

i think this is the long story short, good luck

Regards,
Venu

View solution in original post

SandzVG
Explorer

Hello Guys,

Regenrate self-signed certs if your comp has no CA present , follow the below procedure..

Please take a backup of c:\Program Files\SplunkUniversalForwarder\etc\auth Folder in Windows.
Below commands should be executed from the path c:\Program Files\SplunkUniversalForwarder\etc\auth
When prompted to enter the details in the CERT. during creation.

C=US
ST=SF
L=WD
O=Splunk
OU=SPLUNK
CN=<FQDN of the server> # this is the critical value that has to be the hostname on which the cert is being generated,rest can be anything.
Password : changeme2
emailAddress=<user>@<comp>.com

Generate a New CA key and Cert

            openssl ecparam -out ca-key.pem -genkey -name prime256v1
            openssl req -x509 -new -key ca-key.pem -out ca-cert.pem

Next we generate a CSR to sign the CERT/KEYs

            openssl ecparam -out server-key.pem -genkey -name prime256v1 -noout
            openssl req -new -key server-key.pem -out server-csr.pem

Finally using our CSR we generate a Cert. Here we use the CA we previously generated

10 years

            openssl x509 -req -days 3650 -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Convert cert and key to PEM format

Using Cygwin Bash Shell

            cat server-cert.pem server-key.pem &gt; server.pem

Renamed the below certs as per the call from outputs.conf in splunk.

            ca-cert.pem to cacert.pem
            ca-key.pem to ca.key

Restart the SplunkForwarder and verify the splunkd.log for any CA related errors. If no errors we are good.

NOTE: These are self-signed certs with CN = (hostname FQDN)

i think this is the long story short, good luck

Regards,
Venu

SandzVG
Explorer

Ok, then.. after parsing all the .pem files, i found this

the

C:\Program Files\SplunkUniversalForwarder\etc\auth\server.pem

contains the Subject: CN=SplunkServerDefaultCert, O=SplunkUser

Now i need to re-generate keeping intact the other certs that ship along... any ideas?

Regards,
Venu

0 Karma

SandzVG
Explorer

Hello Admins,

Could you please provide a way to raise a support case with you guys for investigation. I think this is getting no where.

Regards,

0 Karma

SandzVG
Explorer

Hello Admins,

Can you help us on how to use the self-signed certs, so that i think we could see this issue in depth,
I believe the problem occurs with the default Installation package which has the default certs, (i am not sure).

Any help in providing the installation guide for the linux setup with certs would certainly help me to start with this..

Thank you in advance.

Regards,
Venu

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...