I'm having an issue with creating a new CA and then a self-signed server cert for use during forwarder to indexer communication. I have meticulously followed the various guides by Hexx, the Splunk docs, etc., and I consistently get the same error.
Creation of the CA works fine but once I try and create the server cert and send it for signing it fails trying to open the CA private key for signing.
The command I run is:
splunk cmd python %SPLUNK_HOME%\bin\genSignedServerCert.py -d *path_to_my_certs* -n *servername* -c *server_common_name* -p
The error shows as follows:
Getting CA Private Key
unable to load CA Private Key
*stuff*:error:*stuff*:digital envelope routines: EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:330:
*stuff*:error:*stuff*:PEM routines:PEM_do_header:bad decrypt:.\crypto\pem\pem_lib.c:428:
Command failed (ret=1), exiting.
I have verified the password on the CA private key and the key itself using:
openssl rsa -text -check -in *my_keyfile*
The above command prompts for the password which I enter and it opens and checks the file just fine. The problem I think is that during the "genSignedServerCert.py" which has been deprecated and now simply runs:
splunk createssl server-cert -d *path_to_my_certs* -n *servername* -c *server_common_name* -p
The process NEVER asks me to enter the pass phrase to access the CA Private Key. It asks for me to enter a PEM pass phrase for the server private key but never prompts for CA private key pass.
Anyone else run into this? Was this genSignedServerCert.py script deprecation recent? I see no mention of the new splunk createssl command in any of the docs. Am I doing something else completely wrong? I thought for a while that it was user error but I have verified the CA private key pass over and over again and it still fails every single time.
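Added example (not part of the original post, and not Splunk's code): "Getting CA Private Key" followed by "unable to load CA Private Key ... bad decrypt" is what older OpenSSL builds print from `openssl x509 -req` when the passphrase supplied for the `-CAkey` file does not decrypt it. The sketch below reproduces that failure with a constructed throwaway CA; the file names, passphrases and function names are assumptions, and it makes no claim about which passphrase `splunk createssl` passes.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and server CSR in a temp directory.
# All names and passphrases below are made up for this example.

make_demo_ca() {
    d=$(mktemp -d) || return 1
    # CA private key, encrypted with the passphrase "ca-secret"
    openssl genrsa -aes256 -passout pass:ca-secret -out "$d/ca.key" 2048 \
        >/dev/null 2>&1 || return 1
    # Self-signed CA certificate
    openssl req -new -x509 -key "$d/ca.key" -passin pass:ca-secret \
        -subj "/CN=Demo CA" -days 1 -out "$d/ca.pem" >/dev/null 2>&1 || return 1
    # Server key (left unencrypted for brevity) and its signing request
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/srv.key" \
        -subj "/CN=demo-server" -out "$d/srv.csr" >/dev/null 2>&1 || return 1
    echo "$d"
}

# Sign the CSR, handing openssl the CA key passphrase non-interactively,
# the way a wrapper script that never prompts would have to.
# $1 = demo directory, $2 = candidate CA key passphrase
sign_with_passphrase() {
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -passin "pass:$2" -days 1 -out "$1/srv.pem" \
        2>"$1/err.log" >/dev/null
}

dir=$(make_demo_ca)
for candidate in ca-secret wrong-guess; do
    if sign_with_passphrase "$dir" "$candidate"; then
        echo "passphrase '$candidate': CA key decrypted, certificate signed"
    else
        echo "passphrase '$candidate': signing failed, openssl said:"
        sed 's/^/    /' "$dir/err.log"
    fi
done
rm -rf "$dir"
```

The key file passes an interactive `openssl rsa -check` in both cases; only the passphrase handed to the signing step differs, which is why checking the key by hand does not rule this failure out.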