Splunk Enterprise

Generate self-signed certificate Windows is there any working docs?? (resolved)

123BLiN
Explorer

Hello, I'm trying to generate a self-signed CA for forwarding-indexer communications.
I'm following this doc - http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates
without any success. When I try to check my new cert, which is combined from the three generated earlier, with openssl.exe, I get the following message:

PS C:\Program Files\Splunk\bin> .\openssl.exe x509 -subject -issuer -dates -noout -in preparedServerCertificate.pem
WARNING: can't open config file: \openssl.cnf
unable to load certificate
1924:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Also, when I try to use it in inputs.conf, I get the following message:

ERROR SSLCommon - Can't read key file C:\Program files\Splunk\etc\auth\self-signed-certs\preparedServerCertificate.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.

Does somebody have the right manual to get it working on Windows 2012R2?
My PowerShell script, based on the docs, looks as follows (updated and works for me):

#Splunk new self-signed certs generate
#more info - http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates
$SPLUNK_HOME = "C:\Program files\Splunk"
$pass = "passForSplunk"
$CNroot = "splunk-staging"
$CNserver = "splunk-srv"
$CNforwarders = "splunk-forwarder"
$nl = [Environment]::NewLine 
$env:OPENSSL_CONF = "$SPLUNK_HOME\openssl.cnf"
$certDir = $SPLUNK_HOME+"/etc/auth/self-signed-certs"
$scriptDir = (Get-Item -Path ".\" -Verbose).FullName
$keyLength = 2048

mkdir $SPLUNK_HOME/etc/auth/self-signed-certs
cd $SPLUNK_HOME/bin
#Generate root CA key, CSR and self-signed PEM certificate
.\openssl genrsa -des3 -passout pass:$pass -out $certDir/rootCAPrivateKey.key $keyLength 
.\openssl req -new -key $certDir/rootCAPrivateKey.key -passin pass:$pass -out $certDir/rootca.csr -subj "/C=US/ST=California/L=Berkley/O=Splunk/OU=Test-staging/CN=$CNroot" 
.\openssl x509 -req -in $certDir/rootca.csr -sha1 -signkey $certDir/rootCAPrivateKey.key -passin pass:$pass -CAcreateserial -out $certDir/rootca.pem -days 1095

#Generate and sign server certificate with root CA
.\openssl genrsa -des3 -passout pass:$pass -out $certDir/serverPrivateKey.key $keyLength 
.\openssl req -new -key $certDir/serverPrivateKey.key -passin pass:$pass -out $certDir/serverCertificate.csr -subj "/C=US/ST=California/L=Berkley/O=Splunk/OU=Test-staging/CN=$CNserver" 
.\openssl x509 -req -in $certDir/serverCertificate.csr -sha1 -CA $certDir/rootca.pem -CAkey $certDir/rootCAPrivateKey.key -CAcreateserial -out $certDir/serverCertificate.pem -days 1095 -passin pass:$pass

#Generate and sign forwarder certificate with root CA
.\openssl genrsa -des3 -passout pass:$pass -out $certDir/forwarderPrivateKey.key $keyLength 
.\openssl req -new -key $certDir/forwarderPrivateKey.key -passin pass:$pass -out $certDir/forwarderCertificate.csr -subj "/C=US/ST=California/L=Berkley/O=Splunk/OU=Test-staging/CN=$CNforwarders" 
.\openssl x509 -req -in $certDir/forwarderCertificate.csr -sha1 -CA $certDir/rootca.pem -CAkey $certDir/rootCAPrivateKey.key -CAcreateserial -out $certDir/forwarderCertificate.pem -days 1095 -passin pass:$pass

#This is not working due to the Windows CR-LF symbol added at the end of each line:
#get-content serverCertificate.pem, serverPrivateKey.key, rootCACertificate.pem | out-file preparedServerCertificate.pem
#This works:
#Consolidate the signed server certificate, the server private key and the CA public key in a single PEM file
cd $certDir
CMD /C "type serverCertificate.pem serverPrivateKey.key rootCA.pem > server.pem"

#Consolidate the signed forwarder certificate, the forwarder private key and the CA public key in a single PEM file
cd $certDir
CMD /C "type forwarderCertificate.pem forwarderPrivateKey.key rootCA.pem > forwarder.pem"



#Updating Splunk inputs.conf to use the new self-signed certs
$text = "[SSL]"+$nl
$text += "rootCA = $SPLUNK_HOME\etc\auth\self-signed-certs\rootca.pem"+$nl
$text += "serverCert = $SPLUNK_HOME\etc\auth\self-signed-certs\server.pem"+$nl
$text += "password = $pass"+$nl+$nl

$text += "[splunktcp-ssl:9997]"+$nl
$text += "compressed = true"+$nl
Write-host $nl
Write-host ("This should be added in $SPLUNK_HOME\etc\system\local\inputs.conf on Splunk indexer:"+$nl) -foregroundcolor yellow
Write-host $text
Write-host "Script ended. Please restart splunkd after updating inputs.conf (net stop splunkd&&net start splunkd)" -foregroundcolor yellow
cd $scriptDir

However, those keys are not working:
On Server:

error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

On client:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
0 Karma

PPape
Contributor

Hi,

this one helped me and worked just fine!

Splunk-SSL-Presentation

but you need the openssl.cnf as mentioned in the threads before 🙂

123BLiN
Explorer

Gilberto Castillo, big thanks for your help!

I've finally made this all work!
The problem was that I was trying to issue and sign server and forwarder certificates with the same CN as the root CA;
when I changed them to other CNs, everything worked as expected.

I've updated the script in my question in case someone needs it for automation purposes, like I do.
I also have trouble silently installing Splunk forwarders, but that is another thread 🙂

0 Karma

Gilberto_Castil
Splunk Employee

In Windows the command should be as follows:

>openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr -config $SPLUNK_HOME\openssl.cnf

In my case:

>openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr -config "C:\Program Files\Splunk\openssl.cnf"

Here is an example of the initial procedure.

YouTube

I hope this helps you.

-gc


123BLiN
Explorer

It was the Windows CR-LF symbol issue when using the cmdlet get-content | out-file.

I tried concatenating the certs with DOS type - the test is OK and the error in splunk.log has gone away.
However, now I have other errors on the Splunk server:

04-01-2015 14:48:07.498 +0000 ERROR TcpInputProc - Error encountered for connection from src=10.8.0.77:51782. error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

On forwarder:

04-01-2015 14:48:42.053 +0000 ERROR TcpOutputFd - Connection to host=10.8.0.7:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Please help me to get this stuff to work.

0 Karma
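
A pre-flight check for the combined PEM files discussed in this thread, covering both failures reported here: a file that OpenSSL cannot read ("no start line") and a server or forwarder certificate that shares its subject with the root CA ("unknown ca" / "certificate verify failed"). This is an added example, not code from the thread or from Splunk; `Get-PemCertificates` and `Test-SplunkPem` are hypothetical helper names, and the file names in the usage comment are taken from the script in the question.

```powershell
# Added example (not from the thread). Helper names are hypothetical.
function Get-PemCertificates([string] $Text) {
    # Return every CERTIFICATE block in the PEM text as an X509Certificate2 object.
    $pattern = '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $der = [Convert]::FromBase64String($m.Groups[1].Value)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
}

function Test-SplunkPem([string] $CombinedPem, [string] $RootCaPem) {
    $problems = @()
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $CombinedPem).Path)

    # 1. Encoding: the PEM reader looks for a line starting with ASCII "-----BEGIN".
    #    Out-File in Windows PowerShell writes UTF-16 LE with a byte-order mark
    #    unless -Encoding is given.
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        return 'UTF-16 LE byte-order mark found; rewrite the file as ASCII'
    }
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        return 'UTF-8 byte-order mark found; rewrite the file as ASCII'
    }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)

    # 2. Block order used in this thread: certificate, private key, CA certificate.
    $labels = @([regex]::Matches($text, '-----BEGIN ([A-Z ]+)-----') |
                ForEach-Object { $_.Groups[1].Value })
    if ($labels.Count -ne 3 -or $labels[0] -ne 'CERTIFICATE' -or
        $labels[1] -notmatch 'PRIVATE KEY$' -or $labels[2] -ne 'CERTIFICATE') {
        $problems += "Unexpected PEM blocks: $($labels -join ', ')"
    }

    # 3. Names: the leaf must be issued by the root CA but must not share its subject
    #    (the cause reported as the fix in this thread).
    $caText = [System.IO.File]::ReadAllText((Resolve-Path $RootCaPem).Path)
    $leaf = @(Get-PemCertificates $text)[0]
    $ca   = @(Get-PemCertificates $caText)[0]
    if (-not $leaf -or -not $ca) { return $problems + 'No certificate could be parsed' }
    if ($leaf.Subject -eq $ca.Subject) { $problems += "Leaf and root CA share subject '$($ca.Subject)'" }
    if ($leaf.Issuer -ne $ca.Subject)  { $problems += "Leaf issuer '$($leaf.Issuer)' is not the root CA" }
    if ($ca.Subject -ne $ca.Issuer)    { $problems += 'Root CA certificate is not self-signed' }
    if ($leaf.NotAfter -lt (Get-Date)) { $problems += "Leaf expired on $($leaf.NotAfter)" }
    $problems
}

# Usage with the file names from the question's script:
# Test-SplunkPem "$certDir\server.pem" "$certDir\rootca.pem"
```

An empty result means none of the checked conditions were found; the function does not verify the signature chain or decrypt the private key.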

jonathan_cooper
Communicator

Did you find a solution to the "certificate verify failed"?

0 Karma