Security

How to generate a server.pem key size of 2048?

rkilen
Explorer

I have a security finding that the server.pem key size is 1024, and needs to be 2048. In the question titled "How to check status of all SSL certificates in Splunk?" the file can be regenerated by moving/deleting it and restarting Splunkd, but this still generates a key size of 1024, which is expected according to the documentation.

I have been unable to find a setting that overrides the default key size. Is this possible, or is there a manual procedure using Splunk's openssl binary that will allow me to get a key size of 2048?

1 Solution

jwiedow
Communicator

You can also add the following lines to the files identified below before you start Splunk for the first time. This will ensure that it generates a 2048 bit key each time as necessary:

$SPLUNK_HOME/etc/system/local/server.conf
[sslConfig]
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert, 2048

$SPLUNK_HOME/etc/system/local/distsearch.conf
[tokenExchKeys]
genKeyScript = $SPLUNK_HOME/bin/splunk, createssl, audit-keys, 2048

BastianW
Path Finder

Thanks. I followed the steps above, then stopped the Splunk forwarder service, renamed server.pem to server.pem.OLD in the folder C:\Program Files\SplunkUniversalForwarder\etc\auth, and started the service again, which created a new server.pem. The new one is now 4 KB in size and no longer 3 KB.

0 Karma
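
File size is only an indirect sign of the new key length. The following added example (not part of the original thread and not Splunk code) reads the RSA modulus size straight from each CERTIFICATE block of a PEM file such as server.pem, using only the Python standard library. The function names are hypothetical, and it assumes the certificate carries an RSA key.

```python
import base64, re, sys

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    out = []
    while start < end:
        tag, vs, ve = tlv(buf, start)
        out.append((tag, vs, ve))
        start = ve
    return out

def rsa_bits(buf, start=0, end=None):
    """Depth-first search for SubjectPublicKeyInfo{rsaEncryption}; return modulus bits."""
    kids = children(buf, start, len(buf) if end is None else end)
    if len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03:
        alg = children(buf, kids[0][1], kids[0][2])
        if alg and alg[0][0] == 0x06 and buf[alg[0][1]:alg[0][2]] == RSA_OID:
            _, ks, _ = tlv(buf, kids[1][1] + 1)   # skip BIT STRING unused-bits octet
            _, ms, me = tlv(buf, ks)              # first INTEGER of RSAPublicKey = modulus
            return int.from_bytes(buf[ms:me], "big").bit_length()
    for tag, vs, ve in kids:
        if tag & 0x20:                     # constructed element: descend into it
            bits = rsa_bits(buf, vs, ve)
            if bits:
                return bits
    return None

def pem_cert_key_bits(pem_text):
    """RSA modulus size (or None) for every CERTIFICATE block in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [rsa_bits(base64.b64decode(b)) for b in blocks]

def meets_minimum(pem_text, minimum=2048):
    """True only if at least one certificate exists and all have RSA keys >= minimum bits."""
    sizes = pem_cert_key_bits(pem_text)
    return bool(sizes) and all(s is not None and s >= minimum for s in sizes)

if __name__ == "__main__" and len(sys.argv) > 1:   # argument: path to the PEM file
    text = open(sys.argv[1]).read()
    print(pem_cert_key_bits(text), "OK" if meets_minimum(text) else "BELOW 2048")
```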

jwiedow
Communicator

@tmarlette, the steps identified above in the server.conf file are just for the auto generation of self-signed certificates. There are no options, to the best of my knowledge, that allow you to add a host name via this method.

Use the information at http://docs.splunk.com/Documentation/Splunk/latest/Security/SecureSplunkWebusingasignedcertificate for using your own certificates. You are able to configure your own host names and SAN names with the approach at the link provided.

0 Karma

tmarlette
Motivator

Thank you sir! I just wanted to make sure. I thought I had to generate my own, but I was hoping for something easy like this.

0 Karma

tmarlette
Motivator

@rkilen, @jwiedow, is there a way to add the host name to this cert with this command?

0 Karma

rkilen
Explorer

Thank you, the entry in server.conf solves my problem.

0 Karma

jplumsdaine22
Influencer

To generate your own certificates using openssl, follow the instructions here:

http://docs.splunk.com/Documentation/Splunk/6.4.0/Security/Howtoself-signcertificates

0 Karma