How Can I Create a Self-Signed SSL Certificate for TLS (Splunk)


Follow the steps below to generate a self-signed certificate for the Splunk SIEM system.


Prerequisites

1. Log in to the Splunk server.

2. Change to the $SPLUNK_HOME/etc/auth directory of the Splunk installation, by using the following command:

cd /opt/splunk/etc/auth/

3. Create the myCerts directory, by using the following command:

mkdir myCerts

4. Change to the myCerts directory:

cd myCerts


Create a Root Certificate Authority

1. Create a Certificate Authority Private Key, by using the following command:

openssl genrsa -aes256 -passout pass:1234 -out myCAPrivateKey.key 2048

NOTE: Replace "1234" in the "pass" parameter with your own passphrase. The same value is needed in the next step.

2. Remove the passphrase from the private key, by using the following command:

openssl rsa -passin pass:1234 -in myCAPrivateKey.key -out myCAPrivateKey.key


3. Create a root certificate request, by using the following command:

openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr

4. Enter your data into the corresponding fields when prompted.

5. Sign the certificate request, by using the following command:

openssl x509 -req -in myCACertificate.csr -sha512 -signkey myCAPrivateKey.key -CAcreateserial -out myCACertificate.pem -days 1095


Create a Server Certificate

1. Create a server private key, by using the following command:

openssl genrsa -aes256 -passout pass:1234 -out myServerPrivateKey.key 2048


2. Remove the passphrase from the private key, by using the following command:

openssl rsa -passin pass:1234 -in myServerPrivateKey.key -out myServerPrivateKey.key


3. Create a server certificate request, by using the following command:

openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr

4. Enter your data values into the corresponding fields when prompted.

5. Sign the server certificate request, by using the following command:

openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095


Import the Response

1. Combine the server certificate, the server private key and the CA certificate into the single file that Splunk will load, by using the following command:

cat myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > mySplukServerCertificate.pem
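The CA and server certificate steps above, collected into one non-interactive script, as an added example that is not part of the original article. It assumes openssl is on PATH, uses constructed subject names, writes unencrypted keys directly (the article's encrypt-then-strip steps collapsed into one), and adds a chain and key-match check that the article does not include.

```shell
#!/bin/sh
# Added example (not the article's own commands). Writes the same file names the
# article uses into the directory given as $1, e.g. /opt/splunk/etc/auth/myCerts.
set -eu

make_splunk_certs() (
  dir="$1"
  mkdir -p "$dir" && cd "$dir"

  # Root CA: private key, request and self-signed certificate (3 years)
  openssl genrsa -out myCAPrivateKey.key 2048 2>/dev/null
  openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr \
    -subj "/C=XX/O=Example/CN=Splunk Root CA"          # constructed subject
  openssl x509 -req -in myCACertificate.csr -sha512 -signkey myCAPrivateKey.key \
    -out myCACertificate.pem -days 1095 2>/dev/null

  # Server certificate, signed by the CA above; -CAcreateserial writes myCACertificate.srl
  openssl genrsa -out myServerPrivateKey.key 2048 2>/dev/null
  openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr \
    -subj "/C=XX/O=Example/CN=splunk"                   # constructed subject
  openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCACertificate.pem \
    -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095 2>/dev/null

  # Combined file referenced by serverCert in inputs.conf: certificate, key, then CA
  cat myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > mySplukServerCertificate.pem
)

# Returns 0 when the server certificate chains to the CA and the private key
# belongs to that certificate; non-zero otherwise.
verify_splunk_certs() {
  dir="$1"
  openssl verify -CAfile "$dir/myCACertificate.pem" "$dir/myServerCertificate.pem" >/dev/null || return 1
  cert_mod=$(openssl x509 -noout -modulus -in "$dir/myServerCertificate.pem")
  key_mod=$(openssl rsa -noout -modulus -in "$dir/myServerPrivateKey.key" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ]
}

# Usage: ./make_certs.sh /opt/splunk/etc/auth/myCerts
if [ $# -ge 1 ]; then
  make_splunk_certs "$1" && verify_splunk_certs "$1" && echo "certificates OK in $1"
fi
```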


Update the Splunk Configuration

The following certificate files should now exist in the myCerts directory:

Root CA Files

myCACertificate.csr

myCACertificate.pem

myCACertificate.srl

myCAPrivateKey.key

Server Certificate Files

myServerCertificate.csr

myServerCertificate.pem

myServerPrivateKey.key

mySplukServerCertificate.pem


Update the Splunk SSL Settings

1. Open the /opt/splunk/etc/system/local directory, by using the following command:

cd /opt/splunk/etc/system/local


2. Open the inputs.conf file in a text editor.

3. Replace the information in the file with the following:

[default]
host = splunk

[tcp-ssl:9996]
sourcetype = LEEF
disabled = 0

[SSL]
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/myCerts/mySplukServerCertificate.pem
password = 1234
rootCA = $SPLUNK_HOME/etc/auth/myCerts/myCACertificate.pem
requireClientCert = false

NOTE: The password "1234" shown above is only an illustrative example. After the machine restarts, Splunk encrypts the password in the file automatically.

4. Save the changes and close the file.

5. Restart the machine on which Splunk is installed.

6. Check that the configuration is correct, by entering the following command after restarting the machine:

netstat -tulpn

7. If all the parameters in the config file are set correctly, port 9996 will be listed as a listening port.


Import the Certificate

This certificate will be needed for the Management Tool to configure the SIEM integration with Splunk. To import the certificate, do the following:

1. Change to the $SPLUNK_HOME/etc/auth directory, by using the following command:

cd /opt/splunk/etc/auth/

2. Change to the myCerts directory, and convert the mySplukServerCertificate.pem certificate to DER format as mySplukServerCertificate.cer, by using the following command:

openssl x509 -outform der -in mySplukServerCertificate.pem -out mySplukServerCertificate.cer

3. Copy the mySplukServerCertificate.cer certificate over to a computer on which the Management Tool is installed.