Replacing the Default Splunk Web SSL Certificate

This post goes over how to sign a SplunkWeb Certificate Signing Request (CSR) using my Root CA in pfSense. I do not cover creating the Root CA.

Step 1: Create the directory for the certificates

Step 2: Generate the private key and temporary password

Step 3: Remove the password from the private key

SplunkWeb does not support private key passwords.

Step 4: Generate the Certificate Signing Request (CSR)

Step 5: Copy and paste the output into the pfSense CSR data form field

The CSR is usually created in Base64-encoded PEM format.

Step 6: Save and export the Server Certificate and the CA Public Key.

If you hover over the first green icon, it will say “Export Certificate”. The certificates will have a .crt extension, but you can change them to .pem.

Step 7: Combine the Server Certificate and CA Public Certificate in that order

Before you continue, validate that SplunkWebCert.pem, CACert.pem, and CombinedCert.pem all have the same output.

If they all result in the same hash, continue to the next step. Otherwise, you probably concatenated the public cert and CA cert in the wrong order.

Step 8: Modify $SPLUNK_HOME/etc/system/local/web.conf to reflect the new certificates

You can use relative or absolute paths. Below I have opted to use relative paths.

Step 9: Restart Splunk

Step 10: Browse to your Splunk Instance and verify it uses the newly created certificate.

If you don’t want to see the SSL warnings, you will have to ensure that your Root CA and any Intermediates are installed in your browser(s).
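The key, CSR and bundle steps above can be scripted with openssl; the following is an added example, not the commands from the original post. It assumes a throwaway local CA in place of pfSense so it runs offline, and the key/CSR file names, subject names and passphrase are constructed placeholders. The public-key comparison in `check_bundle` is this example's own pre-deployment check.

```shell
#!/bin/sh
# Added example, not the post's own commands. pfSense signs the CSR in the post
# (steps 5-6); a throwaway local CA stands in here so the script runs offline.
# SplunkWebKey*.key, SplunkWeb.csr, ca.key, the subject names and the
# passphrase are constructed placeholders.
set -eu

build_certs() {  # $1 = certificate directory (step 1)
    mkdir -p "$1"
    ( cd "$1" && umask 077
      # Step 2: RSA key encrypted under a temporary passphrase. A pass: value
      # on the command line shows in the process list; use throwaway values only.
      openssl genrsa -aes256 -passout pass:temp-pass -out SplunkWebKey.enc.key 2048
      # Step 3: write an unencrypted copy for Splunk Web (owner-readable only).
      openssl rsa -in SplunkWebKey.enc.key -passin pass:temp-pass -out SplunkWebKey.key
      # Step 4: CSR in PEM, the text that gets pasted into pfSense.
      openssl req -new -key SplunkWebKey.key -subj "/CN=splunk.lab.example" -out SplunkWeb.csr
      # Steps 5-6 stand-in: a local CA issues the server certificate.
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
          -subj "/CN=Constructed Lab Root CA" -days 30 -out CACert.pem
      openssl x509 -req -in SplunkWeb.csr -CA CACert.pem -CAkey ca.key \
          -CAcreateserial -days 30 -out SplunkWebCert.pem
      # Step 7: server certificate first, CA certificate second.
      cat SplunkWebCert.pem CACert.pem > CombinedCert.pem )
}

# Digest of the public key inside a private key, and inside the FIRST
# certificate of a PEM file (openssl x509 reads only the first one).
key_digest()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256; }
cert_digest() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256; }

# Passes only when the key matches the server certificate, the bundle starts
# with that same certificate, and the certificate chains to the CA.
check_bundle() {  # $1 = certificate directory
    k=$(key_digest "$1/SplunkWebKey.key")
    [ "$k" = "$(cert_digest "$1/SplunkWebCert.pem")" ] &&
    [ "$k" = "$(cert_digest "$1/CombinedCert.pem")" ] &&
    openssl verify -CAfile "$1/CACert.pem" "$1/SplunkWebCert.pem" >/dev/null
}

work=$(mktemp -d)
build_certs "$work"
check_bundle "$work" && echo "bundle OK: $work"
```

For step 8, the `privKeyPath` setting in web.conf would point at the unencrypted key and `serverCert` at CombinedCert.pem. A bundle concatenated in the wrong order fails `check_bundle` because its first certificate carries the CA's public key rather than the server's.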

Thanks for reading.

 


