&*%$# Splunk’ing HTTPs
&*%$# Splunk’ing HTTPs
If it wasn’t for Google deprecating HTTP on browsers, we would probably still be accessing the majority of our Web sites with HTTP. In case you don’t know, HTTP on its own does not have any security on the transmitted data. But that is only part of it, as you cannot tell if you are connecting to a trusted web site. So, there are no excuses, companies need to get a certificate on the site, and migrate towards HTTPs is a default. And so setting up HTTPs was fine for my main Web site, but my Splunk training environment just didn’t want to boot into HTTPs. As we have a new MOOC coming up in Cyber&Data, I had to get HTTPs installed for Splunk, as it doesn’t look good to have a site which trains people about security and can’t even prove its identity.
Splunking HTTPs
You know when you get stuck on something, and it just won’t work? Well, I got stuck with installing a simple certificate on Splunk. So, just in case I get it again, or if someone else struggles with it, here my solution. The first thing I must say is that there are many tutorials which show the setup of a self-signed certificate in Splunk. Please just avoid this, as it has no real credibility these days, and many browsers will mark as a risk, as the server is not identifying itself properly. What we need is a certificate and private key which is signed by a trusted entity.
Basically it works by creating a private key and then generating an associated public key. This public key is sent to the trusted entity with a CSR (Code Signing Request), and they create a signed certificate to say that they have validated the public key. This certificate can then be checked by the client.
The first thing you — possibly — want is to let someone else handle the CSR (Code Signing Request), as you are dealing with a TCP port that certbots don’t quite like. So, for a free certificate, I plumped for ZeroSSL:
You basically go through the main validation steps, and add a .well-known folder into your Web server, along with a given text file:
06/24/2020 08:25 PM <DIR> pki-validation
You check that it can be accessed from your Web site, and then ask ZeroSSL to check. There’s another email validation step for the domain, and finally, a key pair is generated. This is then downloaded as a ZIP with a bundled cert, the public key certificate and the private key:
So, the two files we need are certificate.crt (which has the signed public key) and private.key (which has the RSA private key). Our private key looks like this:
— — -BEGIN RSA PRIVATE KEY — — -
MIIEowIBAAKCAQEAvZI/qMbubcHXNm+hiyL+6agETL+VlKqxWuanNsKi/ecNV3uw
wYD9+8WanEQWCQu798NsojPeB/Jr5wpjvcRfAjxzodSD1i/pvI+xFZKgVYGMXgDu
...
ky13jupH5YiTW0pWPXcczAtpCtB8j4JgTIss5z12lb95kuITMHd0sidT+DyOfNim
hHJVYjeUu1ULJt22PM/YubM/QKCsp5RsGErUIHhXRiA46lOQMIOg
— — -END RSA PRIVATE KEY — — -
and the certificate file:
— — -BEGIN CERTIFICATE — — -
MIIGiDCCBHCgAwIBAgIRAO41nKQZHsufVkpJgSHRLDIwDQYJKoZIhvcNAQEMBQAw
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
U0wgUlNBIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yMDA2MjQwMDAwMDBaFw0y
MDA5MjIyMzU5NTlaMBwxGjAYBgNVBAMTEWFzZWN1cml0eXNpdGUuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvZI/qMbubcHXNm+hiyL+6agETL+V
lKqxWuanNsKi/ecNV3uwwYD9+8WanEQWCQu798NsojPeB/Jr5wpjvcRfAjxzodSD
...
ZAuVB5Fv1MU1cV1kjJeC6lzBgdeYlzkCVSCqzL6aff4+btoGJfPioNZuQZoUee8t
vmeRWplYv++PkxT4OuWKlZneFDdYNFkIuf9xefeZmJOmbab/8q+w5l0kPmypMnpW
GyS4Sc9ON1a1hUA90cJoeprt1nM2UfGuP4KYqIjyugfzMicHYKo7W5t74B3fVg/T
fvaGWy0DipnHeI14gjEVqXpRnECv48iHCLn9/7Kix3T7go8O4CUM76cyTNIEcb5z
0XUpJPYckxV6mHmAL21eLns4u+S9tHB/5quij3b46zGm5TKqL6PbuGtQnDMxFCSg
0qi683tl9cwC4+WsDDlUY+IC2OFBO5AEB8NP9TfatXTK5vvQzKjZzF0GHf/+vdjz
GJ/tyTmx4pqgaIRQmJwyvCiSTK6811Q6PbpTTIKn36AW4cTAZiHx/ySk2PnxlS5X
v0zLiMKJd5eDC+5kZijnfbRGAhqhNCnvqzK5ABSMRjCzYXBD2cOvjIEp3fg=
— — -END CERTIFICATE — — -
To test they match, we determine the modulus (N) for each file:
C:\Program Files\Splunk> openssl rsa -noout -text -in private.key
Private-Key: (2048 bit)
modulus:
00:bd:92:3f:a8:c6:ee:6d:c1:d7:36:6f:a1:8b:22:
fe:e9:a8:04:4c:bf:95:94:aa:b1:5a:e6:a7:36:c2:
a2:fd:e7:0d:57:7b:b0:c1:80:fd:fb:c5:9a:9c:44:
16:09:0b:bb:f7:c3:6c:a2:33:de:07:f2:6b:e7:0a:
63:bd:c4:5f:02:3c:73:a1:d4:83:d6:2f:e9:bc:8f:
b1:15:92:a0:55:81:8c:5e:00:ee:ea:8e:2f:8d:0d:
5f:95:c0:ef:77:47:06:b8:f4:42:df:81:3f:01:0c:
74:ef:b7:4b:ae:ea:37:45:b4:a6:a9:98:62:cf:51:
82:56:c3:83:1c:68:50:e8:dc:36:c0:3e:b7:c1:04:
4e:b7:34:ca:dc:31:14:1c:b2:32:78:0a:1a:36:3b:
b8:94:72:05:08:6c:44:f2:ae:fc:30:3c:c3:13:5d:
ef:b7:bb:3f:d0:44:04:a0:b7:38:ea:c2:9d:15:2f:
bc:f0:bb:49:8b:7d:ef:91:de:74:66:17:86:4c:37:
de:76:e6:f2:4a:82:6c:1d:74:dd:fc:4a:e4:97:44:
bb:a4:cb:c5:69:1b:ac:bf:b4:66:10:99:99:47:93:
7b:fb:33:eb:ea:1e:96:0f:23:2c:62:47:10:05:f0:
01:5c:b0:dd:d9:06:43:cb:f2:86:54:ff:9c:8e:04:
96:e9
publicExponent: 65537 (0x10001)
privateExponent:
7b:90:be:..:a2:a9:ee:2c:1c:92:3a:b2:8e:
98:4b:60:07:b5:eb:37:96:77:2b:2f:83:4e:be:e4:
c9:82:b7:af:98:28:2f:6a:ec:d0:ce:0f:da:55:1c:
79
prime1:
00:e6:f3:68:..:4a:8d:41:78:7f:c5:94:f5:
80:80:eb:24:6f:62:fd:c8:4c:a9:31:1f:fe:eb:05:
dd:93:79:69:be:4c:8d:3a:bb
prime2:
00:d2:21:e5:...:33:70:5f:7f:73:8c:9a:90:
ad:ee:63:85:46:b5:2b:54:ab
exponent1:
00:82:53:..:0f:3a:bf:0d:16:36:9c:
55:c0:9e:18:4d:1a:37:ec:77
exponent2:
42:ed:bc:..:d1:dd:fc:65:ca:4d:4e:
b8:e1:45:ef:f1:80:6d:a5
coefficient:
12:87:f...:18:4a:d4:20:78:57:46:
20:38:ea:53:90:30:83:a0
We now need to convert the CRT file into a PEM format (not that the CRT file is already in a PEM format, so we could just rename it with a PEM extension):
C:\Program Files\Splunk> openssl x509 -in certificate.crt -out certificate.pem -outform PEM
In this case, we are using 2,048-bit RSA keys, and where we have two 1,024 bit numbers (prime1 and prime2). These primes numbers are secret and are used for the decryption process. Next, we test the modulus of the certificate:
C:\Program Files\Splunk> openssl x509 -noout -text -in certificate.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ee:35:9c:a4:19:1e:cb:9f:56:4a:49:81:21:d1:2c:32
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA
Validity
Not Before: Jun 24 00:00:00 2020 GMT
Not After : Sep 22 23:59:59 2020 GMT
Subject: CN=asecuritysite.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bd:92:3f:a8:c6:ee:6d:c1:d7:36:6f:a1:8b:22:
fe:e9:a8:04:4c:bf:95:94:aa:b1:5a:e6:a7:36:c2:
a2:fd:e7:0d:57:7b:b0:c1:80:fd:fb:c5:9a:9c:44:
16:09:0b:bb:f7:c3:6c:a2:33:de:07:f2:6b:e7:0a:
63:bd:c4:5f:02:3c:73:a1:d4:83:d6:2f:e9:bc:8f:
b1:15:92:a0:55:81:8c:5e:00:ee:ea:8e:2f:8d:0d:
5f:95:c0:ef:77:47:06:b8:f4:42:df:81:3f:01:0c:
74:ef:b7:4b:ae:ea:37:45:b4:a6:a9:98:62:cf:51:
82:56:c3:83:1c:68:50:e8:dc:36:c0:3e:b7:c1:04:
4e:b7:34:ca:dc:31:14:1c:b2:32:78:0a:1a:36:3b:
b8:94:72:05:08:6c:44:f2:ae:fc:30:3c:c3:13:5d:
ef:b7:bb:3f:d0:44:04:a0:b7:38:ea:c2:9d:15:2f:
bc:f0:bb:49:8b:7d:ef:91:de:74:66:17:86:4c:37:
de:76:e6:f2:4a:82:6c:1d:74:dd:fc:4a:e4:97:44:
bb:a4:cb:c5:69:1b:ac:bf:b4:66:10:99:99:47:93:
7b:fb:33:eb:ea:1e:96:0f:23:2c:62:47:10:05:f0:
01:5c:b0:dd:d9:06:43:cb:f2:86:54:ff:9c:8e:04:
96:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:C8:D9:78:68:A2:D9:19:68:D5:3D:72:DE:5F:0A:3E:DC:B5:86:86:A
6
X509v3 Subject Key Identifier:
A8:6D:D3:03:4E:29:EF:81:5F:7F:3E:EB:6D:67:15:77:67:3F:07:3D
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.78
CPS: https://sectigo.com/CPS
Policy: 2.23.140.1.2.1
Authority Information Access:
CA Issuers - URI:http://zerossl.crt.sectigo.com/ZeroSSLRSADomain
SecureSiteCA.crt
OCSP - URI:http://zerossl.ocsp.sectigo.com
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
Timestamp : Jun 24 20:30:39.828 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:C0:BB:B6:9F:C0:B1:76:F2:98:0A:62:
E9:96:C4:3B:0E:54:6D:94:76:8E:41:5E:55:66:E9:D4:
AC:F7:4D:9A:85:02:20:19:D3:A0:B2:0D:4E:19:68:01:
43:C5:AE:27:C8:38:78:D8:10:AD:23:6B:ED:AF:87:DA:
74:17:C6:85:BB:EC:46
Signed Certificate Timestamp:
Version : v1(0)
Log ID : E7:12:F2:B0:37:7E:1A:62:FB:8E:C9:0C:61:84:F1:EA:
7B:37:CB:56:1D:11:26:5B:F3:E0:F3:4B:F2:41:54:6E
Timestamp : Jun 24 20:30:39.868 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:95:B8:88:CA:AD:FD:66:72:13:F2:CF:
88:D7:B8:5D:4B:96:45:68:C2:EE:87:EC:1E:8F:85:22:
1D:71:F9:6F:DC:02:20:51:31:E6:3A:D4:53:41:2A:A0:
16:10:FA:33:A5:ED:05:15:81:89:66:6A:8F:90:60:BC:
CE:4A:73:63:94:EA:E3
X509v3 Subject Alternative Name:
DNS:asecuritysite.com, DNS:www.asecuritysite.com
Signature Algorithm: sha384WithRSAEncryption
09:00:94:b7:38:e8:89:02:91:ab:ff:32:ab:78:30:8c:01:26:
f4:95:5f:34:50:2f:f5:27:04:b2:40:b7:23:0b:42:c7:20:4b:
9e:ce:8c:d8:72:c0:62:31:b2:f2:1f:38:e4:9d:e4:31:25:e2:
40:71:d2:ed:50:c0:1e:91:25:6f:9d:85:3d:c8:89:df:18:68:
31:ac:93:97:a6:9d:e3:e4:72:42:27:57:ac:fd:e6:33:33:f5:
54:b5:7c:a4:b5:17:eb:29:85:e2:2e:a3:f1:86:e1:e9:e4:b6:
6f:d3:8a:61:f7:56:6b:4b:67:1e:ab:8c:17:27:b6:c5:5a:bd:
21:bd:0b:0d:a2:d1:64:0b:95:07:91:6f:d4:c5:35:71:5d:64:
8c:97:82:ea:5c:c1:81:d7:98:97:39:02:55:20:aa:cc:be:9a:
7d:fe:3e:6e:da:06:25:f3:e2:a0:d6:6e:41:9a:14:79:ef:2d:
be:67:91:5a:99:58:bf:ef:8f:93:14:f8:3a:e5:8a:95:99:de:
14:37:58:34:59:08:b9:ff:71:79:f7:99:98:93:a6:6d:a6:ff:
f2:af:b0:e6:5d:24:3e:6c:a9:32:7a:56:1b:24:b8:49:cf:4e:
37:56:b5:85:40:3d:d1:c2:68:7a:9a:ed:d6:73:36:51:f1:ae:
3f:82:98:a8:88:f2:ba:07:f3:32:27:07:60:aa:3b:5b:9b:7b:
e0:1d:df:56:0f:d3:7e:f6:86:5b:2d:03:8a:99:c7:78:8d:78:
82:31:15:a9:7a:51:9c:40:af:e3:c8:87:08:b9:fd:ff:b2:a2:
c7:74:fb:82:8f:0e:e0:25:0c:ef:a7:32:4c:d2:04:71:be:73:
d1:75:29:24:f6:1c:93:15:7a:98:79:80:2f:6d:5e:2e:7b:38:
bb:e4:bd:b4:70:7f:e6:ab:a2:8f:76:f8:eb:31:a6:e5:32:aa:
2f:a3:db:b8:6b:50:9c:33:31:14:24:a0:d2:a8:ba:f3:7b:65:
f5:cc:02:e3:e5:ac:0c:39:54:63:e2:02:d8:e1:41:3b:90:04:
07:c3:4f:f5:37:da:b5:74:ca:e6:fb:d0:cc:a8:d9:cc:5d:06:
1d:ff:fe:bd:d8:f3:18:9f:ed:c9:39:b1:e2:9a:a0:68:84:50:
98:9c:32:bc:28:92:4c:ae:bc:d7:54:3a:3d:ba:53:4c:82:a7:
df:a0:16:e1:c4:c0:66:21:f1:ff:24:a4:d8:f9:f1:95:2e:57:
bf:4c:cb:88:c2:89:77:97:83:0b:ee:64:66:28:e7:7d:b4:46:
02:1a:a1:34:29:ef:ab:32:b9:00:14:8c:46:30:b3:61:70:43:
d9:c3:af:8c:81:29:dd:f8
And we see it matches the private key. In this case, a hash of the certificate is signed by the private key of ZeroSSL:
If ZeroSSL has a trusted chain back up to a root certificate, it will be acceptable for Splunk:
Then it was a simple task of placing them into the home Splunk folder and specifying the names of the files in web.conf (in \etc\system\local) and enabling SSL:
[settings]
enableSplunkWebSSL =true
httpport = 8000
privKeyPath = private.key
serverCert = certificate.pem
login_content=This is the Asecuritysite.com Splunk Site. <br/>Please contact [email protected] for a login.
And, after watching the errors in splunkd.log, it all worked after:
splunkd restart
And here it is here:
https://asecuritysite.com:8443/
If you are interested, here is Splunk in action:
Home][ Asecuritysite.com] This provides a foundation in using Splunk for cybersecurity log analysis. The key objectives…asecuritysite.com
And if you are interested in crypto, consider signing up for our distance-learning (part-time) MSc programme: