0

I am new to SSL certs and trying to self sign the certs from forwarder to indexers:

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/HowtoprepareyoursignedcertificatesforSplunk

cat myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > myNewServerCertificate.pem

why will private keys go to a certificate. Per my understanding the only time private key is used is to sign the certs. During the handshake protocol, will the server send private key to client?

Thanks

LazyFatUglyShortQuestionMan
  • 1
  • 2
  • @schroeder: This question has nothing to do with the referred question [What is the use of private key of a SSL certificate?](https://security.stackexchange.com/questions/214455/what-is-the-use-of-private-key-of-a-ssl-certificate). The point is that Splunk documentation uses absolutely wrong wording. – mentallurg Apr 06 '21 at 17:57
  • 1
    "the only time private key is used is to sign the certs" and "will the server send private key to client" are answered in the duplicate, so, yes, this question does have something to do with the referred question. What you *really* want to know is what's going on with the Splunk documentation. You've created an XY Question. – schroeder Apr 06 '21 at 19:11
  • 1
    And you have misread (or misinterpreted) the documentation. That documentation is not about self-signing anything. – schroeder Apr 06 '21 at 19:13

1 Answers1

-1

TLDR

Private key is not a part of certificate. A certificate is a confirmation of some trusted party (CA) that particular public key belongs to particular party.

The documentation of Splunk that you refer uses wrong wording. The file that they create is not a certificate.

Details

Here the documentation says:

Combine your server certificate and public certificate, in that order, into a single PEM file.

This sentence is correct. The resulting file is just a PEM file. But it is not a certificate, it is not a certificate chain, it is just a PEM file that stores different cryptographic objects, in this case it is a private key and one or more certificates from the same certificate chain. There is no common term for this. (And no, a key store is also not a proper name for this store.) There are standard formats for that. For instance, PKCS allows to store bundles of private keys and related certificates (e.g. it could be used to store server certificate and corresponding private key), also it allows to store separate certificates (in case of Splunk this would be a certificate of the CA that issued this certificate, or the chain of CA certificates up to the root CA).

But because of some reason the developers of Splunk decided to use a home grown format. PEM is of course a standard, but the Splunk requirement that this file should contain, in the following order ... in decreasing order of hierarchy, up to the root can make it actually more fragile (in PKCS the order of adding certificates to the store has no meaning at all), can increase the number of configuration errors and thus increase the maintenance costs. On the other hand, if the number of objects in the PEM file is small, like 3-5, it is easy to work with it in any text editor, which maybe easier than dealing with PKCS.

Then the Splunk documentation says:

Here's an example of a properly concatenated certificate:

This sentence is wrong. What they show in documentation is not a certificate.

And this:

the completed certificate file might look like this:

Also this sentence is wrong. What they show in documentation is not a certificate.

The other page looks at the first glance fine. But when you read "Copy the server certificate" or "Absolute path to the certificate" and you remember the previous page, you may be in doubt: Do they mean a certificate file in the common sense, e.g. a file that contains a single certificate, or do they mean "certificate" in the Splunk special wording and actually they mean "a file containing a mix of private key and certificate chain"? From this documentation you cannot know it. Either you need to find better documentation, or try different files to find out what they actually mean.

mentallurg
  • 10,256
  • 5
  • 28
  • 44
  • Thanks. So, what is the correct thing they should have said? is that entire page wrong or some wordings are wrong? I refereed to the next steps of that page https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureSplunkforwardingtousesignedcertificates and the private keys are no where mentioned there. – LazyFatUglyShortQuestionMan Apr 06 '21 at 16:40
  • @LazyFatUglyShortQuestionMan: I have updated the answer. – mentallurg Apr 06 '21 at 18:51
  • It never says that the resulting file is a certificate. All it says is that it is creating a PEM file ... You are making too much of the one phrase "Here's an example of a properly concatenated certificate". It's actually just fine since the certificates are concatenated in the file. And it is a file made up of certificates, so the phrase "the completed certificate file" is just fine. – schroeder Apr 06 '21 at 19:16
  • So there really is no issue here. The instructions are simply how to combine different files into one. The OP merely was interpreting the consequence of doing so incorrectly. – schroeder Apr 06 '21 at 19:18
  • I think as @mentallurg said it is not a certificate or a chain of certificates. dumb splunk documentation. I guess. I should probably read something else instead of following them. They do have have a script which creates default certificates. I am just lost with all SSL thing. I understood, you have a server certificate signed by intermediary, in turn signed by root. and each of their public keys can be used to decrypt the signatures of the following cert. Server send servercert and possibly intermediary as well. And we need to place the root cert at client end. is this correct? – LazyFatUglyShortQuestionMan Apr 06 '21 at 20:27
  • @schroeder: 1) *"It never says that the resulting file is a certificate."* - No. It does. And the best confirmation of the fact that the Splunk documentation is misleading is namely this question. 2) *"It's actually just fine since the certificates are concatenated in the file." - No. Because these are **not only certificates, but also a primary key**. You cannot call it certificate if it contains a primary key. – mentallurg Apr 06 '21 at 22:23
  • @schroeder: 3) *"The instructions are simply how to combine different files into one."* - No. Not "simply", because they use *wrong* words to describe what are they doing. This leads leads to misunderstanding like this question. 4) *"So there really is no issue here."* - No, actually there is an issue, and this question confirms that. The OP addresses the most important consequence of the wrong Splunk wording, which says that *certificate contains a private key*, which would be a nonsence. – mentallurg Apr 06 '21 at 22:23
  • @schroeder: This is not nitpicking, because this is the case when misleading wording leads to time wasting and to questions like this one. Compare it to [the Nginx documentation](https://nginx.org/en/docs/http/configuring_https_servers.html). When they describe similar configuration, they are **very precise**: *"The resulting file should be used in the ssl_certificate directive:"* They don't say "certificate", they say "resulting file", which is a huge difference, because in many cases applications expect that there is a directory where each file represents exactly *one* certificate. – mentallurg Apr 06 '21 at 22:24
  • @LazyFatUglyShortQuestionMan: *"They do have have a script..."* - Having script is good. But before applying it one should understand what will this script do. Applying the script without understanding it may lead to security problems. *"And we need to place the root cert at client end."* - It depends. If the root certificate in the chain belongs to a well-known CA, then there is a chance that it is pre-installed on the client (via OS install, via JRE, etc.) If the CA is not pre-installed, then yes, the root certificate needs to be installed on the client. – mentallurg Apr 06 '21 at 22:38
  • @LazyFatUglyShortQuestionMan: If the client is itself an non-interactiv application, then you have not many options, you need to install rot certificate. If the client interacts with user, then one more options can be (if it is acceptable for your users) to ask if they want to trust particular certificate. – mentallurg Apr 06 '21 at 22:39