does private key go to a ssl certificate?



  • I am new to SSL certs and trying to self-sign the certs from forwarder to indexers:

    https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/HowtoprepareyoursignedcertificatesforSplunk

    cat myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > myNewServerCertificate.pem

    Why would private keys go into a certificate? Per my understanding, the only time the private key is used is to sign the certs. During the handshake protocol, will the server send the private key to the client?

    Thanks



  • TLDR

    A private key is not part of a certificate. A certificate is a confirmation by some trusted party (CA) that a particular public key belongs to a particular party.

    The Splunk documentation that you refer to uses the wrong wording. The file that they create is not a certificate.

    Details

    Here the documentation says:

    Combine your server certificate and public certificate, in that order, into a single PEM file.

    This sentence is correct. The resulting file is just a PEM file. But it is not a certificate, it is not a certificate chain, it is just a PEM file that stores different cryptographic objects, in this case a private key and one or more certificates from the same certificate chain. There is no common term for this. (And no, a key store is also not a proper name for this store.) There are standard formats for that. For instance, PKCS allows storing bundles of private keys and related certificates (e.g. it could be used to store a server certificate and the corresponding private key); it also allows storing separate certificates (in the case of Splunk this would be the certificate of the CA that issued this certificate, or the chain of CA certificates up to the root CA).

    But for some reason the developers of Splunk decided to use a home-grown format. PEM is of course a standard, but the Splunk requirement that this file should contain, in the following order ... in decreasing order of hierarchy, up to the root can make it actually more fragile (in PKCS the order of adding certificates to the store has no meaning at all), can increase the number of configuration errors and thus increase the maintenance costs. On the other hand, if the number of objects in the PEM file is small, like 3-5, it is easy to work with it in any text editor, which may be easier than dealing with PKCS.

    Then the Splunk documentation says:

    Here's an example of a properly concatenated certificate:

    This sentence is wrong. What they show in documentation is not a certificate.

    And this:

    the completed certificate file might look like this:

    Also this sentence is wrong. What they show in documentation is not a certificate.

    The other page looks fine at first glance. But when you read "Copy the server certificate" or "Absolute path to the certificate" and you remember the previous page, you may be in doubt: do they mean a certificate file in the common sense, e.g. a file that contains a single certificate, or do they mean "certificate" in the special Splunk wording, i.e. "a file containing a mix of private key and certificate chain"? From this documentation you cannot know. Either you need to find better documentation, or try different files to find out what they actually mean.
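
As an added example (not from the Splunk docs or from either post above), a small Python checker that parses such a concatenated PEM file, lists which objects are keys and which are certificates, verifies the order the Splunk page asks for, and separates out the certificate-only part, which is all a TLS peer ever receives. The sample bundle and its base64 bodies are constructed placeholders, not real keys or certificates.

```python
import re

# One PEM object: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----" (same label at both ends).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Labels that mark a private key; everything else in a Splunk bundle should be a CERTIFICATE.
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed sample in the order the Splunk page asks for; the base64 bodies are placeholders.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBserverCertificatePlaceholder
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEprivateKeyPlaceholder
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBcaCertificatePlaceholder
-----END CERTIFICATE-----
"""

def pem_labels(bundle: str) -> list[str]:
    """Return the label of every PEM object in the file, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle)]

def check_splunk_bundle(bundle: str) -> list[str]:
    """Check the layout the Splunk page describes: server certificate, its private key,
    then the CA chain. Returns a list of problems; an empty list means the layout matches."""
    labels = pem_labels(bundle)
    if not labels:
        return ["no PEM objects found"]
    problems = []
    keys = [i for i, label in enumerate(labels) if label in PRIVATE_KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if labels[0] != "CERTIFICATE":
        problems.append("first object must be the server certificate")
    if len(keys) == 1 and keys[0] != 1:
        problems.append("private key must directly follow the server certificate")
    if labels.count("CERTIFICATE") < 2:
        problems.append("expected at least one CA certificate after the private key")
    unexpected = sorted(set(labels) - PRIVATE_KEY_LABELS - {"CERTIFICATE"})
    if unexpected:
        problems.append("unexpected object types: " + ", ".join(unexpected))
    return problems

def public_part(bundle: str) -> str:
    """Keep only the certificates: this is all a TLS peer receives; the private key stays on the host."""
    return "".join(m.group(0) + "\n" for m in PEM_BLOCK.finditer(bundle)
                   if m.group(1) not in PRIVATE_KEY_LABELS)
```

Running `check_splunk_bundle` on a file in which the key comes first, or in which a second key has been pasted in, reports the mismatch instead of leaving it to the TLS error at the indexer.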

