How to check status of all SSL certificates in Splunk?

OldManEd — Sun, 07 Jun 2020 19:57:48 GMT

All,

To start with, I am not good with SSL issues. Second, I inherited this instance of Splunk with no documentation of any kind so I'm reverse engineering everything.

That being said, another team in my company sent me the following notice from Hobbit;

SSL certificate for https://nn.nn.nn.nn:8000/ expires in 9 days

Server certificate:
    subject:/CN=<indexer name>/O=SplunkUser
    start date: 2011-08-09 20:55:35 GMT
    expire date:2014-08-08 20:55:35 GMT
    key size:1024
    issuer:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com

I don't know how they set this up or where they are getting this information. So I get on the server and follow a procedure that I received from Splunk support a while ago to regenerate certs;

If you were using the stock certificates, you can regenerate them with this method : 

- to recreate a new splunkweb certificate : 
delete (or move) the files $SPLUNK_HOME/etc/auth/splunkweb/cert.pem and privkey.pem 
and restart splunk 

- to recreate a new splunkd certificate 
delete (or move) the files $SPLUNK_HOME/etc/auth/server.pem 
and restart splunk

I did this but I'm still seeing the Hobbit message. So I run a grep for "[sslConfig]" to see if I can trace down the issue. What I find is this;

In "etc/system/local/server.conf":
    [sslConfig]
    sslKeysfilePassword = <secret code>

In "var/run/splunk/merged/server.conf":
    [sslConfig]
    caCertFile = cacert.pem
    caPath = $SPLUNK_HOME/etc/auth
    certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
    cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    enableSplunkdSSL = true
    sslKeysfile = server.pem
    sslKeysfilePassword = <sceret code>
    supportSSLV3Only = false
    useClientSSLCompression = true
    useSplunkdClientSSLCompression = true

I then look at the "$SPLUNK_HOME/etc/auth/cacert.pem" file and see that it is just over 3 years old. But I don't know if this is where my problem is or not.

What I need to know is how do I check in Splunk what the status is of all my certs, (how old are they etc.) Regenerating what I need will be another issue.

~Ed

Re: How to check status of all SSL certificates in Splunk?

OldManEd — Thu, 31 Jul 2014 14:42:17 GMT

I ran the procedure suggested by Splunk support a second time, and it worked. I don't know why. I guess I can blame it on Solar Flares. The message now reads;

SSL certificate for https://nn.nn.nn.nn:8000/ expires in 1095 days

Server certificate:
    subject:/CN=<indexer name>/O=SplunkUser
    start date: 2014-07-31 14:23:43 GMT
    expire date:2017-07-30 14:23:43 GMT
    key size:1024
    issuer:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com

Re: How to check status of all SSL certificates in Splunk?

chris — Thu, 19 Oct 2017 06:54:56 GMT

What procedure/command do you run to get this output?

Re: How to check status of all SSL certificates in Splunk?

dbturner18 — Wed, 25 Mar 2020 14:54:54 GMT

That output is produced from Hobbit, not Splunk. Hobbit is a variant of BigBrother. I just realized the date on your question. Well I hope this helps anyway. 😄

http://hobbit.math.cnrs.fr/hobbit/help/about.html

topic How to check status of all SSL certificates in Splunk? in Security

How to check status of all SSL certificates in Splunk?

Re: How to check status of all SSL certificates in Splunk?

Re: How to check status of all SSL certificates in Splunk?

Re: How to check status of all SSL certificates in Splunk?