All Apps and Add-ons

Splunk Universal Forwarder SSL Error


We have a few very old machines running UF version 6.2.X. [No, upgrading the UF/OS cannot happen] The certificate just recently expired and we are attempting to rectify the issue. My question is: does the certificate only have to be reissued to the indexers (I have read this in previous answers)? Or do I need to reissue certs to all the expired UFs, as well? 

If the latter question is the answer, what is the best way to go about it? Ship the certs with a new outputs.conf pointing to the new certs resident in that app? Or use SCCM and our in-house CA to issue new certs and set outputs.conf to point to that cert?

I appreciate any help!

Labels (3)
0 Karma



It depends on your current configuration. In general, UF & Indexers have their own certs. So, you need to figure out which cert is expired?

Assuming both are expired, you can follow one of the below mentioned configurations

1) You can request one cert for all UFs & one for all indexers (with the same sslCommonName). 

2) You can request one cert for all UFs & one for each indexer (with unique sslCommonName). 

Please refer splunk documentation for more details.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...