Deployment Architecture

Splunk server certificates are expired

Ruchi
Engager

Hi ,

I am new to Splunk administation and getting KV store errors. After checking mongod.log, found that the SSL and server certificates are expired.

We have a clustered environment :

SHC -sh1 and sh2

IDXC -sh1 acting as idx1, idx2, idx3

Stand alone acting as DS and LM

One Cluster Master and one HF.

We using Solunk 6.3 version and I  not sure if ssl communication is enabled between splunk servers or not. 

Could you please help me with the below:

1) How to check if ssl communication is enabled between splunk servers

2) how to check if the existing certificates are default or self signed or third party generated 

3) How to renew server certificates on each splunk instance, to fix the kv store errors

Many thanks!! 

Labels (1)
Tags (2)
0 Karma

impurush
Contributor

Follow this answer to find out the renewal of the SSL certificate.

https://community.splunk.com/t5/Security/How-do-I-renew-an-expired-Splunk-Certificate/m-p/389701

0 Karma

Ruchi
Engager

Thank you @impurush . Another doubt now, is this process applicable irrespective of type of certificate (self signed or third party generated)?

 

0 Karma

impurush
Contributor

Hi @Ruchi, in the case of third-party certificates, it will be the same except for the renewal part. You need to renew the certificate with your employer or from which third-party certificate you got.

0 Karma

Ruchi
Engager

Is there anyway to identify it is self signed or third party generated? This environment was built long back and there is no document to refer. 

0 Karma

impurush
Contributor

You can run the below command under the /etc/auth folder or where your certificate is placed.

openssl x509 -in server.pem -text -noout|grep -i CN

With the information, you can find out the certificate is Splunk default certificate or third party certificate.

Splunk uses the Splunk self signed certificate for the SSL communication by default.

Ruchi
Engager

Thank you so much @impurush

I could see that the CN is SplunkServerDefaultCert. 

0 Karma

impurush
Contributor

Hi @Ruchi, Happy to help. Could you please accept the answer, so that this thread can be marked as closed. Thanks

0 Karma