Deployment Architecture

Splunk server certificates are expired

Ruchi
Explorer

Hi ,

I am new to Splunk administation and getting KV store errors. After checking mongod.log, found that the SSL and server certificates are expired.

We have a clustered environment :

SHC -sh1 and sh2

IDXC -sh1 acting as idx1, idx2, idx3

Stand alone acting as DS and LM

One Cluster Master and one HF.

We using Solunk 6.3 version and I  not sure if ssl communication is enabled between splunk servers or not. 

Could you please help me with the below:

1) How to check if ssl communication is enabled between splunk servers

2) how to check if the existing certificates are default or self signed or third party generated 

3) How to renew server certificates on each splunk instance, to fix the kv store errors

Many thanks!! 

Labels (1)
Tags (2)
0 Karma
1 Solution

impurush
Contributor
0 Karma

impurush
Contributor

Follow this answer to find out the renewal of the SSL certificate.

https://community.splunk.com/t5/Security/How-do-I-renew-an-expired-Splunk-Certificate/m-p/389701

0 Karma

Ruchi
Explorer

Thank you @impurush . Another doubt now, is this process applicable irrespective of type of certificate (self signed or third party generated)?

 

0 Karma

impurush
Contributor

Hi @Ruchi, in the case of third-party certificates, it will be the same except for the renewal part. You need to renew the certificate with your employer or from which third-party certificate you got.

0 Karma

Ruchi
Explorer

Is there anyway to identify it is self signed or third party generated? This environment was built long back and there is no document to refer. 

0 Karma

impurush
Contributor

You can run the below command under the /etc/auth folder or where your certificate is placed.

openssl x509 -in server.pem -text -noout|grep -i CN

With the information, you can find out the certificate is Splunk default certificate or third party certificate.

Splunk uses the Splunk self signed certificate for the SSL communication by default.

Ruchi
Explorer

Thank you so much @impurush

I could see that the CN is SplunkServerDefaultCert. 

0 Karma

impurush
Contributor

Hi @Ruchi, Happy to help. Could you please accept the answer, so that this thread can be marked as closed. Thanks

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...