Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Generate Splunk Cert with "bin/splunk createssl server-cert" including Server Alternative Name (SAN)

stehsa
Engager
‎08-28-2025 02:12 AM

Hey,

i am trying to connect from EDGE Processor to my Splunk Server and iam getting the following error:

/opt/splunk-edge/bin/splunk-edge onboard

Error: Post "https://server:8089/servicesNS/nobody/splunk_pipeline_builders/tenant/agent-management/v1/agents/splunk-edge/ID/register": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
2025/08/28 11:07:47 Post "https://server:8089/servicesNS/nobody/splunk_pipeline_builders/tenant/agent-management/v1/agents/splunk-edge/ID/register": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead

 

The Certificate is generated with the following command:

/opt/splunk/bin/splunk createssl server-cert -d etc/auth -n server -c <server-name>

 

The cnf file used by this command is:

/opt/splunk/share/openssl3/openssl.cnf

Does anyone know how to include the SAN in the default certs?

I am onPrem and using Splunk 10

 

Stefan

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎08-28-2025 05:43 AM

Hi @stehsa 

As far as I know there are no params to send to createssl to configure the SAN but you could edit the config file to do it, I haven’t tried this personally as I usually use OpenSSL but the following could work with a few tweaks to your org/dns etc. 

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
OU = IT Department
CN = your-server-name

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = your-server-name
DNS.2 = server
DNS.3 = localhost
IP.1 = 192.168.1.100
IP.2 = 127.0.0.1

 

alternatively you could use OpenSSL commands directly:

# Generate private key
openssl genrsa -out /opt/splunk/etc/auth/server.key 2048

# Generate certificate with SAN in one command
openssl req -new -x509 -key /opt/splunk/etc/auth/server.key -out /opt/splunk/etc/auth/server.pem -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=your-server-name" -addext "subjectAltName=DNS:your-server-name,DNS:server,DNS:localhost,IP:127.0.0.1"

 

 

 

🌟 Did this answer help you? If so, please consider:

    • Adding karma to show it was useful
    • Marking it as the solution if it resolved your issue
    • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Reply

stehsa
Engager
‎08-29-2025 02:42 AM

Thanks @livehybrid 🙂
I will try it next week.

A bit more context, i need this for the stanza [sslConfig] which is responsible for Splunk internal communication. And until now i did not manage to to make it work with other certs than the default generated one. 
I will give it another try and get back to you.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...