Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Generate Splunk Cert with "bin/splunk createssl se...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generate Splunk Cert with "bin/splunk createssl server-cert" including Server Alternative Name (SAN)
Hey,
i am trying to connect from EDGE Processor to my Splunk Server and iam getting the following error:
/opt/splunk-edge/bin/splunk-edge onboard
Error: Post "https://server:8089/servicesNS/nobody/splunk_pipeline_builders/tenant/agent-management/v1/agents/splunk-edge/ID/register": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
2025/08/28 11:07:47 Post "https://server:8089/servicesNS/nobody/splunk_pipeline_builders/tenant/agent-management/v1/agents/splunk-edge/ID/register": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
The Certificate is generated with the following command:
/opt/splunk/bin/splunk createssl server-cert -d etc/auth -n server -c <server-name>
The cnf file used by this command is:
/opt/splunk/share/openssl3/openssl.cnfDoes anyone know how to include the SAN in the default certs?
I am onPrem and using Splunk 10
Stefan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @stehsa
As far as I know there are no params to send to createssl to configure the SAN but you could edit the config file to do it, I haven’t tried this personally as I usually use OpenSSL but the following could work with a few tweaks to your org/dns etc.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
OU = IT Department
CN = your-server-name
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = your-server-name
DNS.2 = server
DNS.3 = localhost
IP.1 = 192.168.1.100
IP.2 = 127.0.0.1
alternatively you could use OpenSSL commands directly:
# Generate private key
openssl genrsa -out /opt/splunk/etc/auth/server.key 2048
# Generate certificate with SAN in one command
openssl req -new -x509 -key /opt/splunk/etc/auth/server.key -out /opt/splunk/etc/auth/server.pem -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=your-server-name" -addext "subjectAltName=DNS:your-server-name,DNS:server,DNS:localhost,IP:127.0.0.1"
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @livehybrid 🙂
I will try it next week.
A bit more context, i need this for the stanza [sslConfig] which is responsible for Splunk internal communication. And until now i did not manage to to make it work with other certs than the default generated one.
I will give it another try and get back to you.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
