Security

How can we renew this certificate with a third-party signed certificate?

UnivLyon2
Explorer

Hello,

We use Splunk 6.2.0 and the server.pem certificate will expire in 10 days:

openssl x509 -in /opt/splunk/etc/auth/server.pem -text -noout | grep "Not After"

        Not After : Dec 16 12:11:46 2017 GMT

How can we renew this certificate with a third-party signed certificate?

Thanks in advance!

Best regards,
Marc


harsmarvania57
Ultra Champion

If you do not want to renew this certificate from a 3rd party, then you can use the commands below, but if you are using SSL communication between Splunk servers, then you need to go through the documentation/process properly.

# $SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n SplunkServerDefaultCert
# cd $SPLUNK_HOME/etc/auth
# mv server.pem server.pem.orig
# mv SplunkServerDefaultCert.pem server.pem
# openssl x509 -in server.pem -text


esalesapns2
Communicator

Or (on Splunk 7.3.2) you could run these commands to create a cert with a new expiration date:

$ mv /opt/splunk/etc/auth/server.pem /opt/splunk/etc/auth/server.pem,expired
$ splunk createssl server-cert -d /opt/splunk/etc/auth -n server.pem
0 Karma

esalesapns2
Communicator

Apologies, this will create a file named server.pem.pem that you will have to move to server.pem. You can omit the ".pem" from the end of the second command to save having to do this step.

0 Karma

vishaltaneja070
Motivator

Best way to fix the issue is:
1. Run the command: $SPLUNK_HOME/bin/openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
2. Check the expiry date in the output; if it has expired, do the steps below:
3. Go to $SPLUNK_HOME/etc/auth/
4. Rename server.pem to server.pem_backup
5. Restart Splunk using the command ./splunk restart
6. After the restart you will be able to see a new server.pem file.
7. Check the expiry date of the certificate now using the command: $SPLUNK_HOME/bin/openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
8. The expiry date will be extended.

deejeta
Engager

Thanks for this method, worked like a charm mate.

I had a heap of KV_STORE errors that no amount of cleaning was fixing. This though did the trick.

Anyone know if there is anything in the internal index that shows such expired internal certs?

0 Karma

kamal_jagga
Contributor

This was easy.
Thank you.

0 Karma

jbillings
Path Finder

I wish I could upvote more than once. Worked great. I feel like this should be better monitored by Splunk and alerted upon when nearing expiration. Going to create our own alerting for these. Does the server.pem need to be renewed on universal forwarders also?

0 Karma
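
Added example (not from any poster in this thread, and not Splunk's own tooling): a cron-able check that turns the `openssl x509 -enddate` command used above into the kind of expiry alerting mentioned in the preceding post. It assumes GNU date and openssl on PATH; the function names and the warning threshold are illustrative.

```shell
#!/bin/sh
# Added example: warn before Splunk's internal certificates expire.
# Assumptions: GNU date, openssl on PATH; function names are hypothetical.
# Usage: check_certs.sh 30 /opt/splunk/etc/auth/server.pem [more.pem ...]

# Convert an `openssl x509 -enddate -noout` line, e.g.
#   notAfter=Dec 16 12:11:46 2017 GMT
# to epoch seconds. Returns non-zero if the line is not in that form.
enddate_to_epoch() {
    case $1 in
        notAfter=*) date -u -d "${1#notAfter=}" +%s 2>/dev/null ;;
        *) return 1 ;;
    esac
}

# args: enddate-line  now-epoch  warn-days
# Prints OK/WARN with whole days left, EXPIRED, or UNREADABLE.
# Returns 0 only for OK so the result can drive an alert.
cert_status() {
    local end left
    end=$(enddate_to_epoch "$1") || { echo UNREADABLE; return 2; }
    # Compare seconds, not days: integer division would hide a cert
    # that expired less than a day ago.
    if [ "$end" -le "$2" ]; then echo EXPIRED; return 1; fi
    left=$(( (end - $2) / 86400 ))
    if [ "$left" -lt "$3" ]; then echo "WARN ${left}d"; return 1; fi
    echo "OK ${left}d"
}

# args: warn-days  file...
# For a PEM bundle, openssl reads the first certificate in the file.
check_splunk_certs() {
    local warn rc f line status
    warn=$1; rc=0; shift
    for f in "$@"; do
        line=$(openssl x509 -enddate -noout -in "$f" 2>/dev/null)
        status=$(cert_status "$line" "$(date +%s)" "$warn") || rc=1
        printf '%s: %s\n' "$f" "$status"
    done
    return $rc
}

# Only scan when files were passed on the command line.
if [ "$#" -gt 0 ]; then
    check_splunk_certs "$@"
fi
```

The script exits non-zero when any listed certificate is expired, unreadable, or inside the warning window, so a scheduler or monitoring agent can alert on the exit code.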

hankfoss
Engager

You did it! I appreciate the help, this post was the gold at the end of the rainbow.

Worth the search!

-HLF

rohitvjoshi
Path Finder

My Splunkweb certificates are expiring. Will the solution be the same, or do we have to change anything? I tried it for server.pem and it works.

Thanks

vishaltaneja070
Motivator

@rohitvjoshi
It will be the same.

0 Karma

vishaltaneja070
Motivator

@kamal_jagga

Please upvote the answer if it works.

0 Karma

abhib89
Explorer

worked like a charm

0 Karma

vishaltaneja070
Motivator

@abhib89
Please upvote the answer if it works.

0 Karma

bsezari
Engager

@harsmarvania57  I found your solution more relevant to my case.

I need to renew the RSA password; is it possible to change RSA password during server.pem renewal?

0 Karma

UnivLyon2
Explorer

We use a 3rd-party certificate for HTTPS access; however, here we need to renew the Splunk internal certificate server.pem.

0 Karma

harsmarvania57
Ultra Champion

If this is an internal certificate, then you can follow the steps which I have provided above. If you are still afraid to run those, then you can test something like this, which will create the certificate in the /tmp/ directory:

# cp  $SPLUNK_HOME/etc/auth/ca.pem /tmp/
# cp  $SPLUNK_HOME/etc/auth/cacert.pem /tmp/
# $SPLUNK_HOME/bin/splunk createssl server-cert -d /tmp/ -n SplunkServerDefaultCert 
# openssl x509 -in /tmp/SplunkServerDefaultCert.pem -text

I already performed the given steps in my lab environment because my server.pem had expired and, due to that, kvstore was complaining. The plus point was that in my lab environment I am not using SSL communication between Splunk instances, so I didn't look into it too much; I renewed the certificate and restarted Splunk.

kannu
Communicator

@harsmarvania57 Would those steps work on a Windows system as well?

0 Karma

harsmarvania57
Ultra Champion

I never tried it on Windows, but you can try it on a standalone test box. You need to replace bin/splunk with bin/splunk.exe.

0 Karma

UnivLyon2
Explorer

Hi,

Thank you for your reply.
I could renew the server.pem as shown below:
$SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n server -c cn.domain.com -l 2048

nickhills
Ultra Champion

Great news!
Please be sure to accept the answer from @harsmarvania57 and upvote!

If my comment helps, please give it a thumbs up!
0 Karma