Hello,
We use Splunk 6.2.0 and the server.pem certificate will expire in 10 days:
Not After : Dec 16 12:11:46 2017 GMT
How can we renew this certificate with a third-party signed certificate?
Thanks in advance!
Best regards,
Marc
If you do not want to renew this certificate from a 3rd party, then you can use the commands below, but if you are using SSL communication between Splunk servers then you need to go through the documentation/process properly.
# $SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n SplunkServerDefaultCert
# mv server.pem server.pem.orig
# mv SplunkServerDefaultCert.pem server.pem
# openssl x509 -in server.pem -text
Or (on Splunk 7.3.2) you could run these commands to create a cert with a new expiration date:
$ mv /opt/splunk/etc/auth/server.pem /opt/splunk/etc/auth/server.pem,expired
$ splunk createssl server-cert -d /opt/splunk/etc/auth -n server.pem
Apologies, this will create a file named server.pem.pem that you will have to move to server.pem. You can omit the ".pem" from the end of the second command to save having to do this step.
The best way to fix the issue is:
1. Run the command: $SPLUNK_HOME\bin\openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
2. Check the expiry date in the output; if it has expired, then do the steps below:
3. Go to $SPLUNK_HOME\etc\auth\
4. Rename server.pem to server.pem_backup
5. Restart Splunk using the command ./splunk restart
6. After the restart you will be able to see a new server.pem file.
7. Check the expiry date of the certificate now using the command: $SPLUNK_HOME\bin\openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
8. The expiry date will be extended.
Thanks for this method, worked like a charm mate.
I had a heap of KV_STORE errors that no amount of cleaning was fixing. This though did the trick.
Anyone know if there is anything in the internal index that shows such expired internal certs?
This was easy.
Thank you.
I wish I could upvote more than once. Worked great. I feel like this should be better monitored by Splunk and alerted upon when nearing expiration. Going to create our own alerting for these. Does the server.pem need to be renewed on universal forwarders also?
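An added example, not part of the original thread and not Splunk's own tooling: one way to build the expiry alerting mentioned above on the same `openssl x509 -enddate` check the answer uses. The function names, the `WARN_DAYS` variable and its 30-day default are assumptions, and the script assumes GNU `date`.

```bash
#!/usr/bin/env bash
# Added example: warn before a Splunk PEM certificate expires.
# Assumptions: GNU date (for `date -d`) and an openssl binary on PATH.

# cert_status "<notAfter text>" <warn_days> [now_epoch]
# Prints EXPIRED, "WARN <days>" or "OK <days>"; now_epoch defaults to now.
cert_status() {
    cs_end=$(date -u -d "$1" +%s) || return 2
    cs_now=${3:-$(date -u +%s)}
    cs_left=$(( cs_end - cs_now ))
    if [ "$cs_left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$cs_left" -le $(( $2 * 86400 )) ]; then
        echo "WARN $(( cs_left / 86400 ))"
    else
        echo "OK $(( cs_left / 86400 ))"
    fi
}

# check_cert <pem_file> <warn_days>
# Returns 0 if healthy, 1 if expiring or expired, 2 if unreadable.
check_cert() {
    # openssl prints e.g. "notAfter=Dec 16 12:11:46 2017 GMT"
    cc_line=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null) || {
        echo "$1: UNREADABLE"; return 2; }
    cc_status=$(cert_status "${cc_line#notAfter=}" "$2") || {
        echo "$1: UNPARSEABLE DATE"; return 2; }
    echo "$1: $cc_status"
    case $cc_status in OK*) return 0 ;; *) return 1 ;; esac
}

# main <pem_file>...  e.g. main "$SPLUNK_HOME/etc/auth/server.pem"
main() {
    m_rc=0
    for m_pem in "$@"; do
        check_cert "$m_pem" "${WARN_DAYS:-30}" || m_rc=1
    done
    return "$m_rc"
}

main "$@"
```

Run it on a schedule with the PEM paths as arguments; a non-zero return means at least one certificate is expired, close to expiry, or could not be read.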
You did it! I appreciate the help, this post was the gold at the end of the rainbow.
Worth the search!
-HLF
My Splunkweb certificates are expiring. Will the solution be the same, or do we have to change anything? I tried it for server.pem and it works.
Thanks
@rohitvjoshi
It will be the same.
@kamal_jagga
Please upvote the answer if it works.
worked like a charm
@abhib89
Please upvote the answer if it works.
@harsmarvania57 I found your solution more relevant to my case.
I need to renew the RSA password; is it possible to change RSA password during server.pem renewal?
We use a 3rd party certificate for HTTPS access; however, here we need to renew the Splunk internal certificate server.pem.
If this is an internal certificate then you can follow the steps which I have provided above. If you are still afraid to run those then you can test something like this, which will create the certificate in the /tmp/ directory:
# cp $SPLUNK_HOME/etc/auth/ca.pem /tmp/
# cp $SPLUNK_HOME/etc/auth/cacert.pem /tmp/
# $SPLUNK_HOME/bin/splunk createssl server-cert -d /tmp/ -n SplunkServerDefaultCert
# openssl x509 -in /tmp/SplunkServerDefaultCert.pem -text
I already performed the given steps in my lab environment because my server.pem was expired and due to that kvstore was complaining. But the plus point was that in my lab environment I am not using SSL communication between Splunk instances, so I didn't look into it too much; I renewed the certificate and restarted Splunk.
@harsmarvania57 Would those steps work for a Windows system as well?
I never tried on Windows but you can try on a standalone test box. You need to replace bin/splunk with bin/splunk.exe
Hi,
Thank you for your reply.
I could renew the server.pem like below:
$SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n server -c cn.domain.com -l 2048
Great news!
Please be sure to accept the answer from @harsmarvania57 and upvote!