- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We use Splunk 6.2.0 and the server.pem certificate will be expired in 10 days:
openssl x509 -in /opt/splunk/etc/auth/server.pem -text -noout | grep "Not After"
Not After : Dec 16 12:11:46 2017 GMT
How can we renew this certificate with a third-party signed certificate ?
Thanks in advance !
Best regards,
Marc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![harsmarvania57 harsmarvania57](https://community.splunk.com/legacyfs/online/avatars/290085.jpg)
If you do not want to renew this certificate from 3rd party then you can use below command but if you are using SSL communication between Splunk server then you need to go through documentation/process properly.
# $SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n SplunkServerDefaultCert
# mv server.pem server.pem.orig
# mv SplunkServerDefaultCert.pem server.pem
# openssl x509 -in server.pem -text
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![esalesapns2 esalesapns2](https://community.splunk.com/legacyfs/online/avatars/542168.jpg)
Or (on Splunk 7.3.2) you could run these commands to create a cert with a new expiration date:
$ mv /opt/splunk/etc/auth/server.pem /opt/splunk/etc/auth/server.pem,expired
$ splunk createssl server-cert -d /opt/splunk/etc/auth -n server.pem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![esalesapns2 esalesapns2](https://community.splunk.com/legacyfs/online/avatars/542168.jpg)
Apologies, this will create a file named server.pem.pem
that you will have to move to server.pem
. You can omit the ".pem" from the end of the second command to save having to do this step.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best way to fix the issue is:
1. Run the command: $SPLUNK_HOME\bin\openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
2. Check the expiry date of output if expired then do the below steps:
3. Go to $SPLUNK_HOME\etc\auth\
4. Rename server.pem to server.pem_backup
5. Restart the splunk using command ./splunk restart
6. After restart you will be able to see a new server.pem file.
7. Check the expiry date of Certificate now using command: $SPLUNK_HOME\bin\openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
8. The expiry date will be extended.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this method, worked like a charm mate.
I had a heap of KV_STORE errors that no amount of cleaning was fixing. This though did the trick.
Anyone know if there is anything in the internal index that shows such expired internal certs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This was easy.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wish I could upvote more than once. Worked great. I feel like this should be better monitored by Splunk and alerted upon when nearing expiration. Going to create our own alerting for these. Does the server.pem need to be renewed on universal forwarders also?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You did it! I appreciate the help, this post was the gold at the end of the rainbow.
Worth the search!
-HLF
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![rohitvjoshi rohitvjoshi](https://community.splunk.com/legacyfs/online/avatars/503511.jpg)
My Splunkweb certificates are expiring , Solution will be same or we have to change anything. I tried for server.pem it works .
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@rohitvjoshi
It will be same
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kamal_jagga
Please upvote the answer if it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
worked like a charm
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@abhib89
Please upvote the answer if it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![harsmarvania57 harsmarvania57](https://community.splunk.com/legacyfs/online/avatars/290085.jpg)
If you do not want to renew this certificate from 3rd party then you can use below command but if you are using SSL communication between Splunk server then you need to go through documentation/process properly.
# $SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n SplunkServerDefaultCert
# mv server.pem server.pem.orig
# mv SplunkServerDefaultCert.pem server.pem
# openssl x509 -in server.pem -text
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harsmarvania57 I found your solution more relevant to my case.
I need to renew the RSA password; is it possible to change RSA password during server.pem renewal?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We use 3rd party certificate for https access however here we need to renew splunk internal certificate server.pem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![harsmarvania57 harsmarvania57](https://community.splunk.com/legacyfs/online/avatars/290085.jpg)
If this is internal certificate then you can follow steps which I have provided above, if you still afraid to run those then you can test something like this which will create cerificate in /tmp/ directory
# cp $SPLUNK_HOME/etc/auth/ca.pem /tmp/
# cp $SPLUNK_HOME/etc/auth/cacert.pem /tmp/
# $SPLUNK_HOME/bin/splunk createssl server-cert -d /tmp/ -n SplunkServerDefaultCert
# openssl x509 -in /tmp/SplunkServerDefaultCert.pem -text
I already performed given steps in my lab environment because my server.pem was expired and due to that kvstore was complaining. But plus point was that, in my lab environment I am not using SSL communication between Splunk instances so I didn't looked into too much, renewed certificate and restarted splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![kannu kannu](https://community.splunk.com/legacyfs/online/avatars/474557.jpg)
@harsmarvania57 . Would that steps work for windows system as well .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![harsmarvania57 harsmarvania57](https://community.splunk.com/legacyfs/online/avatars/290085.jpg)
I never tried on windows but you can try on standalone test box. You need to replace bin/splunk
with bin/splunk.exe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you for your reply.
I could renew the server.pem like below :
$SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n server -c cn.domain.com -l 2048
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![nickhills nickhills](https://community.splunk.com/legacyfs/online/avatars/108467.jpg)
Great news!
Please be sure to accept the answer from @harsmarvania57 and upvote!
![](/skins/images/5D2DD17C284106BFBF80528D01D8AA1A/responsive_peak/images/icon_anonymous_message.png)