This will create new web-keys with the same default names (privkey.pem and cert.pem) in the directory you want to run it. I simply CD’d into /etc/auth/splunkweb/ and ran it. This way you don’t need to move anything or change anything in web.conf.
# /opt/splunk/bin/splunk createssl web-cert 3072
Other options are:
# /opt/splunk/bin/splunk restart
To use a shiny new fancy issued cert, simply drop it in the /etc/auth/splunkweb/ directory and make sure web.conf points to the right names. Restart.