Renewing server.pem certificate

Explorer

Hello,

We use Splunk 6.2.0 and the server.pem certificate will expire in 10 days:

openssl x509 -in /opt/splunk/etc/auth/server.pem -text -noout | grep "Not After"

        Not After : Dec 16 12:11:46 2017 GMT

How can we renew this certificate with a third-party signed certificate?

Thanks in advance!

Best regards,
Marc

0 Karma

SplunkTrust

If you do not want to renew this certificate through a 3rd party, you can use the commands below, but if you are using SSL communication between Splunk servers, you need to go through the documentation/process properly.

# $SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n SplunkServerDefaultCert
# mv server.pem server.pem.orig
# mv SplunkServerDefaultCert.pem server.pem
# openssl x509 -in server.pem -text

Path Finder

Or (on Splunk 7.3.2) you could run these commands to create a cert with a new expiration date:

$ mv /opt/splunk/etc/auth/server.pem /opt/splunk/etc/auth/server.pem,expired
$ splunk createssl server-cert -d /opt/splunk/etc/auth -n server.pem
0 Karma

Path Finder

Apologies, this will create a file named server.pem.pem that you will have to move to server.pem. You can omit the ".pem" from the end of the second command to save having to do this step.

0 Karma

Motivator

Best way to fix the issue is:
1. Run the command: $SPLUNK_HOME\bin\openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
2. Check the expiry date in the output; if it has expired, do the steps below:
3. Go to $SPLUNK_HOME\etc\auth\
4. Rename server.pem to server.pem_backup
5. Restart Splunk using the command ./splunk restart
6. After the restart you will be able to see a new server.pem file.
7. Check the expiry date of the certificate now using the command: $SPLUNK_HOME\bin\openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
8. The expiry date will be extended.

Engager

Thanks for this method, worked like a charm mate.

I had a heap of KV_STORE errors that no amount of cleaning was fixing. This though did the trick.

Anyone know if there is anything in the internal index that shows such expired internal certs?

0 Karma

Contributor

This was easy.
Thank you.

0 Karma

SplunkTrust

I wish I could upvote more than once. Worked great. I feel like this should be better monitored by Splunk and alerted upon when nearing expiration. Going to create our own alerting for these. Does the server.pem need to be renewed on universal forwarders also?

0 Karma
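
An expiry check of the kind asked for above, as an added example that is not from any poster in this thread. It builds on the `openssl x509 -enddate` check used earlier and on `-checkend`; the function names and the 30-day warning window are assumptions, and the demo certificate is constructed, not a real Splunk certificate.

```shell
#!/bin/sh
# Added example: flag PEM certificates that expire within a warning window.

# cert_status FILE [DAYS] -> prints OK, EXPIRING, EXPIRED or UNREADABLE.
# openssl x509 reads the first certificate found in FILE.
cert_status() {
    cert=$1
    days=${2:-30}
    # Files that hold no parsable certificate (e.g. key-only PEMs) are skipped.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# scan_auth_dir DIR [DAYS] -> one "status<TAB>notAfter<TAB>file" line per *.pem;
# returns 1 if any certificate is EXPIRING or EXPIRED, so cron can alert on it.
scan_auth_dir() {
    dir=$1; days=${2:-30}; rc=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        st=$(cert_status "$f" "$days")
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$st" "${end:--}" "$f"
        [ "$st" = OK ] || [ "$st" = UNREADABLE ] || rc=1
    done
    return $rc
}

# make_sample_cert DIR DAYS -> constructed self-signed cert for the demo only.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed.example" \
        -keyout "$1/server.key" -out "$1/server.pem" >/dev/null 2>&1
}

# Demo: a certificate with 10 days left, checked against a 30-day window.
tmp=$(mktemp -d)
make_sample_cert "$tmp" 10
scan_auth_dir "$tmp" 30 || echo "renewal needed in $tmp"
rm -rf "$tmp"
```

On a real host, point `scan_auth_dir` at the auth directory named in this thread (for example `/opt/splunk/etc/auth`) and alert on a non-zero return.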

Engager

You did it! I appreciate the help, this post was the gold at the end of the rainbow.

Worth the search!

-HLF

Path Finder

My Splunkweb certificates are expiring. Will the solution be the same, or do we have to change anything? I tried it for server.pem and it works.

Thanks

Motivator

@rohitvjoshi
It will be the same.

0 Karma

Motivator

@kamal_jagga

Please upvote the answer if it works.

0 Karma

Explorer

worked like a charm

0 Karma

Motivator

@abhib89
Please upvote the answer if it works.

0 Karma

Explorer

We use a 3rd party certificate for HTTPS access; however, here we need to renew the Splunk internal certificate server.pem.

0 Karma

SplunkTrust

If this is an internal certificate then you can follow the steps which I have provided above. If you are still afraid to run those, you can test with something like this, which will create the certificate in the /tmp/ directory:

# cp  $SPLUNK_HOME/etc/auth/ca.pem /tmp/
# cp  $SPLUNK_HOME/etc/auth/cacert.pem /tmp/
# $SPLUNK_HOME/bin/splunk createssl server-cert -d /tmp/ -n SplunkServerDefaultCert 
# openssl x509 -in /tmp/SplunkServerDefaultCert.pem -text

I already performed the given steps in my lab environment because my server.pem had expired and, due to that, kvstore was complaining. But the plus point was that in my lab environment I am not using SSL communication between Splunk instances, so I didn't look into it too much; I renewed the certificate and restarted Splunk.

Path Finder

@harsmarvania57 Would those steps work on Windows systems as well?

0 Karma

SplunkTrust

I never tried on Windows, but you can try on a standalone test box. You need to replace bin/splunk with bin/splunk.exe

0 Karma

Explorer

Hi,

Thank you for your reply.
I could renew the server.pem like below:
$SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n server -c cn.domain.com -l 2048

Ultra Champion

Great news!
Please be sure to accept the answer from @harsmarvania57 and upvote!

0 Karma
