Renewing server.pem certificate

Explorer

Hello,

We use Splunk 6.2.0 and the server.pem certificate will expire in 10 days:

openssl x509 -in /opt/splunk/etc/auth/server.pem -text -noout | grep "Not After"

        Not After : Dec 16 12:11:46 2017 GMT

How can we renew this certificate with a third-party signed certificate?

Thanks in advance!

Best regards,
Marc


Re: Renewing server.pem certificate

Splunk Employee

The 6.4.0 version of the docs has some renamed SSL attributes, so if you are still running 6.2, make sure to use that version of the manual:

http://docs.splunk.com/Documentation/Splunk/6.2.0/Security/Howtoself-signcertificates

Also, we wrote a Product Advisory specific to this issue for pre-6.3 versions of Splunk, you can find it in this Answers post along with some other possibly helpful bits of information:

https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html

Hope that helps!


Re: Renewing server.pem certificate

Explorer

Thank you for your reply.
However, we need to renew the internal Splunk certificate (server.pem), not the web certificate.
We had already renewed the other internal certificates (ca.pem, cacert.pem).

I've found out that we have to use the "s-renewcerts.sh" script to renew these certificates, but it does not work because cacert.pem is already valid.
http://download.splunk.com/products/certificates/renewcerts-2016-05-05.zip

How can I recreate the server.pem without any issue?

I really appreciate your help!


Re: Renewing server.pem certificate

Splunk Employee

The second link I posted should really be the helpful one. The first one is a link to the docs, which may not be specific enough (but might be a good place to start exploring if you want to build and install your own certificates).

But the second link has the security advisory with good links and some scripts. I've posted it below. If that does not help, let me know and I'll do a little more digging. It's definitely a known issue.

PRODUCT ADVISORY: Pre 6.3, Splunk Enterprise, Splunk Light and HUNK default root certificates expire on July 21, 2016.
(Updated: May 19, 2016)

SUMMARY

Instances of Splunk Enterprise, Splunk Light and HUNK that are older than 6.3 AND that are using the default certificates will no longer be able to communicate with each other after July 21, 2016 unless the certificates are replaced OR Splunk is upgraded to 6.3 or later.

Please note that for all Splunk Enterprise versions, the default root certificate that ships with Splunk is the same root certificate in every download. That means that anyone who has downloaded Splunk has server certificates that have been signed by the same root certificate and would be able to authenticate to your certificates. To ensure that no one can easily snoop on your traffic or wrongfully send data to your indexers, we strongly recommend that you replace them with certificates signed by a reputable 3rd-party certificate authority.

IMPACT

Failure to replace expired certificates prior to this will result in the immediate cessation of network traffic for any connection which uses them.

Expiration of Splunk certificates does not affect:

1) Splunk instances that are in Splunk Cloud
  • SSL certificates used for Splunk Cloud instances are not the default Splunk certificates
  • Forwarder to Splunk Cloud traffic is not impacted, however, relay forwarders (forwarder to forwarder) can be impacted if you chose to use default Splunk certificates for this communication
2) Splunk instances that use certificates that are internally generated (self-signed) or obtained from an external Certificate Authority (CA).
3) Splunk instances in your configuration that are upgraded to 6.3 or above and use that version’s root certificates.
4) Splunk instances that do NOT use SSL - (This is the default configuration for forwarder to indexer communication)

Certificate expiration DOES affect Splunk deployments where:

Any or all Splunk instances in your deployment run a release prior to 6.3 and use Splunk default certificates. This includes
  • Search Heads
  • Indexers
  • License Masters
  • Cluster Masters
  • Deployers
  • Forwarders

RECOMMENDATIONS

There are several options that you can take to resolve certificate expiration. You must take action prior to July 21, 2016.

1) Remain at your current Splunk version (pre-6.3) and manually upgrade the current default root certificates with the provided shell script that is appropriate for your operating system. Note that the shell script only replaces the current default root certificate with a new (cloned) certificate with a future expiration date. The script does not replace a Splunk default certificate with your own certificate.

The script is available at:
http://download.splunk.com/products/certificates/renewcerts-2016-05-05.zip

Update: minor script changes to update messages and remove redirect of stderr to /dev/null when checking OpenSSL version

Please be sure to read the README.txt included in the zip file before running the script.

2) Upgrade all Splunk instances in your environment to 6.3 or above and use self-signed or CA-signed certificates. We strongly recommend this as the most secure option. Replace current default root certificates with your own certificates. Download the following document to learn about hardening your Splunk infrastructure:
Splunk Security: Hardening Standards

3) Remain at your current Splunk version (pre-6.3) and use self-signed or CA-signed certificates. Replace current default root certificates with your own certificates. Download the following document to learn about hardening your Splunk infrastructure:
Splunk Security: Hardening Standards

4) Upgrade ALL Splunk instances to 6.3 or above and use those default root certificates.
Note: Prior to the upgrade, if in use, please remove the existing Splunk default certificate copies of ca.pem and cacert.pem.
Refer to: Upgrading my Splunk Enterprise 6.2.x to 6.3.x did not upgrade the expiration dates on my default SSL...


Re: Renewing server.pem certificate

Explorer

Hi,

Exactly, the second link explains how to renew the internal certificates, but the script does not renew the certificate server.pem.
The certificates "ca.pem" and "cacert.pem" were renewed in 2016 and they are valid until 2026, but the server.pem will expire in one week.
Because cacert.pem is still valid, when I use the script I do not receive any error, but it does not renew the certificate.

# openssl x509 -in /opt/splunk/etc/auth/cacert.pem -text -noout | grep "Not After"
Not After : Jul 3 10:06:15 2026 GMT
# openssl x509 -in /opt/splunk/etc/auth/server.pem -text -noout | grep "Not After"
Not After : Dec 15 11:35:27 2017 GMT

Re: Renewing server.pem certificate

SplunkTrust

If you do not want to renew this certificate from a 3rd party, you can use the commands below, but if you are using SSL communication between Splunk servers then you need to go through the documentation/process properly.

# $SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n SplunkServerDefaultCert
# mv server.pem server.pem.orig
# mv SplunkServerDefaultCert.pem server.pem
# openssl x509 -in server.pem -text


Re: Renewing server.pem certificate

Explorer

We use a 3rd party certificate for https access; however, here we need to renew the Splunk internal certificate server.pem.

Re: Renewing server.pem certificate

SplunkTrust

If this is an internal certificate then you can follow the steps I provided above; if you are still afraid to run those, you can test something like this, which will create the certificate in the /tmp/ directory:

# cp $SPLUNK_HOME/etc/auth/ca.pem /tmp/
# cp $SPLUNK_HOME/etc/auth/cacert.pem /tmp/
# $SPLUNK_HOME/bin/splunk createssl server-cert -d /tmp/ -n SplunkServerDefaultCert
# openssl x509 -in /tmp/SplunkServerDefaultCert.pem -text

I already performed the given steps in my lab environment because my server.pem had expired and, due to that, KV store was complaining. The plus point was that in my lab environment I am not using SSL communication between Splunk instances, so I didn't look into it too much; I renewed the certificate and restarted Splunk.
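As an added pre-flight check (example script written for this thread, not part of Splunk's tooling or any poster's commands): before moving a freshly created server.pem over the old one, confirm that it expires in the future and that it chains to the cacert.pem other instances already trust, since failing either check breaks the TLS connections the advisory above describes. It assumes an OpenSSL CLI and GNU date on the host, and that SPLUNK_HOME defaults to /opt/splunk.

```shell
#!/bin/sh
# Added example: sanity checks for a renewed Splunk server.pem.
# Assumptions: GNU date (-d), openssl on PATH, default auth file names.

: "${SPLUNK_HOME:=/opt/splunk}"
AUTH_DIR="$SPLUNK_HOME/etc/auth"

# Print the number of whole days until the certificate in $1 expires
# (negative when it has already expired).
cert_days_left() {
    enddate=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$enddate" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeed only if the certificate in $2 was signed by the CA cert in $1,
# i.e. peers that trust that CA will accept the new server certificate.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check a candidate server certificate ($2) against the CA cert ($1),
# e.g. one produced with "splunk createssl server-cert -d /tmp/" before
# it is copied over $SPLUNK_HOME/etc/auth/server.pem.
check_server_cert() {
    ca="$1"; cert="$2"
    days=$(cert_days_left "$cert")
    if [ "$days" -le 0 ]; then
        echo "FAIL: $cert expired $(( -days )) day(s) ago"; return 1
    fi
    if ! cert_chains_to_ca "$ca" "$cert"; then
        echo "FAIL: $cert is not signed by $ca"; return 1
    fi
    echo "OK: $cert valid for $days more day(s), signed by $ca"
}

# Usage against a live install (hypothetical paths, uncomment to run):
# check_server_cert "$AUTH_DIR/cacert.pem" "$AUTH_DIR/server.pem"
```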

Re: Renewing server.pem certificate

Explorer

Hi,

Thank you for your reply.
I could renew the server.pem like below:
$SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n server -c cn.domain.com -l 2048