Hi all,
I’m trying to enable TLS on Splunk using a DigiCert certificate that I only have as a .pfx. I keep running into errors and I’m not fully sure whether my approach is correct. I’ve read several Splunk docs (server.conf/web.conf TLS settings, securing Splunk Web, certificate how-to’s), but the issue remains. I’d appreciate pointers to official, end-to-end guidance for the “I only have a PFX” scenario, and to hear if anyone has seen the same symptoms.
Splunk Enterprise: 9.x
OS: Linux (Ubuntu)
Goal: Use DigiCert certificate for Splunk Web (port 8000)
Inputs available: one .pfx file (exported from Windows/IIS)
PFX is a PKCS12 file which means you probably requested the CA to create privkey/cert bundle for you (which is not the best idea - it's more secure to create your own pkey and only submit a CSR to the CA but that's not the point here).
Splunk doesn't handle PKCS12. It needs PEM-formatted crypto material. You need to use an external tool to extract pkey and cert (and cert chain probably) from the pfx file into separate PEM files. You can use openssl bundled with Splunk for this purpose. You could try Java's keytool but I find its use more confusing.
Anyway, there are a lot of howtos on the internet about converting pkcs12 to pem.
EDIT: Oh, I see you have a file exported from a server on which it's already used. That means that it's either a wildcard cert (which is often a bad idea unless you have a TLS-terminating device at the perimeter of your environment) or you're trying to reuse some other subject's certificate (which is almost never a good idea).
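The extraction described in the reply above, as an added example that is not part of the original thread: it splits a PFX into private key, server certificate and chain with `openssl`, then checks that the key and certificate actually belong together before anything is configured. The function name, the output file names and the `PFX_PASS` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Output file names are hypothetical. The PFX password is read
# from the PFX_PASS environment variable so it stays off the command line.
# Usage: PFX_PASS='...' pfx_to_pem cert.pfx ./pem
pfx_to_pem() (
    pfx=$1; out=$2
    umask 077                        # new files readable by the owner only
    mkdir -p "$out" || exit 1

    # OpenSSL 3.x may need an extra "-legacy" on the pkcs12 calls below for
    # PFX files protected with older algorithms.

    # 1. Private key, written unencrypted: file permissions are its only
    #    protection. The PEM reader skips the "Bag Attributes" preamble.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes |
        openssl pkey -out "$out/privkey.pem" || exit 1

    # 2. Leaf (server) certificate only.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys |
        openssl x509 -out "$out/cert.pem" || exit 1

    # 3. Intermediate/root certificates, if the PFX carries any. They come
    #    out in the order stored in the file, so review the order by hand.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$out/chain.pem"

    # 4. Stop if the key and the certificate carry different public keys.
    key_pub=$(openssl pkey -in "$out/privkey.pem" -pubout) || exit 1
    crt_pub=$(openssl x509 -in "$out/cert.pem" -noout -pubkey) || exit 1
    [ "$key_pub" = "$crt_pub" ] || { echo "key/cert mismatch" >&2; exit 1; }

    # 5. Certificate file for the server: leaf first, then the chain.
    cat "$out/cert.pem" "$out/chain.pem" > "$out/fullchain.pem"
)
```

The example calls whatever `openssl` is on the PATH; the copy bundled with Splunk can be substituted. The resulting PEM files are what the TLS settings in web.conf would then point at.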