Security

When trying to apply my new SSL certificate to Splunk Web and restart, why does it just hang and the web server won't start?

pdjhh
Communicator

Hi there,

When I try to apply my newly acquired SSL certificate to Splunk Web then restart, it just hangs and won't start the web server. Sequence of events was:

  • I raised a CSR and gave it to the server guys to obtain a certificate.
  • They provided a link from where I download the cert in x509 format as a .crt file with an intermediate certificate too.
  • I combined these two into one PEM file with the server cert at the top and the intermediate underneath it, as I read on the Splunk website.
  • I took the password off the original key and placed it and the new PEM file into etc/auth/splunkweb
  • I edited web.conf and pointed it at the key and cert files per docs
  • Restarted Splunk Web, but couldn't connect, so I restarted Splunk and it runs through and hangs when trying to start the web server, indefinitely.
  • Checked the web service log: nothing.

Based on my steps have I done something wrong?

Thanks.

1 Solution

grijhwani
Motivator

You don't say what platform. If you're on Linux I would suggest using strace on a manually started Splunk instance to get straight into the problem.

Some thoughts though. Are you starting Splunk as a service (sudo /etc/init.d/splunk start or sudo service splunk start), or just invoking it manually as the splunk user? Have you checked permissions and ownerships? Remember that the key should only be root or splunk readable. If you're not running as root and it is root-owned that could cause problems. But it is odd that you're not seeing anything in the splunk log.

0 Karma

nychawk
Communicator

Read here:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Security/Getthird-partycertificatesforSplunkWeb

"Splunk Web does not support private key passwords"

You must remove the passphrase altogether using an openssl command, then save the resulting certificate to a new one, pointing at that one.

Be sure to place your changes in "etc/system/local/web.conf"

Your new web.conf should look something like this:

[settings]
#
# SSL certificate files. Paths are specified relative to SPLUNK_HOME
#
privKeyPath = etc/auth/splunkweb/splunk-new-cert.key
# Despite the name, caCertPath is the certificate Splunk Web presents:
# the server cert first, with the intermediate(s) below it in the same file
caCertPath = etc/auth/splunkweb/splunk-new-cert.pem
#
enableSplunkWebSSL = true
startwebserver = 1
httpport = 8000

Be sure to follow best practices by disabling world read, write to these files, etc...

HTH,

-mi

0 Karma
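The preparation steps described in the question and in the two answers above (strip the key passphrase, stack the server cert over the intermediate in one PEM file, and make sure the result is owned by the right account and not world-readable), as an added example using the OpenSSL CLI. This is not code from the thread or from Splunk; it assumes the openssl binary and GNU coreutils (stat -c), and the file names, the "splunk" account name and the umask-based protection are illustrative choices, not Splunk's procedure.

```shell
#!/bin/sh
# Added example (not from the thread, not Splunk's own tooling): the steps the
# question lists, done with the OpenSSL CLI. Assumes openssl and GNU coreutils
# (stat -c); file names and the "splunk" account are illustrative.

# Splunk Web cannot prompt for a key passphrase, so the key must be stored
# unencrypted. Writing it under umask 077 means it is created 0600 and is never
# world-readable, not even for an instant. $3 is an optional -passin source
# (pass:..., file:...); without it openssl prompts on the terminal.
strip_key_passphrase() {
  in="$1"; out="$2"; pass="${3:-}"
  if [ -n "$pass" ]; then
    ( umask 077; openssl pkey -in "$in" -passin "$pass" -out "$out" )
  else
    ( umask 077; openssl pkey -in "$in" -out "$out" )
  fi
}

# Build the bundle web.conf points at: server certificate first, then the
# intermediate(s). Each file is re-emitted through "openssl x509" so a DER .crt,
# or a file with extra text around the certificate, still yields one clean PEM block.
# $1 output file, $2 server cert, $3.. intermediates (the server cert's issuer first).
build_cert_chain() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    { openssl x509 -in "$f" 2>/dev/null || openssl x509 -inform DER -in "$f"; } >> "$out" || return 1
  done
}

# Ownership and mode check for the files Splunk Web reads at startup.
# $1 file, $2 required owner, $3 most permissive acceptable mode (octal, e.g. 600).
# Returns 1 (with a message on stderr) if the file is owned by someone else or
# grants any permission bit beyond $3: the "root-owned, splunk cannot read it"
# case and the "world-readable key" case in one test.
check_file_perms() {
  f="$1"; owner="$2"; maxmode="$3"
  actual_owner=$(stat -c '%U' "$f") || return 1
  actual_mode=$(stat -c '%a' "$f") || return 1
  if [ "$actual_owner" != "$owner" ]; then
    echo "$f: owned by $actual_owner, expected $owner" >&2; return 1
  fi
  # leading 0 makes the shell read both values as octal
  if [ $(( 0$actual_mode & ~0$maxmode )) -ne 0 ]; then
    echo "$f: mode $actual_mode is more permissive than $maxmode" >&2; return 1
  fi
  return 0
}

# Example use, with the paths from the web.conf posted in this thread
# (relative to $SPLUNK_HOME):
#   strip_key_passphrase server.key etc/auth/splunkweb/splunk-new-cert.key
#   build_cert_chain etc/auth/splunkweb/splunk-new-cert.pem server.crt intermediate.crt
#   check_file_perms etc/auth/splunkweb/splunk-new-cert.key splunk 600
#   check_file_perms etc/auth/splunkweb/splunk-new-cert.pem splunk 644
```

Run check_file_perms as a pre-flight before restarting: a key that Splunk's own account cannot read, or one that is readable by everyone, is exactly the kind of fault that produces a silent hang rather than a log line.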

pdjhh
Communicator

Hi there. Thanks for posting that but that is actually what I've followed and I removed the passphrase from the key too. Are there any OpenSSL commands I can run to make sure the key and cert are all good and compatible with each other? The other thing I'm wondering about is the intermediate cert and if that's ok. I pasted it below the server cert as per instructions but not sure how to test it.

0 Karma

grijhwani
Motivator

You did already mention removing the password in your original question.

You can validate the intermediate as you would any other certificate.

0 Karma

pdjhh
Communicator

This behaviour, nothing happening when Splunk tries to reference the cert and key for Splunkweb and nothing in the logs, seems to be indicative of a problem with one or both of those from what I've read and people have advised. I went through the process from scratch; new key, new csr, new cert and loaded them up and all good.

Through this process I discovered some useful new tools, the CSR checker to make sure all of your entries are correct and the matcher to check your new cert against the private key. This can be done in OpenSSL if you don't want to paste your private key onto the website, just search for 'verify cert and private key in openssl'.

https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp

https://www.sslchecker.com/matcher

Thanks for guiding me in the right direction. Splunk didn't even answer the case I raised.

grijhwani
Motivator

You're very welcome. Glad you got it sorted. That's what the community is for. I'm surprised the support team were non-responsive though.

0 Karma

pdjhh
Communicator

I think I'm edging toward the problem. I put my certs and key into a checker and it came back and said the certificate and private key do not match. Having followed the steps on the Splunk website what are the circumstances under which this could happen? Anything to do with the organisation name and things like that I entered into the CSR when building that?

0 Karma

grijhwani
Motivator

That was what I was getting at when I suggested you check the fingerprint of the key and the certificate. OpenSSL provides a commandline tool for generating the fingerprint of both the certificate and the key, and they should match. (This is what your checker will have done.)

As to how this comes about, quite simply the key and the certificate have been muddled. Either the key you now have is not the key against which the original CSR was created, or the certificate you have was not generated from the CSR you provided. My previous role required managing SSL certificates for multiple hosts and services, so there were standard processes for generating keys, CSRs and resultant certificates externally. When certificates were altered for Splunk I replaced them and altered the configuration to match manually. I never used Splunk to create the initial request, so I'm not sure where the procedure is that you followed, but an error like this essentially derives from human error.

Although it is configuration dependent (i.e. the local administrator can alter the location in web.conf), the default location for your web certificates is:
~splunk/etc/auth/splunkweb/privkey.pem
~splunk/etc/auth/splunkweb/cert.pem

I would search the whole of ~splunk/etc/ for .pem files, and check timestamps. You might be able to locate a match that way, if you can remember the date of generating the original request. Otherwise you will just have to generate a new key (or use an existing key), create a new CSR from it, and request a new certificate to match the new key. There is no feasible way to work backward if you cannot find the matching key for your certificate. (If there was SSL would not be secure...)

For a crash course in openssl certificate handling tools you could do worse than look at this summary

0 Karma
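The OpenSSL checks pdjhh asked for earlier in the thread (is the key compatible with the cert, is the intermediate right) and the fingerprint comparison and key hunt grijhwani describes above, as an added example. This is not code from the thread or from Splunk's documentation; it assumes the openssl CLI (1.0.2 or newer, for the -partial_chain option) and a POSIX awk. It goes a little beyond the RSA-modulus comparison usually quoted for this, by hashing the DER public key so the same check works for any key type, and it also tests the order of the certificates in the combined file.

```shell
#!/bin/sh
# Added example (not from the thread, not Splunk's own tooling). Assumes the
# openssl CLI (1.0.2+ for -partial_chain) and POSIX awk; file names are illustrative.

# SHA-256 over the DER-encoded public key, taken from either side. Equal values
# for the certificate and the key are what "the fingerprints match" means; the
# classic "compare the RSA modulus" recipe is the RSA-only form of the same test.
# Optional $2 is a -passin source (pass:..., file:...) for an encrypted key;
# the default of an empty passphrase keeps the check non-interactive.
pubkey_fingerprint_of_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}
pubkey_fingerprint_of_key() {
  openssl pkey -in "$1" -passin "${2:-pass:}" -pubout -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}

# 0 = match, 1 = mismatch (key and certificate have been muddled),
# 2 = one of the files is not a parseable certificate / key. Parsing is checked
# first so that two unreadable files cannot "match" on the hash of empty output.
cert_key_match() {
  openssl x509 -in "$1" -noout 2>/dev/null || return 2
  openssl pkey -in "$2" -passin "${3:-pass:}" -noout 2>/dev/null || return 2
  [ "$(pubkey_fingerprint_of_cert "$1")" = "$(pubkey_fingerprint_of_key "$2" "$3")" ]
}

# Print the n-th PEM certificate block of a bundle ($1 file, $2 index from 1).
nth_cert() {
  awk -v n="$2" '/BEGIN CERTIFICATE/{i++} i==n' "$1"
}

# Splunk Web wants the server certificate first and its issuer below it. This
# checks that the second certificate in the bundle really did sign the first
# (-partial_chain lets a non-root intermediate act as the trust anchor for this
# one test; a full check would use -CAfile root.pem -untrusted intermediate.pem).
check_chain_order() {
  bundle="$1"; d=$(mktemp -d)
  nth_cert "$bundle" 1 > "$d/first.pem"
  nth_cert "$bundle" 2 > "$d/second.pem"
  if [ ! -s "$d/second.pem" ]; then
    echo "$bundle: only one certificate, no intermediate found below it" >&2
    rm -rf "$d"; return 1
  fi
  if openssl verify -partial_chain -CAfile "$d/second.pem" "$d/first.pem" >/dev/null 2>&1; then
    rc=0
  else
    echo "$bundle: first certificate was not issued by the second (wrong order or wrong intermediate)" >&2
    rc=1
  fi
  rm -rf "$d"; return $rc
}

# grijhwani's "search ~splunk/etc for .pem files" done by test rather than by
# timestamp: print every key under $2 whose public key matches certificate $1.
# Keys that are still passphrase-protected are skipped (they fail to parse with
# an empty passphrase) rather than blocking on a prompt.
find_matching_key() {
  cert="$1"; dir="$2"
  find "$dir" -type f \( -name '*.pem' -o -name '*.key' \) -print | while read -r f; do
    if cert_key_match "$cert" "$f" 2>/dev/null; then echo "$f"; fi
  done
}

# Example use (paths from the thread, relative to $SPLUNK_HOME):
#   cert_key_match etc/auth/splunkweb/splunk-new-cert.pem etc/auth/splunkweb/splunk-new-cert.key
#   check_chain_order etc/auth/splunkweb/splunk-new-cert.pem
#   find_matching_key etc/auth/splunkweb/splunk-new-cert.pem etc
```

A mismatch reported by cert_key_match is exactly the "certificate and private key do not match" verdict from the web checker, obtained without the private key ever leaving the host.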

pdjhh
Communicator

Hi there. Sorry yes it's Linux and in this case I'm just doing a splunk restart as the splunk user. I changed the ownership of the key and cert files to be the splunk user and both files currently have rw-r--r-- permissions.

0 Karma

grijhwani
Motivator

What was the ownership and permission on the prior cert/key pair?

Did you confirm that the key/cert fingerprints actually matched, and that someone hasn't goofed in the cert generation?

And of course, there's always the possibility that if your Splunk server is normally started as a service, it will have been a root-owned process, and some of its prior working files will be root only. That can cause it major headaches if you then try to start it as the unprivileged splunk user.

0 Karma

pdjhh
Communicator

I can see the fingerprint in the cert but not sure what to check that against? The rights and processes should be fine because I'm always careful about that and the service has been running fine for months, it only broke now when I apply these. There must be something wrong with the certs and key combo or something. Might have to log a case and see if I can get some more help.

0 Karma

grijhwani
Motivator

Fingerprint the key, too. That's what you compare with the certificate fingerprint.

You're absolutely certain that you have never invoked Splunk as root, and that there is nothing with the wrong file ownerships that might be stalling it?

Don't get caught up on the assumption that just because it was running when you stopped it that it would have restarted cleanly, unless having stopped it you then restarted it just to check. (This is exactly what I do when I'm implementing a change, because experience has taught me it is easy to waste a lot of time getting funneled down a blind canyon by your assumptions.) It is quite possible that your certificate being the only thing you know to have changed is the problem, but don't forget that something else could have happened before that which would stop the process starting, even if it was fine while still running. If simple checks of your certificate setup do not solve the problem, then I would strongly suggest that you need to go to more direct methods to determine the definite fault rather than fixing what you think might be wrong.

0 Karma