Security

server_pkcs1.pem cert expired

bfrisan
Loves-to-Learn

Our Nessus vulnerability scanner is flagging that the server_pkcs1.pem certificate is expired.

I have verified that it is expired but am unable to renew it. Stopping the service, renaming the file and restarting the service does not recreate it. How do you renew this certificate?

0 Karma

usd0872
Path Finder

Found the same file mysteriously auto-created and after a bit of tinkering found what caused its creation, at least in my case:

splunk backup kvstore -pointInTime true -archiveName my_archive

The file vanishes again once the process finishes. But if for some reason it crashes/gets killed/whatever, the file is left in the filesystem.

0 Karma

PickleRick
SplunkTrust

Splunk doesn't by default come with a cert file called server_pkcs1.pem. It must be a piece of configuration explicitly done in your deployment. So you have to find:

1) Where (if anywhere) its use is defined (@marnall's hint can help but it doesn't have to contain all possible references to certs - some add-ons can use their own cert settings).

2) Where this cert comes from. As far as I remember, only the default cert can be automatically (re)created.

0 Karma

marnall
Motivator

Can you run btool on the machine as the splunk user to make sure that the server_pkcs1.pem certificate is indeed the one used by splunk?

/opt/splunk/bin/splunk btool server list sslConfig

Look for the serverCert variable.

0 Karma

bfrisan
Loves-to-Learn

Sorry for delayed response, holidays got in the way.

I ran "splunk btool server list sslConfig" and it returned no data. I tried it without sslconfig and searched for that cert name and found nothing.

When I run openssl.exe x509 -enddate -noout -text -in "c:\programs files\splunk\etc\auth\server_pkcs1.pem" it shows as the issuer being Splunk.

0 Karma

PickleRick
SplunkTrust

Just because the issuer is "Splunk something", doesn't mean the file itself couldn't have been - for example - manually renamed from the original file which was created by some built-in scripts.

Unfortunately you're using Windows so I won't give you a find | grep one-liner to find whether it's referenced anywhere. You have to check for yourself if any *.conf file calls out to it.

0 Karma
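A PowerShell counterpart to the find | grep search mentioned above, as an added example that is not part of the original posts: it searches every *.conf file under the Splunk etc directory for the certificate file name, then lists the expiry of each PEM in etc\auth. The install path `C:\Program Files\Splunk` and the parameter names are assumptions; adjust them to the deployment.

```powershell
# Added example, not from the thread. $SplunkHome is an assumed install path.
param(
    [string]$SplunkHome = 'C:\Program Files\Splunk',
    [string]$CertName   = 'server_pkcs1.pem'
)

# 1) Which *.conf files (core, apps, add-ons) mention the certificate file name?
$hits = Get-ChildItem -Path (Join-Path $SplunkHome 'etc') -Recurse -Filter '*.conf' -File -ErrorAction SilentlyContinue |
    Select-String -SimpleMatch -Pattern $CertName

if ($hits) {
    $hits | Select-Object Path, LineNumber, Line | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No *.conf file under $SplunkHome\etc references $CertName"
}

# 2) Expiry of the first certificate in every PEM under etc\auth.
#    The block is extracted by hand so files that also hold a private key still parse.
$pemPattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
Get-ChildItem -Path (Join-Path $SplunkHome 'etc\auth') -Filter '*.pem' -File | ForEach-Object {
    [string]$text = Get-Content -LiteralPath $_.FullName -Raw
    $m = [regex]::Match($text, $pemPattern, 'Singleline')
    if (-not $m.Success) { return }   # key-only or empty file: skip it

    [byte[]]$der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

    [pscustomobject]@{
        File     = $_.Name
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Expired  = $cert.NotAfter -lt (Get-Date)
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

A file that is expired in step 2 but has no hit in step 1 is not named in any configuration file under etc, which matches the situation described in this thread.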

bfrisan
Loves-to-Learn

Yeah, no reference to server_pkcs1.pem in server.conf. I already renamed the file, and the finding is gone. Just watching/waiting now to make sure there are no issues. Thanks!

 

0 Karma