Solved: Splunk not taking updated certificate server.pem

clacroixdurant · ‎05-27-2024

We noticed this morning that all the certificates for our Splunk servers are expired since a week (discovered whilst investigating why KVStore stopped this weekend).

I followed recommendation from other community ask by renaming server.pem to server.pem.old and restarting the Splunk service to create a new one.

It correctly creates a new server.pem with a valid expiration date, however it still displays the old cerficate in my browser.

I already checked with btool, and it seems fine (pointing to server.pem). I also already checked web.conf and tried to manually indicate the file path but it's still not working...

Am I missing something?

clacroixdurant · ‎05-27-2024

Well, I finally found what was missing.

There's another certificate for the web interface in /opt/splunk/etc/auth/splunkweb

I did the same as the other certificate (rename it to .old and restart the service) and it automatically recreated a new updated certificate.

View solution in original post

clacroixdurant · ‎05-27-2024

Well, I finally found what was missing.

There's another certificate for the web interface in /opt/splunk/etc/auth/splunkweb

I did the same as the other certificate (rename it to .old and restart the service) and it automatically recreated a new updated certificate.

Splunk not taking updated certificate server.pem

administration

configuration

troubleshooting

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector