Splunk Enterprise Security

Why is splunkd expecting intermediate certs in the trust store?

Path Finder


We are exposing our search heads' management port for API access to splunk and enabled mTLS. When our users are hitting the endpoint with certs with below chain format, splunk is throwing (SSL_ERROR_UNKNOWN_CA_ALERT) - Peer does not recognize and trust the CA that issued your certificate. error.

Our users' certs are in below format


<intermediate 1>
<intermediate 2>


The Root CA cert that signed the <intermediate 2> cert is in our cacerts.pem file configured as below in server.conf


The expectation is splunk should establish the chain and since the Root CA that signed the last intermediate cert is present in its trust store, it should accept the client connection. This is not happening.

However, If we put the both above intermediate certs  also in the cacerts.pem file along with Root CA cert, that establishes a successful connection.

Why is this happening? Shouldn't splunk be able to build the chain with user provided cert and establish a connection without having intermediates in its truststore? Is there any parameter configuration to achieve this behaviour?

Labels (1)
0 Karma