The pem files are generated for each Splunk instance on first start, so they aren't portable.
Basically that message is saying that splunkd can't decrypt something already encrypted with the certs it has. It's almost certainly the sequence number used for audit signing. If you don't have the originals and need to get audit signing working again, you can remove the encrypted sequence number in persistent storage:
$SPLUNK_HOME/var/lib/splunk/persistentstorage/seqno_db
and a new one will be created on startup, using the new certs. (Shut down to do this.) Once the original certs are gone, you won't be able to verify any of the old audit events, however.
For the moment, this decryption failure results in an assert and splunkd terminates rather ungracefully. I'm looking at some ways to make that more friendly. But it only happens if something has gone wrong with the certs themselves.
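The steps in the answer above as a shell function, added here as an example that is not part of the original post or Splunk's own tooling: it moves seqno_db aside under a timestamped name instead of deleting it, and refuses to run while splunkd is alive. The function name, the backup naming and the pid file location (var/run/splunk/splunkd.pid under SPLUNK_HOME) are assumptions.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling): reset the audit-signing sequence
# number by moving seqno_db aside so splunkd recreates it on the next start.
# Assumption: splunkd writes its pid to var/run/splunk/splunkd.pid.
# Run as the Splunk user or root so the liveness check below is reliable.

reset_audit_seqno() {
    home=$1
    seqno="$home/var/lib/splunk/persistentstorage/seqno_db"
    pidfile="$home/var/run/splunk/splunkd.pid"

    # Refuse to touch persistent storage while splunkd is still running.
    if [ -f "$pidfile" ]; then
        pid=$(head -n 1 "$pidfile")
        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
            echo "splunkd (pid $pid) is running; shut it down first" >&2
            return 1
        fi
    fi

    # Nothing to reset if the store is already absent.
    if [ ! -e "$seqno" ]; then
        echo "nothing to do: $seqno not found" >&2
        return 2
    fi

    # Keep the old store next to the new one. It cannot be decrypted without
    # the original certs, but it records what was in place before the reset.
    backup="$seqno.bak.$(date +%Y%m%d%H%M%S)"
    mv "$seqno" "$backup" || return 3
    echo "$backup"
}

# Stand-alone use: pass SPLUNK_HOME as the first argument.
if [ -n "${1:-}" ]; then
    reset_audit_seqno "$1"
fi
```

The function prints the path of the moved file on success; start splunkd afterwards so a new sequence number is created with the current certs.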