- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- What is the impact to expire my server.pem?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the impact to expire my server.pem?
What is the impact to expire my server.pem?
Hi Splunk professional,
I would like to know any impacts when the server.pem in SHC are expired.
I have already understood what will happen to expire them in SHC.
- impossible to use 8089
- impossible to use kvstore
- not to work replication between SH
- not to work lookup and inputlookup command
I do make sure whether SHC are impossible to connect with indexer when expiring the server.pem, because the 8089 port is not work.
Is that correct?
Anyway, I would like to know another impact and concern.
I appreciate any opinion.
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
May Splunk not work anymore however if the ROOT CA expires?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generally speaking, Splunk will not be adversely affected by an expired certificate, however, it is of course bad security practice.
SSL/TLS certificate management can be quite a daunting process in Splunk, however, this excellent presentation from .conf15 walks you through the process of generating your own certificates for your whole deployment - Its a great guide.
It also shows which services such as CA checking and CN checking are used by each component.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
As far as I know if you have sslVerifyServerCert = false in server.conf then it will not create any problem but KVStore will complain and might not work (I had tested expired server.pem in Splunk 6.3 or 6.4 and it was working fine in my lab in SHC and IDXC and I was not using kvstore)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When your SSL certificates expire your components (SH, IDX, Forwarder, etc...) will stop talking to each other.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is not correct in most cases. Splunk is very tolerant of expired certificates. It is certainly not the default failure mode
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
