
Why didn't the upgrade from Splunk Enterprise 6.2.x to 6.3.x also upgrade the expiration dates on my default SSL certs?

weeb
Splunk Employee

I upgraded my instances as per https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html#an... , however, my default SSL certs ca.pem and cacert.pem are still showing the older expiration dates. What am I doing wrong?

1 Solution

weeb
Splunk Employee

For upgrades from an earlier version to 6.3.x, please remove existing copies of ca.pem and cacert.pem before upgrade.

Steps for Linux:

  1. Stop Splunk
  2. Remove $SPLUNK_HOME/etc/auth/ca.pem
  3. Remove $SPLUNK_HOME/etc/auth/cacert.pem
  4. Upgrade procedure as usual (untar tarball over Splunk home directory)
  5. Start Splunk (this will generate new ca.pem and cacert.pem files)

Hope this helped anyone wondering why their upgrade did not work to change the expiration dates on their default certs.

Just in Case: If the customer generated certs and gave them the names used by Splunk (ca.pem, cacert.pem), this answer does not apply. This answer only applies to default certs provided out of the box by Splunk.
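The Linux steps above, combined with the "Just in Case" caveat, as an added example that is not part of the original answer or Splunk's own tooling. It assumes the out-of-the-box CA certificate carries CN=SplunkCommonCA in its subject; the function names are hypothetical, and the files are moved to a backup directory rather than deleted so a copy remains.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# ASSUMPTION: the out-of-the-box CA subject carries CN=SplunkCommonCA.
DEFAULT_CA_CN="${DEFAULT_CA_CN:-SplunkCommonCA}"

# Succeeds when an `openssl x509 -subject` line names the assumed default CA.
# Handles both the old (/CN=x/) and new (CN = x,) OpenSSL output styles.
is_default_cert() {
  case "$1" in
    *"CN=$DEFAULT_CA_CN"|*"CN=$DEFAULT_CA_CN"[/,]*) return 0 ;;
    *"CN = $DEFAULT_CA_CN"|*"CN = $DEFAULT_CA_CN",*) return 0 ;;
    *) return 1 ;;
  esac
}

cert_subject() { openssl x509 -in "$1" -noout -subject 2>/dev/null; }
cert_enddate() { openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2; }

# Steps 2-3: move default ca.pem / cacert.pem out of etc/auth into BACKUP_DIR
# (moved rather than deleted so a copy remains). Customer-issued certs that
# reuse these file names are left in place.
set_aside_default_certs() {
  local auth="$1/etc/auth" backup="$2" f subj
  for f in ca.pem cacert.pem; do
    [ -f "$auth/$f" ] || continue
    subj="$(cert_subject "$auth/$f")" || subj=""
    if is_default_cert "$subj"; then
      mkdir -p "$backup" && chmod 700 "$backup" &&
        mv "$auth/$f" "$backup/$f" && echo "moved $f"
    else
      echo "kept $f (subject does not match the default CA)"
    fi
  done
}

# Run only when asked: ./script.sh --run /path/to/backup-dir
if [ "${1:-}" = "--run" ]; then
  : "${SPLUNK_HOME:?set SPLUNK_HOME first}"
  backup="${2:?usage: $0 --run BACKUP_DIR}"
  "$SPLUNK_HOME/bin/splunk" stop                               # step 1
  for f in ca.pem cacert.pem; do
    [ -f "$SPLUNK_HOME/etc/auth/$f" ] &&
      echo "$f notAfter: $(cert_enddate "$SPLUNK_HOME/etc/auth/$f")"
  done
  set_aside_default_certs "$SPLUNK_HOME" "$backup"             # steps 2-3
  echo "Next: untar the new release over \$SPLUNK_HOME, then start Splunk."
fi
```

After the upgrade and restart, `openssl x509 -in $SPLUNK_HOME/etc/auth/cacert.pem -noout -enddate` shows whether the regenerated file carries a new expiration date.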


splunkreal
Motivator

Hello,

Thanks for this information.

Does upgrading Splunk 8 to Splunk 9 renew the default Root CA, like cacert.pem, or should we use your procedure and delete them before upgrading? I think we can do this even after.

Kvstore could use Splunk default certificates (on instances not using third-party certificates).

Best regards.

* If this helps, please upvote or accept solution 🙂 *
0 Karma

christeraustad
Explorer

But if you have already upgraded to 6.3, how do I regenerate new certificates with new dates?

0 Karma

cyndiback
Path Finder

Is this needed for upgrades to version 6.4.x?

0 Karma

jodros
Builder

Is this necessary for universal forwarders installed on WinOS?

0 Karma