About default certificate authentication
Splunk Enterprise 6.6 and higher comes with default certificates that are signed with Secure Hash Algorithm (SHA)-256 using a 2048-bit key. These certificates are part of a fresh installation.
When you upgrade from a previous release, Splunk Enterprise replaces the existing
ca.pem.default Privacy Enhanced Mail (PEM) files. Existing certificates, for example
ca.pem, are not affected.
Because of the new default PEM, you must upgrade all certificates and PEM files to SHA-256 using a 2048-bit key to avoid validation errors. For example, your indexers and forwarders might require updates to meet the same standards as your Splunk Enterprise instance. You might also want to check the certificate for your license manager. If all certificates and PEM files are not updated, Splunk Enterprise logs the following error in
splunkd.log when it attempts to connect to another instance over SSL:
ERROR TcpOutputFd - Connection to host=10.140.130.102:9997 failed. sock_error = 0. SSL Error = error:04091077:rsaroutines:INT_RSA_VERIFY:wrong signature length
Securing Splunk Enterprise with FIPS
Secure Splunk Enterprise on your network
This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0