Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Troubleshooting certificate issues

Even after importing the correct certificate, you might notice that the server still reports connectivity issues, which could be related to the certificate. In addition to the certificate being available for validation, it is important to remember some key points about certificate validation:

  • The OpenSSL library used must validate a full certificate chain. This means that you cannot just install the end certificate, such as the one on the web server. If it was signed by a parent certificate, then the parent certificate is the one that must be installed. However, if it is a true self-signed certificate, meaning it is signed by itself and has no parent, then install that certificate.
  • Any required intermediate certificates must be present. Many CAs have a root certificate, then one or more levels of intermediate (issuer) certificates, and then the actual server certificate. It is customary for the server to be configured to serve both its own certificate and the intermediates, and for the client to have the root to complete the chain. However, if the server is not configured to serve the intermediates, then the intermediates must also be installed in the certificate store.
  • Certificates must be within their date range. That is, the current date must be after the valid-from date and before the expiration date in the certificate.
  • Certificates must use a valid Common Name (CN) or Subject Alternative Name (SAN) field, and Splunk Phantom must be configured to use the resource by that name. Wildcard certificates also work as expected. For example, you might have a server known as server.example.com at IP address 10.1.1.1. For the SSL/TLS connection to it to succeed, Splunk Phantom must be configured to use the full name, server.example.com. Using a short name of "server" or using the IP address 10.1.1.1 does not work.
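The following is an added example, not part of the Splunk documentation: it builds a throwaway three-level PKI in a temporary directory and runs `openssl verify` against it to reproduce each point above. The names "Lab Root" and "Lab Intermediate", the file names, and the 30-day lifetime are constructed for the demonstration, and it assumes the `openssl` command-line tool is installed.

```bash
#!/usr/bin/env bash
# Constructed lab PKI (not real Splunk Phantom material):
#   Lab Root -> Lab Intermediate -> server.example.com
LAB=$(mktemp -d) && cd "$LAB" || exit 1
trap 'rm -rf "$LAB"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example.com\n' > leaf.ext

# issue NAME SUBJECT EXTFILE [ISSUER]: writes NAME.key and NAME.pem;
# the certificate is self-signed when ISSUER is omitted.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null || return 1
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}
issue root  "/CN=Lab Root"           ca.ext
issue inter "/CN=Lab Intermediate"   ca.ext   root
issue leaf  "/CN=server.example.com" leaf.ext inter
cat root.pem inter.pem > root_and_inter.pem   # store holding root plus intermediate

# check STORE [openssl verify options]: true only when leaf.pem validates against STORE
check() {
  local store=$1; shift
  openssl verify -CAfile "$LAB/$store" "$@" "$LAB/leaf.pem" 2>&1 | grep -q ': OK$'
}
report() {
  local label=$1; shift
  if check "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

later=$(( $(date +%s) + 90 * 86400 ))   # 90 days ahead, past the 30-day lifetime
report "store holds only the server certificate"     leaf.pem
report "store holds root, intermediate unavailable"  root.pem
report "store holds root and intermediate"           root_and_inter.pem
report "store holds root, server sends intermediate" root.pem -untrusted "$LAB/inter.pem"
report "evaluated after the expiration date"         root_and_inter.pem -attime "$later"
report "connect by full name server.example.com"     root_and_inter.pem -verify_hostname server.example.com
report "connect by short name server"                root_and_inter.pem -verify_hostname server
report "connect by IP address 10.1.1.1"              root_and_inter.pem -verify_ip 10.1.1.1
```

Only the third, fourth, and sixth cases report PASS; rerunning a failing case without the `grep` filter shows the specific OpenSSL verification error for that condition.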
Last modified on 29 June, 2023

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

