Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

certificate store overview

has a certificate store used to validate certificates when forming connections to other servers. The certificates in the store are trusted certificate authority (CA) certificates from mkcert.org and are updated periodically. In almost all cases, can use its certificate store to validate any certificate issued by a commercial certificate authority (CA).

The default certificate store cannot be used to validate self-signed certificates, or certificates issued by an internal CA. You must add these custom certificates to the certificate store.

Different types of certificates are stored in different certificate stores:

Certificate type Storage location Additional information
SOAR Certificates <$PHANTOM_HOME>/etc/certs/ Add certificates to the <$PHANTOM_HOME>/etc/cacerts.pem file using the import_cert.py tool, located in <$PHANTOM_HOME>/bin/. See Add or remove certificates from the certificate store.
SOAR HTTP Certificates <$PHANTOM_HOME>/etc/ssl/ For more information about how to change the TLS certificate on the platform, see Provide a valid SSL certificate for the connection between Splunk Phantom and Splunk Enterprise in the Use the Splunk Phantom App for Splunk to Forward Events documentation.
SOAR Encryption and SAML Certificates <$PHANTOM_HOME>/etc/keystore/ For more information about how to change the SAML certificate on the platform, see How to Rotate the Signing and/or Encryption Certs in Phantom for SAML.
SOAR NGINX SSH Certificates <$PHANTOM_HOME>/var/cache/nginx/.ssh This key is used for authenticating SSH sessions for Source Control and other SSH sessions that are initiated by the Splunk SOAR platform. For more information about how to find and configure SSH for Source Control, see

Configure a source control repository for your playbooks.

Last modified on 03 June, 2022
Add or remove a cluster node from Splunk SOAR (On-premises)   Add or remove certificates from the certificate store

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2


Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters