Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Renew IdP certificates

Identity provider (IdP) certificates are automatically created when you install and have an an expiry date of two years from the time they were created. To renew IdP certificates, follow these steps:

  1. Connect to your Splunk SOAR (On-premises) deployment using SSH.
  2. Navigate to the /<PHANTOM_HOME>/keystore directory and create a folder and name it cert.save.
  3. Copy all existing certificates listed in the /<PHANTOM_HOME>/keystore directory to the cert.save folder.
  4. Delete all pem or der files in the /<PHANTOM_HOME>/keystore directory except private_key.pem. private_key.pem is used to decrypt the password and will not be updated.
  5. Change directory to /<PHANTOM_HOME>/bin.
  6. Update the current certificate files by running the following command: 
    phenv python /opt/phantom/bin/initialize.py --set-auth-keys --force

The new IdP certificates are generated under the /<PHANTOM_HOME>/keystore directory and are valid for 2 years. If necessary, you can then copy the relevant public signing key to your IdP.

  • If you use SAML, copy public_sig_saml2.pem to your IdP.
  • If you use OIDC, copy public_sig_oidc.der to your IdP.
Last modified on 24 April, 2023
Update or renew SSL certificates for Nginx, RabbitMQ, or Consul   backup and restore overview

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters