Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Secure Splunk Web with your own certificate

This example assumes that you have already generated self-signed certificates or purchased third-party certificates. If you have not done this and are unsure how to proceed, we've provided some simple examples:

Note: Splunk Web does not currently support password-protected private keys. You should remove the password from your key before configuring Splunk Web for the certificate.

Before you begin: Copy your certificates to a new folder

Copy the server certificate to your own certificate repository in $SPLUNK_HOME/etc/auth.

In the following example our web certificate is called mySplunkWebCertificate.pem and our private key is called mySplunkWebPrivateKey.key:


# cp $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebCertificate.pem $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebPrivateKey.key $SPLUNK_HOME/etc/auth/splunkweb


copy $SPLUNK_HOME\etc\auth\mycerts\mySplunkWebCertificate.pem $SPLUNK_HOME\etc\auth\splunkweb\

copy $SPLUNK_HOME\etc\auth\mycerts\mySplunkWebPrivateKey.key $SPLUNK_HOME\etc\auth\splunkweb\

Configure Splunk Web to use the key and certificate files

Note: Splunk Web does not support passwords for private keys, so you must remove the password from the key before using the key to secure Splunk Web.

1. In $SPLUNK_HOME/etc/system/local/web.conf (or any other applicable location, if you are using a deployment server), make the following changes to the [settings] stanza:

The following is an example of an edited settings stanza:

enableSplunkWebSSL = true
privKeyPath = </home/user/certs/myprivatekey.pem> Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME
serverCert = </home/user/certs/mycacert.pem> Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME

2. Restart Splunk Web:

# $SPLUNK_HOME/bin/splunk restart splunkweb
Turn on encryption (https) using web.conf
Troubleshoot your Splunk Web authentication

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10


For Windows, restarting the splunkweb service via "splunk restart splunkweb" didn't recognize the new SSL cert. I rebooted the machine, and the new cert was recognized. Maybe I could have just restarted the splunkd.exe service...

November 9, 2017

Hello, I am seeing this error when trying to use the path to my server cert in web.conf
Invalid key in stanza [settings] in /opt/splunk/etc/system/local/web.conf, line 3: serverCert (value: /home/ryot/mycerts/mycacert.pem)

Web.conf -
enableSplunkWebSSL = true
serverCert = /home/ryot/mycerts/mycacert.pem
privKeyPath = /home/ryot/mycerts/myprivatekey.pem

April 11, 2017

I don't understand. In PrivKeyPath we have to referer a .key file or a .pem file ? And if it's pem file so wihich one ?

April 6, 2017

We are installing DoD certs, server.cert.pem and server.key.pem following the instructions above and the splunk service doesn't seem to restart. We copied the two pem files to the splunkweb folder as stated above, modifed web.conf file as above pointing to the location and files. Is there anything else I am missing.

March 27, 2017

Thanks for pointing that out, Hmallett. We've fixed the error.

Andrewb splunk, Splunker
January 25, 2017

The line:
serverCert = </home/user/certs/mycacert.pem.
should be:
serverCert = </home/user/certs/mycacert.pem>

January 25, 2017

Hey Byron,
Thank you so much for calling this to my attention. I've updated the docs accordingly.

Jworthington splunk, Splunker
October 12, 2016

The example in section 1.

"servercert = </home/user/certs/mycacert.pem. Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME"

should be:
"serverCert = </home/user/certs/mycacert.pem. Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME"

Note the capital C in serverCert.


October 12, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters