Related Answers
Download topic as PDF
About default certificate authentication
Splunk Enterprise 6.6 and higher comes with default certificates that are signed with Secure Hash Algorithm (SHA)-256 using a 2048-bit key. These certificates are part of a fresh installation.
When you upgrade from a previous release, Splunk Enterprise replaces the existing cacert.pem.default and ca.pem.default Privacy Enhanced Mail (PEM) files. Existing certificates, for example cacert.pem and ca.pem, are not affected.
Because of the new default PEM, you must upgrade all certificates and PEM files to SHA-256 using a 2048-bit key to avoid validation errors. For example, your indexers and forwarders might require updates to meet the same standards as your Splunk Enterprise instance. You might also want to check the certificate for your license manager. If all certificates and PEM files are not updated, Splunk Enterprise logs the following error in splunkd.log when it attempts to connect to another instance over SSL:
ERROR TcpOutputFd - Connection to host=10.140.130.102:9997 failed. sock_error = 0. SSL Error = error:04091077:rsaroutines:INT_RSA_VERIFY:wrong signature length
|
PREVIOUS Securing Splunk Enterprise with FIPS |
NEXT Harden your Windows installation |
This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0
Feedback submitted, thanks!