Renew existing certificates
TLS certificates in a Splunk platform deployment secure your Splunk platform instances from potential outside attackers. Whether you generate your own certificates or obtain them from a third party, the certificates last for a certain period of time, typically 3 to 5 years, before they expire.
When a TLS certificate expires, it isn't valid anymore. It no longer provides the security it did when it was in force. This can have various ramifications depending on how you set up Splunk platform deployment and the types of Splunk platform instances that make the secure connections:
- Instances that use invalid certificates and the instances to which they connect log errors about the invalid certificates, increasing the size of log files on the instances
- Instances can have problems connecting to other instances because of the invalid certificates, which can result in data loss
- Malicious attackers can use machines to act as legitimate machines and intercept your data and communications, particularly if those instances are on the internet and not behind a firewall
To prevent problems like these, you must renew the TLS certificates on your instances before they expire.
If you use the Splunk Assist service, the Certificate Assist component provides a list of all of the certificates that it knows about and when they are due to expire. Splunk platform instances whose certificates expire within a month trigger a Warning status and instances whose certificates expire within a week trigger a Critical status.
How to renew TLS certificates
The process of renewing a certificate is the same as creating a new one.
- Obtain a signed certificate from a third party certificate authority, or generate and sign your own.
- Install the certificate on each instance, replacing the old certificate.
- Configure and use the certificate.
- Restart the instance so that it recognizes the updated certificate.
The exact process you perform to renew depends on several factors:
- The type of certificate you used to secure your deployment initially.
- The topology of your Splunk platform deployment. File management infrastructure helps deliver updated certificates faster.
If you have previously configured certificates for your infrastructure, the process can be as simple as updating the expiring or expired certificate with the new certificate and restarting the Splunk platform instance to recognize the certificate. If the new certificates have updated X.509 common names or subject alternate names, you might need to include those updated names in your configurations.
Get help on renewing your TLS certificates
If you need help with renewing your certificates, see the following suggestions:
- The Splunk Support team can help if you have an entitlement with Splunk.
- For larger, more complex deployments, you can use the Professional Services group for assistance.
- If you don't have a Splunk entitlement, you can post a question on the Splunk Answers community.
- The Splunk community in Slack is a good place to receive help.
Test and troubleshoot TLS connections
Configure TLS certificate host name validation
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4
Feedback submitted, thanks!