Splunk® Enterprise

Securing Splunk Enterprise

Renew existing TLS certificates

TLS certificates in a Splunk platform deployment secure your Splunk platform instances from potential outside attackers. Whether you generate your own certificates or obtain them from a third party, the certificates last for a certain period of time, typically 1 to 3 years, before they expire. Some certificates have shorter or longer validity periods.

What happens when a TLS certificate expires

When a TLS certificate expires, it isn't valid anymore. It no longer provides the security it did when it was in force. This can have various ramifications depending on how you set up Splunk platform deployment and the types of Splunk platform instances that make the secure connections:

  • Instances that use invalid certificates and the instances to which they connect log errors about the invalid certificates, increasing the size of log files on the instances
  • Instances can have problems connecting to other instances because of the invalid certificates, which can result in data loss or downtime
  • Malicious attackers can use machines to act as legitimate machines and intercept your data and communications, particularly if those instances are on the internet and not behind a firewall

To prevent problems like these, you must renew the TLS certificates on your instances before they expire. The exact process you perform to renew depends on several factors:

  • The type of certificate you used to secure your deployment initially.
  • The topology of your Splunk platform deployment. File management infrastructure helps deliver updated certificates faster.

If you have previously configured certificates for your infrastructure, the process can be as simple as updating the expiring or expired certificate with the new certificate and reloading the Splunk platform configuration to recognize the certificate. If the new certificates have updated X.509 common names or subject alternative names, you might need to include those updated names in your configurations.

If you use the Splunk Assist service to monitor your Splunk Enterprise deployment, the Certificate Assist component provides a list of all of the certificates that it knows about and when they are due to expire. Splunk platform instances whose certificates expire within a month trigger a Warning status and instances whose certificates expire within a week trigger a Critical status.

Splunk services and network listener ports can share certificates

Splunk platform instances can share services, service network listener ports, and certificates. Depending on the topology of your Splunk platform deployment, you might need to run more than one reload command that appears in the following table. If a certificate protects more than one service or network listener port, you must run the reload command for each service or port. If you use nonstandard listener ports, review your configuration files to see the certificates that protect each service, and run the reload command that applies to the service.

For more information on the network ports that Splunk platform components listen on, see Splunk components and their relationship with the network.

How to renew TLS certificates

The process of renewing a certificate is the same as creating a new one.

  1. Obtain new certificates.
    1. You can get a signed certificate from a third party. See How to obtain certificates from a third party for inter-Splunk communication.
    2. Or, you can generate and sign your own. See How to create and sign your own TLS certificates.
  2. Prepare the certificates for use on the Splunk platform. See How to prepare TLS certificates for use with the Splunk platform.
  3. Install the certificates on each instance, replacing the old certificates. Where you install the certificates depends on your existing certificate configuration. To replace existing certificates, the new certificates must have the same file names.
  4. (Optional) Configure the Splunk instance to use the certificates. You might need to change the configuration if certain elements of the certificates, such as their X.509 common names or subject alternative names have changed.
  5. Use a shell or command prompt to reload the configuration on the instance. See the table after this procedure to determine the command to use.

You can also restart the instance to enable the new certificate by entering the following command: ./splunk restart.

Service type Default network port Reload command
Splunkd management port (Indexers, search heads, forwarders, Splunk-to-Splunk) 8089 curl -u <username>:<password> -X POST https://<url of instance>:<port>/services/server/control/reload_ssl_config
Splunk Web 8000 curl -u <username>:<password> -X POST https://<url of instance>:<port>/services/server/control/restart_webui_proxy_only
Indexer Cluster 8080, 9887 curl -u <username>:<password> -X POST https://<url of instance>:<port>/services/cluster/config/_reload -d reload_replication_port=true
Search Head Cluster 8081, 8181, 9887 curl -u <username>:<password> -X POST https://<url of search head>:<port>/services/shcluster/config/_reload -d reload_replication_port=true
Forwarder (any type) 9997 curl -u <username>:<password> https://<url of forwarder>:<port>/services/data/outputs/tcp/default/_reload
App Key Value Store 8065, 8191 curl -u <username>:<password> https://<url of instance>:<port>/services/kvstore/control/restart
HTTP Event Collector 8088 curl -u <username>:<password> https://<url of instance>:<port>/services/data/inputs/http/ssl/_reload -d 'requireServerRestart=true'

In these examples, <username> and <password> are the credentials for the instance and <port> is the management port of the instance that you use.

By default, Windows does not include the curl web transfer tool. You can download the tool from the curl website.

Get help on renewing your TLS certificates

If you need help with renewing your certificates, see the following suggestions:

  • The Splunk Support team can help if you have an entitlement with Splunk.
  • For larger, more complex deployments, you can use the Professional Services group for assistance.
  • If you don't have a Splunk entitlement, you can post a question on the Splunk Answers community.
  • The Splunk community in Slack is a good place to receive guidance.
Last modified on 18 January, 2024
Test and troubleshoot TLS connections   Configure TLS certificate host name validation for secured connections between Splunk software components

This documentation applies to the following versions of Splunk® Enterprise: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters