The server certificate (server.pem) provided by Splunk by default is created when the Splunk service is started for the first time after installing Splunk.

The expiration date of this server certificate will be 3 years after the date of first activation. If the expiration date is approaching, you can renew the server certificate by following the steps below.

Server.pem update procedure

• Temporarily save the current server.pem under the $SPLUNK_HOME/etc/auth folder from a directory outside $SPLUNK_HOME.

*$SPLUNK_HOME is the installation directory. By default, it is as follows:

Linux :
Splunk Enterprise : /opt/splunk
Universal Forwarder : /opt/splunkforwarder
Windows :
Splunk Enterprise : C:\Program Files\Splunk
Universal Forwarder : C:\Program Files\SplunkUniversalForwarder

• Restart the Splunk service.

Command example:

$SPLUNK_HOME/bin/splunk restart

• After rebooting, make sure a new server.pem is created in $SPLUNK_HOME/etc/auth.

*You can check the expiration date of the newly created server.pem by executing the following command in $SPLUNK_HOME/etc/auth.

openssl x509 -enddate -noout -in server.pem