The most straightforward and lowest-risk encryption to configure and enable in the Splunk environment is standard HTTPS (TLS) encryption to the Splunk Web GUI. I say that this is the lowest risk because any failure in implementation results only in a certificate error or a web page not loading, not in an interruption to traffic forwarding or core management functionality.
Note: We will not cover obtaining a 3rd party Certificate Authority (CA) signed certificate. Numerous posts on the subject exist online and specifically on the various CA websites as well as the Splunk Docs site.
Note: HTTPS encryption of traffic inbound to the Splunk UI may also be accomplished via a front end load balancer. This is a recommended configuration for nodes in a search head cluster. Load balancer configuration/integration with Splunk is beyond the scope of this article.
To configure a Splunk instance to use TLS encryption at the search head, perform the following steps:
1) Upload the public key, private key, and intermediate certificate to Splunk.
Splunk Docs recommends the location used below ($SPLUNK_HOME/etc/auth/mycerts/) as an example. I will use the same location, although the folder name can be changed as desired.
Modify "mycerts" to instead reference a short unique identifier for your organization.
Splunk, by default, uses cert.pem and privkey.pem as the file names for the public and private keys. I will use the same here, although there is no requirement to do so.
Note that although not required, providing the intermediate certificate (excluding the root CA cert) is a best practice. The intermediate certificates are provided as a bundle from the CA and should be appended to the public key in the following order:
-----BEGIN CERTIFICATE-----
# Your public key here #
MIIFqjCCBJKgAwIBAgIQT0eb7D7qe0Fv+IPt8WRkPTANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
...truncated...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
# Your lowest level intermediate here #
MIIFqjCCBJKgAwIBAgIQT0eb7D7qe0Fv+IPt8WRkPTANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
...truncated...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
# highest level (closest to root CA cert) here #
MIIFqjCCBJKgAwIBAgIQT0eb7D7qe0Fv+IPt8WRkPTANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
...truncated...
-----END CERTIFICATE-----
For reference, the private key looks like this:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmPQfkbtXcvaxI
...truncated...
-----END PRIVATE KEY-----
When the certs have been uploaded, we should see the following in place:
[splunk@lab01 ~]# ll $SPLUNK_HOME/etc/auth/mycerts/
total 8
-rw-r--r-- 1 splunk splunk 1704 Apr 23 20:18 privkey.pem
-rw-r--r-- 1 splunk splunk 2025 Apr 23 20:29 cert.pem
2) Add the following attributes to your web.conf file:
vi $SPLUNK_HOME/etc/system/local/web.conf

[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/privkey.pem
serverCert = /opt/splunk/etc/auth/mycerts/cert.pem
httpport = 8000
3) Finally, restart splunkd:
systemctl restart Splunkd
or via initd:
4) In the event of an issue after the splunkd restart (web service does not start, etc.), check the following:
netstat -an | grep 8000    # insert your expected web port here
tail -f $SPLUNK_HOME/var/log/splunk/web_services.log
openssl s_client -connect my.hostname.com:8088
The first command tells us whether Splunk got as far as listening on the web port at all. web_services.log provides a more conclusive view into the nature of the error and will call out if a certificate file could not be found or read. OpenSSL simulates a connection to the HEC port and validates the SSL handshake and configuration.
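As an added example (not from this post and not a Splunk tool), the following POSIX sh helper checks the staged cert.pem and privkey.pem before the restart in step 3: the chain order required in step 1, that the private key belongs to the leaf certificate, and that the key file is not readable by other accounts. All function names and the certificate set used to exercise it are constructed assumptions.

```shell
# Constructed pre-restart sanity check for the certificate material staged in
# $SPLUNK_HOME/etc/auth/mycerts (hypothetical helper, not a Splunk tool).
# Needs only POSIX sh, awk, grep, sed, stat and the openssl CLI.

# Print one field (subject or issuer) of the Nth (0-based) cert in a PEM bundle.
cert_field() {   # $1=bundle  $2=index  $3=subject|issuer
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n + 1' "$1" \
        | openssl x509 -noout "-$3" 2>/dev/null | sed 's/^[a-z]*= *//'
}

# 0 when cert.pem is ordered leaf first, then intermediates, each certificate
# issued by the one that follows it (the append order described in step 1).
check_chain_order() {   # $1=cert.pem
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1"); i=0
    while [ "$i" -lt $((n - 1)) ]; do
        issuer=$(cert_field "$1" "$i" issuer)
        subject=$(cert_field "$1" $((i + 1)) subject)
        if [ "$issuer" != "$subject" ]; then
            echo "cert #$i is issued by '$issuer' but cert #$((i + 1)) is '$subject'" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# 0 when privkey.pem belongs to the first (leaf) certificate in cert.pem: the
# public key derived from either side must be identical.
check_key_matches() {   # $1=cert.pem  $2=privkey.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the key is readable by its owner only. The 0644 in the listing above
# lets every local account read the key; chmod 600 it before the restart.
check_key_perms() {   # $1=privkey.pem
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        ?00) return 0 ;;
        *) echo "$1 has mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
}

# Run all three checks against the certs directory; the first failure stops it.
check_splunk_web_certs() {   # $1=directory holding cert.pem and privkey.pem
    check_chain_order "$1/cert.pem" \
        && check_key_matches "$1/cert.pem" "$1/privkey.pem" \
        && check_key_perms "$1/privkey.pem"
}
```

After the restart, point openssl s_client at the httpport configured in web.conf (8000 here) to test the web listener's handshake; 8088 is the HEC port, not Splunk Web.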
(1) Splunk Docs: Secure Splunk Web Using a Signed Certificate
(2) Splunk Docs: Get Third Party Certificates for Splunk Web