These docs are for Cribl Edge 4.17 and are no longer actively maintained.
See the latest version (4.18).
Import Certificates and Keys
This topic explains how to import and manage TLS/SSL certificates and keys in Cribl Edge. Certificates you import here can be reused across multiple purposes, including:
- Secure TLS for API and UI Access
- Securing Leader-Edge Node Communication
- Secure Sources and Destinations with Certificates
Certificate Requirements
Cribl Edge expects certificates and keys to be formatted in privacy-enhanced mail (.pem) format.
You can use:
- Certificates from a public certificate authority (recommended for production; trusted by most clients by default).
- Certificates issued by your organization's internal PKI (requires adding the root and intermediate CA certificates to client trust stores).
- Self-signed certificates (for lab/test environments only; requires manual trust configuration).
Generate a Self-Signed Certificate (Optional)
For non-production or lab environments, you can generate a self-signed certificate and private key using OpenSSL:
```
openssl req -nodes -new -x509 -newkey rsa:2048 \
  -keyout myKey.pem \
  -out myCert.pem \
  -days 420
```
This command generates:
- myCert.pem: a self-signed certificate (valid for 420 days).
- myKey.pem: an unencrypted 2048-bit RSA private key.
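Before importing any certificate and key, self-signed or CA-issued, you can check locally that both files are PEM, that the private key corresponds to the certificate, and that the certificate is not close to expiry. The script below is an added example, not part of the Cribl documentation or product; the function name `preimport_check`, the `KEY_PASS` environment variable, the return codes, and the 30-day default threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Cribl code): local checks on a PEM certificate/key pair
# before pasting them into the Certificate and Private key fields.
# Usage: KEY_PASS='...' sh preimport_check.sh CERT KEY [MIN_DAYS]
# Return codes are this script's own convention:
#   0 ok, 2 cert not PEM, 3 key not PEM, 4 key/cert mismatch, 5 expires too soon

preimport_check() {
  pc_cert=$1; pc_key=$2; pc_days=${3:-30}

  # PEM is required: look for the armor lines instead of trusting the extension.
  grep -q -e '-----BEGIN CERTIFICATE-----' "$pc_cert" ||
    { echo "FAIL: $pc_cert has no PEM certificate block"; return 2; }
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pc_key" ||
    { echo "FAIL: $pc_key has no PEM private key block"; return 3; }

  # An encrypted key means the Passphrase field must be filled in on import.
  if grep -q 'ENCRYPTED' "$pc_key"; then
    echo "NOTE: private key is encrypted; import needs its passphrase"
  fi

  # The key corresponds to the certificate when both yield the same public key.
  # The passphrase is read from the environment (KEY_PASS is an assumed name)
  # so it does not appear in the process list.
  pc_cert_pub=$(openssl x509 -in "$pc_cert" -noout -pubkey 2>/dev/null)
  pc_key_pub=$(KEY_PASS=${KEY_PASS:-} openssl pkey -in "$pc_key" \
    -passin env:KEY_PASS -pubout 2>/dev/null)
  if [ -z "$pc_cert_pub" ] || [ "$pc_cert_pub" != "$pc_key_pub" ]; then
    echo "FAIL: private key does not match certificate (or wrong passphrase)"
    return 4
  fi

  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$pc_cert" -noout -checkend $((pc_days * 86400)) >/dev/null ||
    { echo "FAIL: certificate expires within $pc_days days"; return 5; }

  echo "OK: $(openssl x509 -in "$pc_cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Run the check only when file arguments are supplied.
if [ "$#" -ge 2 ]; then preimport_check "$@"; fi
```

For the files generated above, `sh preimport_check.sh myCert.pem myKey.pem` reports OK; a mismatched key or a certificate inside the expiry window produces a FAIL line and a non-zero exit status.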
Import a Certificate
On the Leader
- Navigate to Settings > Global > Security > Certificates.
- Select Add Certificate.
- Enter a descriptive Name (for example, leader-ui-tls or worker-tls).
- In the Certificate field, do one of the following:
  - Drag and drop your .pem certificate file into the field.
  - Click the upload button to browse for the file.
  - Open the certificate file, copy its contents, and paste them into the field.
- In the Private key field, upload or paste the corresponding private key in PEM format.
- (Optional) If your private key is encrypted, enter the Passphrase.
- (Optional) If you’re using a certificate signed by an external certificate authority (for example, a downloaded Splunk Cloud certificate), upload or paste the CA certificate chain into the CA certificate field. For details, see Obtain the Certificate Chain (TLS/SSL).
- (Optional) Add a Description to help identify the certificate’s purpose.
- Select Save.
On a Fleet
For distributed deployments, you can also import certificates at the Fleet level:
- In the sidebar, select Fleets, then select the Fleet you want to configure.
- Select Fleet Settings.
- Navigate to Security > Certificates.
- Select Add Certificate.
- Follow the same steps as above to upload your certificate and private key.
- Select Save.
- Commit and Deploy the Fleet’s new configuration.
Manage Existing Certificates
To view and manage certificates you’ve already imported:
- Navigate to Settings > Global > Security > Certificates (Leader) or Fleet Settings > Security > Certificates (Fleet level).
- Select a certificate name to view or edit its details.
- To delete a certificate, click the delete icon next to the certificate entry.
Before deleting a certificate, verify it’s not in use by any TLS configuration (Leader UI/API, Leader-Edge Node communications, Sources, or Destinations).
Using Imported Certificates
After importing a certificate, you can reference it by name in various TLS configurations:
| Purpose | Where to Configure |
|---|---|
| Leader UI/API | Settings > Global > General Settings > API Server Settings > TLS > Certificate name |
| Leader-Edge Node Communications | Settings > Global > System > Distributed Settings > TLS Settings > Certificate name |
| Edge Node TLS | Edge Node Settings > System > Distributed Settings > TLS Settings > Certificate name |
| Sources/Destinations | Individual Source or Destination TLS settings |
For step-by-step instructions on enabling TLS for specific use cases, see: