Import Certificates and Keys
This topic explains how to import and manage TLS/SSL certificates and keys in Cribl Edge. Certificates you import here can be reused across multiple purposes, including:
- Secure TLS for API and UI Access
- Securing Leader-Edge Node Communication
- Secure Sources and Destinations with Certificates
Certificate Requirements
Cribl Edge expects certificates and keys to be formatted in privacy-enhanced mail (.pem) format.
You can use:
- Certificates from a public certificate authority (recommended for production; trusted by most clients by default).
- Certificates issued by your organization's internal PKI (requires adding the root and intermediate CA certificates to client trust stores).
- Self-signed certificates (for lab/test environments only; requires manual trust configuration).
Generate a Self-Signed Certificate (Optional)
For non-production or lab environments, you can generate a self-signed certificate and private key using OpenSSL:
```
openssl req -nodes -new -x509 -newkey rsa:2048 \
  -keyout myKey.pem \
  -out myCert.pem \
  -days 420
```
This command generates:
- `myCert.pem`: a self-signed certificate (valid for 420 days).
- `myKey.pem`: an unencrypted 2048-bit RSA private key.
Import a Certificate
On the Leader
- Navigate to Settings > Globals > Security > Certificates.
- Select Add Certificate.
- Enter a descriptive Name (for example, `leader-ui-tls` or `worker-tls`).
- In the Certificate field, do one of the following:
  - Drag and drop your `.pem` certificate file into the field.
  - Click the upload button to browse for the file.
  - Open the certificate file, copy its contents, and paste them into the field.
- In the Private key field, upload or paste the corresponding private key in PEM format.
- (Optional) If your private key is encrypted, enter the Passphrase.
- (Optional) If you’re using a certificate signed by an external certificate authority (for example, a downloaded Splunk Cloud certificate), upload or paste the CA certificate chain into the CA certificate field. For details, see Obtain the Certificate Chain (TLS/SSL).
- (Optional) Add a Description to help identify the certificate’s purpose.
- Select Save.
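Before filling in the Certificate, Private key, and Passphrase fields, you can confirm locally that the files are PEM, that the key belongs to the certificate, and whether a passphrase is needed. The following script is an added example, not part of Cribl's documentation; the function names and the 30-day expiry threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-import checks for a PEM certificate and private key (added example).
# Usage: sh precheck.sh myCert.pem myKey.pem [passphrase]

# The private key needs the Passphrase field if it is stored encrypted
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or the traditional Proc-Type header).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# The key belongs to the certificate when both yield the same public key.
cert_matches_key() {  # cert key [passphrase]
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Prints one verdict line; the exit status tells the cases apart.
check_pair() {  # cert key [passphrase]
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$1" ||
       ! openssl x509 -in "$1" -noout 2>/dev/null; then
        echo "certificate is not a PEM-encoded X.509 certificate"; return 1
    fi
    if key_is_encrypted "$2" && [ -z "${3:-}" ]; then
        echo "private key is encrypted: a passphrase is required"; return 2
    fi
    if ! cert_matches_key "$1" "$2" "${3:-}"; then
        echo "private key is unreadable or does not match the certificate"; return 3
    fi
    # -checkend N fails when the certificate expires within N seconds.
    if ! openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null; then
        echo "certificate expires within 30 days"; return 4
    fi
    echo "ok: $(openssl x509 -in "$1" -noout -subject -enddate | tr '\n' ' ')"
}

if [ "$#" -ge 2 ]; then check_pair "$@"; fi
```

Exit status 0 means the pair is ready to import; 1 through 4 identify the first check that failed.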
On a Fleet
For distributed deployments, you can also import certificates at the Fleet level:
- In the sidebar, select Fleets, then select the Fleet you want to configure.
- Select Fleet Settings.
- Navigate to Security > Certificates.
- Select Add Certificate.
- Follow the same steps as above to upload your certificate and private key.
- Select Save.
- Commit and Deploy the Fleet’s new configuration.
Manage Existing Certificates
To view and manage certificates you’ve already imported:
- Navigate to Settings > Globals > Security > Certificates (Leader) or Fleet Settings > Security > Certificates (Fleet level).
- Select a certificate name to view or edit its details.
- To delete a certificate, click the delete icon next to the certificate entry.
Before deleting a certificate, verify it’s not in use by any TLS configuration (Leader UI/API, Leader-Edge Node communications, Sources, or Destinations).
Using Imported Certificates
After importing a certificate, you can reference it by name in various TLS configurations:
| Purpose | Where to Configure |
|---|---|
| Leader UI/API | Settings > Global > General Settings > API Server Settings > TLS > Certificate name |
| Leader-Edge Node Communications | Settings > Global > System > Distributed Settings > TLS Settings > Certificate name |
| Edge Node TLS | Edge Node Settings > System > Distributed Settings > TLS Settings > Certificate name |
| Sources/Destinations | Individual Source or Destination TLS settings |
For step-by-step instructions on enabling TLS for specific use cases, see: