These docs are for Cribl Stream 4.17 and are no longer actively maintained.
Import Certificates and Keys
This topic explains how to import and manage TLS/SSL certificates and keys in Cribl Stream. Certificates you import here can be reused across multiple purposes, including:
- Secure TLS for API and UI Access
- Securing Leader-Worker Node Communication
- Secure Sources and Destinations with Certificates
Certificate Requirements
Cribl Stream expects certificates and keys to be formatted in privacy-enhanced mail (.pem) format.
You can use:
- Certificates from a public certificate authority (recommended for production; trusted by most clients by default).
- Certificates issued by your organization's internal PKI (requires adding the root and intermediate CA certificates to client trust stores).
- Self-signed certificates (for lab/test environments only; requires manual trust configuration).
Generate a Self-Signed Certificate (Optional)
For non-production or lab environments, you can generate a self-signed certificate and private key using OpenSSL:
```bash
openssl req -nodes -new -x509 -newkey rsa:2048 \
  -keyout myKey.pem \
  -out myCert.pem \
  -days 420
```
This command generates:
- myCert.pem: a self-signed certificate (valid for 420 days).
- myKey.pem: an unencrypted 2048-bit RSA private key.
Import a Certificate
On the Leader
- Navigate to Settings > Global > Security > Certificates.
- Select Add Certificate.
- Enter a descriptive Name (for example, leader-ui-tls or worker-tls).
- In the Certificate field, do one of the following:
  - Drag and drop your .pem certificate file into the field.
  - Click the upload button to browse for the file.
  - Open the certificate file, copy its contents, and paste them into the field.
- In the Private key field, upload or paste the corresponding private key in PEM format.
- (Optional) If your private key is encrypted, enter the Passphrase.
- (Optional) If you’re using a certificate signed by an external certificate authority (for example, a downloaded Splunk Cloud certificate), upload or paste the CA certificate chain into the CA certificate field. For details, see Obtain the Certificate Chain (TLS/SSL).
- (Optional) Add a Description to help identify the certificate’s purpose.
- Select Save.
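Before filling in the Certificate, Private key and Passphrase fields, it helps to confirm that both files are valid PEM, that the key belongs to the certificate, and that the certificate is not about to expire. The script below is an added example, not part of the Cribl documentation; `check_pair`, the file names and the `KEY_PASS` environment variable are assumptions for illustration.

```bash
#!/bin/sh
# Added example: pre-import checks for a PEM certificate and private key.
# check_pair, the file names and KEY_PASS are assumptions, not Cribl settings.

# SHA-256 of the DER-encoded public key inside a certificate.
cert_pub_hash() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key. The passphrase is
# read from the KEY_PASS environment variable, not from the command line.
key_pub_hash() {
  KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$1" -passin env:KEY_PASS \
    -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair CERT KEY [MIN_DAYS]: returns 0 only if every check passes.
check_pair() {
  cert=$1 key=$2 min_days=${3:-30}
  openssl x509 -in "$cert" -noout 2>/dev/null ||
    { echo "FAIL: $cert is not a PEM X.509 certificate"; return 1; }
  KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$key" -passin env:KEY_PASS \
    -noout 2>/dev/null ||
    { echo "FAIL: $key unreadable (not PEM, or wrong or missing passphrase)"; return 1; }
  [ "$(cert_pub_hash "$cert")" = "$(key_pub_hash "$key")" ] ||
    { echo "FAIL: private key does not match the certificate"; return 1; }
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "FAIL: certificate expires within $min_days days"; return 1; }
  if grep -Eq 'BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED' "$key"; then
    echo "NOTE: key is encrypted; enter its passphrase in the Passphrase field"
  else
    echo "NOTE: key is unencrypted; keep the file readable by its owner only"
  fi
  echo "OK: $cert and $key are a valid pair"
}

# Usage: KEY_PASS='...' sh check_pair.sh myCert.pem myKey.pem 30
if [ "$#" -ge 2 ]; then check_pair "$@"; fi
```

The third argument is the minimum number of days of validity to require; it defaults to 30.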
On a Worker Group
For distributed deployments, you can also import certificates at the Worker Group level:
- In the sidebar, select Worker Groups, then select the Worker Group you want to configure.
- Select Worker Group Settings.
- Navigate to Security > Certificates.
- Select Add Certificate.
- Follow the same steps as above to upload your certificate and private key.
- Select Save.
- Commit and Deploy the Worker Group’s new configuration.
Manage Existing Certificates
To view and manage certificates you’ve already imported:
- Navigate to Settings > Global > Security > Certificates (Leader) or Worker Group Settings > Security > Certificates (Worker Group level).
- Select a certificate name to view or edit its details.
- To delete a certificate, click the delete icon next to the certificate entry.
Before deleting a certificate, verify it’s not in use by any TLS configuration (Leader UI/API, Leader-Worker Node communications, Sources, or Destinations).
Using Imported Certificates
After importing a certificate, you can reference it by name in various TLS configurations:
| Purpose | Where to Configure |
|---|---|
| Leader UI/API | Settings > Global > General Settings > API Server Settings > TLS > Certificate name |
| Leader-Worker Node Communications | Settings > Global > System > Distributed Settings > TLS Settings > Certificate name |
| Worker Node TLS | Worker Node Settings > System > Distributed Settings > TLS Settings > Certificate name |
| Sources/Destinations | Individual Source or Destination TLS settings |
For step-by-step instructions on enabling TLS for specific use cases, see: