Configure Splunk DB Connect to support requireClientCert=true

Follow the instructions below to allow DB Connect to provide a client certificate while communicating with Splunk components.

  1. Set requireClientCert=false in $SPLUNK_HOME/etc/system/local/server.conf
  2. Use cert.pem and privkey.pem from $SPLUNK_HOME/etc/auth/splunkweb, or generate a new Private Key and Certificate signed by the CA under $SPLUNK_HOME/etc/auth/ca.pem
  3. Copy cert.pem and privkey.pem to $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs. Note the naming convention: the certificate and private key are expected to be named cert.pem and privkey.pem.
  4. Open Splunk DB Connect and navigate to Configuration > Settings > Keystore. Click New Client Certificate, copy the content of cert.pem into the Certificate field and the content of privkey.pem (in PKCS8 format) into the Private Key field, then click Save.
  5. Verify privkey.pem is in PKCS8 format:

    A PKCS8 key has the header BEGIN PRIVATE KEY; a PKCS1 key has the header BEGIN RSA PRIVATE KEY.

  6. Convert privkey.pem to PKCS8 if needed:

    $SPLUNK_HOME/bin/splunk cmd openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in privkey.pem -out privkey-pkcs8.pem
  7. Set requireClientCert=true in $SPLUNK_HOME/etc/system/local/server.conf
  8. Restart Splunk.
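
Steps 5 and 6 as a pre-flight script, added here as an example and not part of the Splunk documentation: it classifies the key by its PEM header and runs the step 6 conversion only for a PKCS1 key. The function names and the reporting of the BEGIN ENCRYPTED PRIVATE KEY and BEGIN EC PRIVATE KEY headers are additions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the key pasted into the DB Connect keystore.

# Print the key format named by the first PEM private-key header in file $1.
pem_key_format() {
    [ -r "$1" ] || { echo missing; return 1; }
    # Strip CRs so keys saved with Windows line endings still match.
    header=$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN .*PRIVATE KEY-----$/{p;q;}')
    case "$header" in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN EC PRIVATE KEY-----')        echo sec1-ec ;;
        *)                                       echo unknown ;;
    esac
}

# Make sure an unencrypted PKCS8 key exists: leave a PKCS8 input alone,
# convert a PKCS1 input ($1) to $2 with the step 6 command, refuse the rest.
ensure_pkcs8() {
    in=$1 out=$2
    fmt=$(pem_key_format "$in") || true
    case "$fmt" in
        pkcs8)
            echo "$in is already PKCS8; paste it as-is"
            return 0 ;;
        pkcs1)
            # -nocrypt writes the key in the clear, so create it owner-only.
            ( umask 077
              "${SPLUNK_HOME:?SPLUNK_HOME is not set}/bin/splunk" cmd openssl pkcs8 \
                  -topk8 -inform PEM -outform PEM -nocrypt -in "$in" -out "$out"
            ) || return 1
            # Confirm the result carries the header DB Connect expects.
            [ "$(pem_key_format "$out")" = pkcs8 ] ;;
        *)
            echo "$in: format '$fmt' is not covered by steps 5 and 6" >&2
            return 1 ;;
    esac
}

# Usage: sh check_key.sh privkey.pem privkey-pkcs8.pem (script name is hypothetical)
[ "$#" -ne 2 ] || ensure_pkcs8 "$1" "$2"
```

Because the converted file is unencrypted, the subshell sets umask 077 before openssl creates it; remove any stray copies once the key has been pasted into the keystore.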