Set up an SSL test

SSL tests are designed to monitor SSL/TLS certificates for expiration, issuer validation, and protocol compliance to ensure secure connections. This page shows you how to create and manage SSL tests in Splunk Cloud Observability.

Upload a Certified Authority (CA) certificate (Optional)

If you would like to validate certificates issued by your private or internal CA certificate (untrusted), you need to upload your CA certificate as a PEM file and reference it from your SSL test. Your uploaded CA certificate, which is your issuer certificate, will be added into the trusted issuers or roots list.

For information on different certificate types, see SSL tests for different certificate types. If you need to upload your PEM file for an SSL test, see use a global variable for Certified Authority (CA) certificates.

Create an SSL test

To test certificates issued by publicly trusted CA and not self-signed, select the Simple test for publicly trusted certificates tab below for instructions. If you need to test self-signed or CAs that are not publicly trusted, select the Advanced test with custom trust settings tab instead.

As you build your test, you can use Try now to check that the configuration of your test is valid. Try now results are ephemeral and don't impact persisted run metrics. See Validate your test configuration with try now.

Simple test for publicly trusted certificates

  1. From the landing page of Splunk Observability Cloud, navigate to Digital Experience > Synthetic tests.

  2. From Synthetic tests, select Create new test > SSL test. The test creation view opens.

  3. Select the Simple tab.

  4. Enter SSL-specific details for your test:

    • Name

    • Hostname

    • Port

  5. (Optional) From Custom properties, you can add key-value pairs for filtering and grouping dashboards, charts, and creating alerts. For example: region:us1

  6. For Validation, select Add validation and choose one of these validation methods. See SSL test validations to better understand the validation methods.

    • Expiration in days

    • TLS version

    • Issuer name (CA name)

    • Algorithm

    • Is self signed

    • Is trusted

    • Is revoked

  7. Select the type of comparison (numeric or string) and enter a value for the validation. Here are some examples:

    • Check if the certificate expiration is more than 30 days: Numeric comparison > is greater than and then set the value to 30.

    • Confirm the TLS version is 1.2: Select Numeric comparison > equals and the set the value to 1.2.

  8. Add as many validations as needed following steps 4 and 5.

  9. For Details, select values for the following:

    • Locations

    • Frequency

  10. (Optional) Toggle the following options on:

    • Round-robin - enables the test to cycle through locations one at a time for your selected frequency.

    • Auto-retry - automatically reruns a test if it initially fails.

    • Active - sets the test to an active state once it is created.

  11. (Optional) Select Create detector to create a CA certificate-level detector.

  12. After you have validated your test configuration with Try now, select Create to create the SSL test.
Advanced test with custom trust settings

  1. From the landing page of Splunk Observability Cloud, navigate to Digital Experience > Synthetic tests.

  2. From Synthetic tests, select Create new test > SSL test. The test creation view opens.

  3. Select the Advanced tab.

  4. Enter SSL-specific details for your test:

    • Name

    • Hostname

    • Port

  5. (Optional) From Custom properties, you can add key-value pairs for filtering and grouping dashboards, charts, and creating alerts. For example: region:us1

  6. For Validation, select Add validation and choose one of these validation methods. See SSL test validations to better understand the validation methods.

    • Expiration in days

    • TLS version

    • Issuer name (CA name)

    • Algorithm

    • Is self signed

    • Is trusted

    • Is revoked

  7. Select the type of comparison (numeric or string) and enter a value the validation. Here are some examples:

    • Check if the certificate expiration is more than 30 days: Numeric comparison > is greater than and then set the value to 30.

    • Confirm the TLS version is 1.2: Select Numeric comparison > equals and the set the value to 1.2.

  8. Add as many validations as need following steps 4 and 5.

  9. For Details, select values for the following:

    • Locations

    • Frequency

  10. (Optional) Toggle the following options on:

    • Round-robin - enables the test to cycle through locations one at a time for your selected frequency.

    • Auto-retry - automatically reruns a test if it initially fails.

    • Active - sets the test to an active state once it is created.

  11. (Optional) Under Advanced configuration, enter a server name for your reference.
  12. For Certificate configuration:

    1. Toggle Ignore self-signed certificate on if your self-signed certificate does not have a CA root so that your test will pass. SSL tests will fail if your eslf-signed certificate does not have a CA root and you have toggled this setting to on.

    2. Select a certificate authority from the dropdown.

      Note: You will need to have uploaded a certification to Splunk Synthetics for this step.
  13. After you have validated your test configuration with Try now, select Create to create the SSL test.

Manage SSL tests

  1. Navigate to Digital Experience > Synthetic tests.

  2. Next to the SSL test that you want to edit, select Action icon > Edit.

  3. If you want to delete the API test, select Action icon > Delete.

  4. Edit the configurations for the SSL tests as needed.

  5. In addition to editing configurations, you can perform these other actions:

    • Pause a test

    • Run a test

    • Create Detector

    • Copy a test

    • View test info

  6. Select Save.

Auto-retry

Run a test again automatically if it fails without any user intervention. It’s a best practice to turn on auto-retry to reduce unnecessary failures from temporary interruptions like a network issue, timeouts, or other issues. Auto-retry runs do not impact subscription usage, only the completed run result counts towards your subscription usage. Auto-retry requires at least runner version 0.9.29.

Custom properties

Add custom properties in the test creation page in advanced settings. Use key-value pairs to create custom properties to filter and group dashboards, charts, and create alerts. A list of suggested custom properties is available for each test based on the tags associated with your test. For example: env:test, role:developer, product:rum. When you have multiple key-value pairs, the logic is AND among the results. So in this case, the results show all tests for the RUM product with a developer role in the environment test.

Screenshot of 2 custom property key value pairs, env:prod and role:developer.

Custom properties are single-valued and don’t support multiple values, like region:eu, us. For each test, a key can only be used once. For example, you can have env1:test and role:developer, but you cannot have env:test and env:prod in the same test.

Key requirements:

  • Keys must start with an uppercase or lowercase letter. Keys can’t start with special characters or numbers.

  • The remainder of the key can contain letters, numbers, underscores and hyphens.

  • Keys can’t be named test_id or test.

  • Key size can’t exceed 128 characters.

See Custom properties.

Create a detector

You can create detectors based on metrics relevant to SSL tests in the same way you would create other detectors for Splunk Synthetic Monitoring tests. The most important metric for a detector for SSL tests is Days until Expiration, which checks for the expiration of a CA certificate. See the section "Set up a detector for Splunk Synthetic Monitoring tests" on Detectors and alerts.