I had the same issue and couldn't fix it by following the guidelines above and updating the binaries in: $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools

I fixed it this way:

1. I saw that the new SIC certificate was PULLED SUCCESSFULLY from the CheckPoint server regardless of the error message "External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request..." The certificate was available in "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/certs"

2. I manually edited the opseclea_connection.conf in "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local" and added the new certificate under the problematic connection stanza:

    [connection_stanza_name]
    cert_name = connection_1234567890.p12 <-- Put the name of the new certificate here
    fw_version = R80
    lea_app_name = Splunk_Server_LEA
    lea_server_auth_port = 18184
    lea_server_auth_type = sslca
    lea_server_ip = 10.10.10.10
    lea_server_type = primary
    management_server_ip = 10.10.10.11
    opsec_entity_sic_name = CN=***,O=***
    opsec_sic_name = CN=Splunk_Server_LEA,O=***
    disabled = 0

No need to restart splunkd! The connection started working right away. No error messages anymore. I hope it helps colleagues who had the same issue.
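Added example (not part of the original post and not code from the add-on): a Python check that reports enabled connection stanzas whose cert_name is unset or missing from certs/, and pulled .p12 files that no stanza references. It assumes the directory layout and the cert_name / disabled keys shown in the post; the function names and sample values are constructed.

```python
import configparser
from pathlib import Path

def audit_cert_refs(conf_text, cert_files):
    """Return (missing, unreferenced) for one opseclea_connection.conf.

    missing:      {stanza: cert_name} for enabled stanzas whose cert_name is
                  empty or not present in cert_files
    unreferenced: sorted .p12 names in cert_files that no stanza uses
    """
    # Split on the first "=" only, so values such as CN=...,O=... stay intact.
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.read_string(conf_text)
    missing, referenced = {}, set()
    for stanza in parser.sections():
        cert = parser.get(stanza, "cert_name", fallback="").strip()
        if cert:
            referenced.add(cert)
        # Assumption: "1" or "true" marks a stanza as disabled.
        disabled = parser.get(stanza, "disabled", fallback="0").strip().lower()
        if disabled in ("1", "true"):
            continue
        if cert not in cert_files:
            missing[stanza] = cert
    unreferenced = sorted(f for f in cert_files
                          if f.endswith(".p12") and f not in referenced)
    return missing, unreferenced

def audit_app(app_dir):
    """Run the audit against the add-on directory on disk."""
    app = Path(app_dir)
    conf = (app / "local" / "opseclea_connection.conf").read_text()
    certs = {p.name for p in (app / "certs").iterdir() if p.is_file()}
    return audit_cert_refs(conf, certs)

# Constructed sample: the certificate was pulled into certs/ but the enabled
# stanza has no cert_name pointing at it.
SAMPLE_CONF = """
[connection_stanza_name]
lea_server_auth_type = sslca
opsec_sic_name = CN=Splunk_Server_LEA,O=***
disabled = 0

[old_connection]
cert_name = connection_0000000002.p12
disabled = 1
"""
SAMPLE_CERTS = {"connection_1234567890.p12", "connection_0000000002.p12"}

if __name__ == "__main__":
    print(audit_cert_refs(SAMPLE_CONF, SAMPLE_CERTS))
```

On a real host, call audit_app() with the path to $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea.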