topic Re: How to deploy self-signed certs to deployment clients using the deployment server in Security

How to deploy self-signed certs to deployment clients using the deployment server

dflodstrom — Tue, 29 Sep 2020 12:01:11 GMT

How do I push my self-signed certs to universal forwarders using the deployment server. The docs say:

Define the following stanzas in $SPLUNK_HOME/etc/system/local/outputs.conf (or in the appropriate directory of any app you are using to distribute your forwarding configuration) :

Do I need to push a script that moves the certs to a local folder? Can I just distribute an app with outputs.conf that point to $SPLUNK_HOME/etc/apps/my_ssl_app/auth/ for the certificates?

Re: How to deploy self-signed certs to deployment clients using the deployment server

lguinn2 — Sat, 03 Dec 2016 01:52:01 GMT

If you push the certs via a deployment app, then you must have a script that moves the certs to the appropriate directory. I think this is sort of kludgy but I think it can be done. I personally have never done this.

Remember that scripted inputs are inputs, but there is really no restriction on what the scripts can do. So you will have to create an input to invoke the script. And the script will have to be smart enough to only copy the certs once - and to trigger a restart afterwards.

I do not believe that you can leave the certs in the app directory.

Re: How to deploy self-signed certs to deployment clients using the deployment server

dflodstrom — Mon, 05 Dec 2016 18:38:00 GMT

Thanks for the reply. I was afraid this was the case.

Re: How to deploy self-signed certs to deployment clients using the deployment server

jonathan_cooper — Mon, 05 Dec 2016 19:43:35 GMT

Totally doable from a deployment app, and you are able to set the path to the cert files in that deployment app as well, so you won't have to move the certs anywhere (via updated server.conf). I have done this at a few customer sites and it works well.

One thing to keep in mind is to ensure that the "sslVerifyServerCert" in deploymentclient.conf is set to false so that new UF's coming online can still contact the DS and get their new certs/apps. Another parameter to keep in mind is "requireClientCert" in server.conf. Default is set to false, but if set to true brand new UF's would need the certs and server.conf before hand in order to work.

You can always hit me up on email if you need more info, but totally doable.

Re: How to deploy self-signed certs to deployment clients using the deployment server

dflodstrom — Mon, 05 Dec 2016 20:04:49 GMT

Ok this makes a lot more sense. I'll work this out and let you know if I run into any issues.

Re: How to deploy self-signed certs to deployment clients using the deployment server

marklaw2 — Tue, 12 Feb 2019 15:19:26 GMT

Jonathan - if you have a few moments I'd like the specifics and how-tos for this - facing similar problem with 5000+ UFs.

Re: How to deploy self-signed certs to deployment clients using the deployment server

adobrzeniecki — Tue, 16 Feb 2021 14:45:05 GMT

I have a customer that has four different outputs apps being sent from the DS to different types of UFs. We are thinking of putting each of the SSL certs in these different apps and pushing them to the designated forwarders. Question for you, as long as I put the correct path in clientCert, this will work properly correct? So for example:

/opt/splunk/etc/apps/myexternalapp/local/outputs.conf
clientCert = $SPLUNK_HOME/etc/apps/myexternalapp/local/splunk-forwarder.pem
sslPassword = shabadooo
sslVerifyServerCert = true
sslVersions = tls

Re: How to deploy self-signed certs to deployment clients using the deployment server

adobrzeniecki — Tue, 16 Feb 2021 14:45:54 GMT

Also the cert will be in the local directory of that app.