https://community.splunk.com/t5/Security/Encrypting-traffic-between-universal-forwarder-and-indexer/m-p/676457#M17595 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/56891">@snix</a>,</P><P>have you read this:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL</A>&nbsp;?</P><P>Ciao.</P><P>Giuseppe</P> Sat, 03 Feb 2024 06:41:42 GMT gcusello 2024-02-03T06:41:42Z https://community.splunk.com/t5/Security/Encrypting-traffic-between-universal-forwarder-and-indexer/m-p/676433#M17594 <P>I would like to start encrypting traffic between the universal forwarder on my Windows devices and my single Splunk 9.x indexer that is on a Windows server. For the moment I am only concerned with getting SSL going on the indexer. I see you can also setup a certificate on the clients for authentication to the server but I want to take it one step at a time.&nbsp;</P><P>I have a GoDaddy cert I would like to use with the indexer and I have looked over much of the documentation on Splunk's site on all the ways you can make this configuration work but it left me confused. I can't find any mention to what to do about the public key. I see where the documentation references the server certificate and even the sslPassword in the input.conf file but no reference where to to put the key location.</P><P>Is it just assumed you combine the server cert + the private key into a single pem file and if so is the order just server cert first then private key?<BR /><BR />Example:</P><P>&nbsp;</P><LI-CODE lang="markup">-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----</LI-CODE><P>&nbsp;</P> Fri, 02 Feb 2024 20:52:18 GMT https://community.splunk.com/t5/Security/Encrypting-traffic-between-universal-forwarder-and-indexer/m-p/676433#M17594 snix 2024-02-02T20:52:18Z https://community.splunk.com/t5/Security/Encrypting-traffic-between-universal-forwarder-and-indexer/m-p/676457#M17595 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/56891">@snix</a>,</P><P>have you read this:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL</A>&nbsp;?</P><P>Ciao.</P><P>Giuseppe</P> Sat, 03 Feb 2024 06:41:42 GMT https://community.splunk.com/t5/Security/Encrypting-traffic-between-universal-forwarder-and-indexer/m-p/676457#M17595 gcusello 2024-02-03T06:41:42Z https://community.splunk.com/t5/Security/Encrypting-traffic-between-universal-forwarder-and-indexer/m-p/676498#M17596 <P>The proper order for the pem file is</P><OL><LI>Subject's certificate</LI><LI>Subject's private key</LI><LI>Issuing CA certificate chain (unless you explicitly trust the issuer of the subject's certificate).</LI></OL><P>The location of the file is tricky because the settings can be either inherited from the default server-wide settings which you set up in server.conf - <A href="https://docs.splunk.com/Documentation/Splunk/latest/admin/serverconf#SSL.2FTLS_Configuration_details" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/admin/serverconf#SSL.2FTLS_Configuration_details</A> or can be overriden at the specific input level.</P><P>As a side note - certificates for web interface are configured differently.</P> Sun, 04 Feb 2024 13:12:39 GMT https://community.splunk.com/t5/Security/Encrypting-traffic-between-universal-forwarder-and-indexer/m-p/676498#M17596 PickleRick 2024-02-04T13:12:39Z