https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76208#M2548 <P>can someone please update clearly about this - <BR /> can I have two SSL certificates deployed on a single indexer? if yes, on same port or different ports?</P> <P>the issue is - during Certificates renewal, <BR /> we would like to follow this process - <BR /> 1. install a renewed certificate on indexer (while the old SSL certificate is still deployed)<BR /> 2. deploy the renewed certificate to forwarders (while some forwarders may be still having the old certificates)<BR /> 3. the UF's which got the renewed certificates will start communicating with the indexer's renewed certificate. <BR /> 4. whereas, the old UF's, until certificate renewal, will still be communicating with the indexer with indexer's old certificate. </P> <P>is this possible? how to add two [SSL] stanza's on outputs.conf?</P> <P>[SSL]<BR /> rootCA = $SPLUNK_HOME/etc/certs/cacert.pem<BR /> serverCert = $SPLUNK_HOME/etc/certs/splunk-idx-01.pem</P> <P>[SSL]<BR /> rootCA = $SPLUNK_HOME/etc/certs/renewedcacert.pem<BR /> serverCert = $SPLUNK_HOME/etc/certs/renewedsplunk-idx-01.pem</P> Tue, 29 Sep 2020 14:32:25 GMT inventsekar 2020-09-29T14:32:25Z https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76204#M2544 <P>How about setting up multiple certificates for forwarders, so that we are able to close parts of them?</P> <P>I seems I can create several forwarder certificates (step 3), but how do I set up the indexer to allow/deny several of them, the</P> <PRE><CODE>[SSL] rootCA = $SPLUNK_HOME/etc/certs/cacert.pem serverCert = $SPLUNK_HOME/etc/certs/splunk-idx-01.pem password = changeme requireClientCert = true [splunktcp-ssl:9997] compressed = true </CODE></PRE> <P>Seems to allow all forwarder certificates...</P> Thu, 15 Sep 2011 09:17:55 GMT https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76204#M2544 moseisleydk 2011-09-15T09:17:55Z https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76205#M2545 <P>Is it possible to set up some password required from clients, or perhaps multiple CA's - one for each client "group"</P> Thu, 15 Sep 2011 12:00:48 GMT https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76205#M2545 moseisleydk 2011-09-15T12:00:48Z https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76206#M2546 <P>A forwarder will accept any forwarder certificate that is signed by the specified rootCA file. Since all Splunk forwarders (and servers) come with the same default Splunk rootCA file, it will accept them all. If you wish to change this, you need to use a new rootCA, and distribute appropriate new client certificates to the forwarders. </P> Thu, 15 Sep 2011 14:36:48 GMT https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76206#M2546 gkanapathy 2011-09-15T14:36:48Z https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76207#M2547 <P>Aadding to gkanapathy's answer, Splunk doesn't at this time support multiple root CA certs for a single splunkd. (I am 99% sure anyway.) The <CODE>password</CODE> there is for unlocking key on the SSL server cert.</P> <P>If you need to partition these clients, you might be able to set up a "proxy" forwarder for each of them - and let that forwarder (probably a heavy forwarder) connect to the indexers on their behalf. If you do this, you'll probably need to forgo SSL between the proxy forwarder and the indexer. </P> Thu, 15 Sep 2011 16:12:12 GMT https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76207#M2547 dwaddle 2011-09-15T16:12:12Z https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76208#M2548 <P>can someone please update clearly about this - <BR /> can I have two SSL certificates deployed on a single indexer? if yes, on same port or different ports?</P> <P>the issue is - during Certificates renewal, <BR /> we would like to follow this process - <BR /> 1. install a renewed certificate on indexer (while the old SSL certificate is still deployed)<BR /> 2. deploy the renewed certificate to forwarders (while some forwarders may be still having the old certificates)<BR /> 3. the UF's which got the renewed certificates will start communicating with the indexer's renewed certificate. <BR /> 4. whereas, the old UF's, until certificate renewal, will still be communicating with the indexer with indexer's old certificate. </P> <P>is this possible? how to add two [SSL] stanza's on outputs.conf?</P> <P>[SSL]<BR /> rootCA = $SPLUNK_HOME/etc/certs/cacert.pem<BR /> serverCert = $SPLUNK_HOME/etc/certs/splunk-idx-01.pem</P> <P>[SSL]<BR /> rootCA = $SPLUNK_HOME/etc/certs/renewedcacert.pem<BR /> serverCert = $SPLUNK_HOME/etc/certs/renewedsplunk-idx-01.pem</P> Tue, 29 Sep 2020 14:32:25 GMT https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76208#M2548 inventsekar 2020-09-29T14:32:25Z https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76209#M2549 <P>Bump. I also want to define two <CODE>[SSL]</CODE> stanzas, for two different server certificates. Also, one of them would require client certificate, and the other would not. Is this possible?</P> <P>EDIT: Got an answer to my own question here <A href="https://answers.splunk.com/answers/549719/two-ssl-certificates-on-a-single-indexer-forwarder.html">https://answers.splunk.com/answers/549719/two-ssl-certificates-on-a-single-indexer-forwarder.html</A></P> Thu, 12 Mar 2020 11:35:12 GMT https://community.splunk.com/t5/Security/Multiple-forwarder-certificates/m-p/76209#M2549 hettervik 2020-03-12T11:35:12Z