topic Re: SSL enabled between deployment server and deployment client (UF) in Splunk Enterprise

SSL enabled between deployment server and deployment client (UF)

krusovice — Thu, 20 Jan 2022 06:25:08 GMT

In my environment, I've setup the SSL communication and authentication between Deployment Server and its deployment client. It is working fine.

The trouble came when nearly 1 year - the renewal of the SSL is needed, meaning the server.pem and cacert.pem in UF require to be updated with renewed SSL.

For the first year, we have used DS to push the SSL cert over to UF. Question is - is there any way to push the second year's SSL cert (server.pem and cacert.pem) over to UF using Deployment servers while the first year SSL still valid?

Or is there any best practice how to renew the cert in UF (deployment client) in yearly basis?

Thanks.

Re: SSL enabled between deployment server and deployment client (UF)

SinghK — Thu, 20 Jan 2022 06:33:15 GMT

Ow, are you saying that you pushed a common ssl cert to all UF's?

Re: SSL enabled between deployment server and deployment client (UF)

krusovice — Thu, 20 Jan 2022 07:02:51 GMT

Yes, in our environment, there is cacert.pem and server.pem sit in the UF that require to annually renewed.

Re: SSL enabled between deployment server and deployment client (UF)

SinghK — Thu, 20 Jan 2022 07:10:26 GMT

my understanding was ssl cert was very unique with priv key and everything unless csr and key is not generated on server it will not work.

i am very interested in the topic lets ask isoutamo or anyone else who can help.

@isoutamo

Re: SSL enabled between deployment server and deployment client (UF)

isoutamo — Thu, 20 Jan 2022 07:53:29 GMT

the best way to renew those is dependent on your way to use those. If you have use individual certificate in every node then you definitely need some tool which will manage that. But as the normal way to do this with splunk is to use one (or only few) cert for all UFs then it's much easier. Depending on place where you have put your cert files on UF you need a separate deployment tool (e.g. ansible, any MS based for windows) to renew those or use DS to add that on separate TA/SA on clients and then restart those.

r. Ismo

Re: SSL enabled between deployment server and deployment client (UF)

tinatan — Fri, 21 Jan 2022 07:08:10 GMT

Thank you for the reply, we are using one cert applied to all UFs.

Re: SSL enabled between deployment server and deployment client (UF)

msquicc — Wed, 02 Apr 2025 21:56:54 GMT

did you wind up getting a good solution in place for pushing new certs from the deployment server?

Re: SSL enabled between deployment server and deployment client (UF)

isoutamo — Wed, 02 Apr 2025 22:02:23 GMT

You should create an own app which contains all those needed certs. If you have Splunk Cloud in use you can copy the idea from its Universal Forwarder app.
Of course it needs that you have added your own private CA.pem into Splunk's CA certs file if you have this in use.

Re: SSL enabled between deployment server and deployment client (UF)

msquicc — Wed, 02 Apr 2025 22:19:23 GMT

thanks, yea, I was planning on giving that a shot, but mostly interested in how to replace those certs on the UFs before they expire.

ansible / MS tools could be a backup, but I'd really like to implement and have it fully controlled from the deployment server.

so, just thinking through it, updating the cert(s) in this app would push out the updated certs to the UFs, but then all of the UFs would fail to phone home until I update the certs on the deployment server? then I'd have to hope that everything works from a fully broken state? just seems risky.

open to suggestions, and maybe I'm over thinking some of it.

wondering if anyone's accomplished this in a safe practical way? @krusovice, what did you wind up doing?