All Apps and Add-ons
Highlighted

Splunk Universal Forwarder SSL Error

Observer

We have a few very old machines running UF version 6.2.X. [No, upgrading the UF/OS cannot happen] The certificate just recently expired and we are attempting to rectify the issue. My question is: does the certificate only have to be reissued to the indexers (I have read this in previous answers)? Or do I need to reissue certs to all the expired UFs, as well? 

If the latter question is the answer, what is the best way to go about it? Ship the certs with a new outputs.conf pointing to the new certs resident in that app? Or use SCCM and our in-house CA to issue new certs and set outputs.conf to point to that cert?

I appreciate any help!

0 Karma
Highlighted

Re: Splunk Universal Forwarder SSL Error

Communicator

@mdepuy 

It depends on your current configuration. In general, UF & Indexers have their own certs. So, you need to figure out which cert is expired?

Assuming both are expired, you can follow one of the below mentioned configurations

1) You can request one cert for all UFs & one for all indexers (with the same sslCommonName). 

2) You can request one cert for all UFs & one for each indexer (with unique sslCommonName). 

Please refer splunk documentation for more details.

https://docs.splunk.com/Documentation/Splunk/8.0.4/Security/ConfigureSplunkforwardingtousesignedcert...

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.