Re: Splunk Universal Forwarder SSL Error

mdepuy · ‎06-29-2020

We have a few very old machines running UF version 6.2.X. [No, upgrading the UF/OS cannot happen] The certificate just recently expired and we are attempting to rectify the issue. My question is: does the certificate only have to be reissued to the indexers (I have read this in previous answers)? Or do I need to reissue certs to all the expired UFs, as well?

If the latter question is the answer, what is the best way to go about it? Ship the certs with a new outputs.conf pointing to the new certs resident in that app? Or use SCCM and our in-house CA to issue new certs and set outputs.conf to point to that cert?

I appreciate any help!

anilchaithu · ‎06-29-2020

@mdepuy

It depends on your current configuration. In general, UF & Indexers have their own certs. So, you need to figure out which cert is expired?

Assuming both are expired, you can follow one of the below mentioned configurations

1) You can request one cert for all UFs & one for all indexers (with the same sslCommonName).

2) You can request one cert for all UFs & one for each indexer (with unique sslCommonName).

Please refer splunk documentation for more details.

https://docs.splunk.com/Documentation/Splunk/8.0.4/Security/ConfigureSplunkforwardingtousesignedcert...

Splunk Universal Forwarder SSL Error

administration

configuration

troubleshooting

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Join the Conversation