I'm stepping into this Splunk admin role and have multiple SSL certs expiring soon. We have 6 indexers managed by a master, 4 search heads managed by a search head deployer, and thousands of universal forwarders managed by a deployer. I've read how to generate the certs and cert authority, but how should I go about distribution? Also, any helpful hints on securing my environment better would be greatly appreciated.
You're in for some fun. If you have a look here:
The accepted answer mentions that you have to distribute your certificates into
$SPLUNK/etc/auth, which you can do via scripting, Ansible, etc. But if you check the answers underneath it, they mention using custom Splunk apps for including and distributing the certs, and that also works.
You can therefore choose either of those approaches; I would say go for the one that you find easier to maintain and possibly one day hand over. If you feel comfortable with changing a couple of lines in outputs.conf to point to the certs' new location via a Splunk app, then go for that. If you'd rather just deploy your certs using a script and be done with it without any Splunk config hassle, then go for that as well 🙂
In either case, configs are available online; I can help you find some docs if needed.
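As an added illustration of the "custom Splunk app" approach described in this answer (this is not code from the thread or from Splunk), the script below builds a deployable app directory holding a forwarder certificate and an outputs.conf that points at it, and refuses to stage anything that fails three checks a practitioner wants before pushing to thousands of forwarders: the certificate matches the private key, it chains to the CA, and it is not expiring inside the rollout window. The CA and forwarder certificate it uses are throwaway test material generated on the fly; the app name, the indexer hostnames and the `$SPLUNK_HOME` paths are placeholders. It assumes `openssl` is on PATH and that the key has no passphrase (Splunk's `sslPassword` is therefore omitted). Check the setting names against the outputs.conf.spec and server.conf.spec shipped with your Splunk version before deploying.

```shell
#!/bin/sh
# Added example, not from the original thread: stage Splunk TLS certs
# into a deployable app after sanity-checking them with openssl.
# APP_NAME, hostnames and paths are placeholders (assumptions).
set -eu

WORK="${WORK:-$(mktemp -d)}"
APP_NAME="tls_certs_app"          # hypothetical app name
APP_DIR="$WORK/$APP_NAME"

# Constructed test material: a throwaway CA and one forwarder cert signed by it.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Splunk CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=uf.example.internal" \
    -keyout "$dir/uf.key" -out "$dir/uf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/uf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -out "$dir/uf.crt" >/dev/null 2>&1
}

# Check 1: the certificate's public key equals the private key's public half
# (compares PEM public keys, so it works for RSA and EC keys alike).
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ "$c" = "$k" ]
}

# Check 2: the certificate will still be valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Check 3: the certificate chains to the CA the indexers will trust.
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Lay out the app: auth/ holds the PEMs, default/ holds app.conf, outputs.conf
# (forwarder -> indexer TLS) and server.conf (CA trust for this forwarder).
build_cert_app() {
  app="$1"; crt="$2"; key="$3"; ca="$4"
  mkdir -p "$app/default" "$app/auth"
  # Splunk's combined PEM for clientCert: certificate, private key, then CA.
  cat "$crt" "$key" "$ca" > "$app/auth/forwarder.pem"
  cp "$ca" "$app/auth/ca.pem"
  chmod 600 "$app/auth/forwarder.pem"
  cat > "$app/default/app.conf" <<EOF
[install]
state = enabled

[package]
check_for_updates = false
EOF
  cat > "$app/default/outputs.conf" <<EOF
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
clientCert = \$SPLUNK_HOME/etc/apps/$APP_NAME/auth/forwarder.pem
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal
EOF
  cat > "$app/default/server.conf" <<EOF
[sslConfig]
sslRootCAPath = \$SPLUNK_HOME/etc/apps/$APP_NAME/auth/ca.pem
EOF
}

# Run the three checks, then build; any failure leaves nothing staged.
stage_forwarder_certs() {
  pki="$1"; app="$2"
  cert_matches_key "$pki/uf.crt" "$pki/uf.key" || { echo "cert/key mismatch" >&2; return 1; }
  cert_valid_for_days "$pki/uf.crt" 30          || { echo "cert expires within 30 days" >&2; return 1; }
  cert_chains_to_ca "$pki/uf.crt" "$pki/ca.pem" || { echo "cert does not chain to CA" >&2; return 1; }
  build_cert_app "$app" "$pki/uf.crt" "$pki/uf.key" "$pki/ca.pem"
}

make_test_pki "$WORK/pki"
stage_forwarder_certs "$WORK/pki" "$APP_DIR"
echo "staged $APP_DIR; copy it under \$SPLUNK_HOME/etc/deployment-apps on the deployment server"
```

The 30-day window in `cert_valid_for_days` is the point to tune: set it to at least the time it takes your deployment server to reach every forwarder, so a certificate cannot expire on a host that has not yet picked up the new app.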
Good stuff, David, thank you. I guess I should've been more specific with my question. We currently have custom apps that distribute our certs. My only concern (or wonder, if you will) is: upon doing my rip-and-replace of all SSL certs in my environment, how are my clients going to talk to my deployment servers? And ripping and replacing SSL certs would, I think, need to be completed in a certain order to ensure all can communicate, so what would that order be?