Getting Data In

How to configure 3rd party ssl-certificates to use them as public key?

New Member

The certificate configuration tutorials have unfortunately left me with some lingering questions. 
They have taught me that in order to set up a 3rd-party-signed certificate for a Splunk Enterprise server, I must:
1.create privatekey
2.create CSR, using the aforementioned private key
3.sent CSR to the CA authority of the current company
4.receive a multitude of certificates: a server cert, a CA root cert, and perhaps CA intermediate certs.
5.I can choose to combine the CAroot and CAintermediate certs to create a CAbundle.pem which i can reference to in any CAcert fields. (example: sslRootCaPath field in server.conf )
6. I need to combine the server cert, private key, and CAbundle to create a complete Splunk Enterprise signed certificate. (to be used by fields like for example inputs.conf:serverCert, or outputs.conf:sslCertPath )

So far so good. This procedure allows me to set up SSL connections between Splunk Enterprise instances.

I have two scenarios where this setup probably do not work, and I would like to know how I cán make them work: 

1) I want to deploy 100 forwarders remotely and set them so that they send their data to an indexer or heavy forwarder through SSL.
Problem: The process of getting a 3rd party signed certificate for each and every forwarder is arduous and I don't believe it can be done remotely effectively. 
My thoughts: Can I use (part of) the certification of the data receiver (IDX/HF)  as a public key which I can then send to all forwarders?
Clearly I can not use the concatenated certificate described in premise_step6, because it contains a private key.  Could I maybe use the signed servercert part that I received from the 3rd party, pre-concatenation ? 
A splunk data receiver does not necessarily have to validate the certification of a date sender, so I don't see why each universal forwarder should be equiped with its own certificate. There has to be a way to have only them check whether the indexer has valid certification somehow.

2) Say I want to connect another application (like the Infoblox Splunk Connector) to a Splunk data receiver while using SSL.
My thoughts: I expect that sending the CAbundle (premise_step5) should be enough, so that the application side can create its own certificate and perhaps combine it with the CAroot somehow.. but I guess my question is the same as before; I cannot send the concatenated .pem from premise_step6. What is the best way to set up an SSL connection to another application? 

Thanks in advance.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!