The certificate configuration tutorials have unfortunately left me with some lingering questions.

Premise: They have taught me that in order to set up a 3rd-party-signed certificate for a Splunk Enterprise server, I must:

1. Create a private key.
2. Create a CSR, using the aforementioned private key.
3. Send the CSR to the CA authority of the current company.
4. Receive a multitude of certificates: a server cert, a CA root cert, and perhaps CA intermediate certs.
5. I can choose to combine the CAroot and CAintermediate certs to create a CAbundle.pem which I can reference in any CAcert fields (example: the sslRootCaPath field in server.conf).
6. I need to combine the server cert, private key, and CAbundle to create a complete Splunk Enterprise signed certificate (to be used by fields like, for example, inputs.conf:serverCert or outputs.conf:sslCertPath).

So far so good. This procedure allows me to set up SSL connections between Splunk Enterprise instances.
I have two scenarios where this setup probably does not work, and I would like to know how I can make them work:
1) I want to deploy 100 forwarders remotely and set them so that they send their data to an indexer or heavy forwarder through SSL. Problem: The process of getting a 3rd party signed certificate for each and every forwarder is arduous and I don't believe it can be done remotely effectively. My thoughts: Can I use (part of) the certification of the data receiver (IDX/HF) as a public key which I can then send to all forwarders? Clearly I cannot use the concatenated certificate described in premise_step6, because it contains a private key. Could I maybe use the signed servercert part that I received from the 3rd party, pre-concatenation? A Splunk data receiver does not necessarily have to validate the certification of a data sender, so I don't see why each universal forwarder should be equipped with its own certificate. There has to be a way to have only them check whether the indexer has valid certification somehow.
2) Say I want to connect another application (like the Infoblox Splunk Connector) to a Splunk data receiver while using SSL. My thoughts: I expect that sending the CAbundle (premise_step5) should be enough, so that the application side can create its own certificate and perhaps combine it with the CAroot somehow... but I guess my question is the same as before; I cannot send the concatenated .pem from premise_step6. What is the best way to set up an SSL connection to another application?
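
An added example, not part of the original post: a check that a PEM file contains no private key before it is copied to forwarders or handed to another application, plus extraction of the certificate-only CA bundle (step 5) from a combined file (step 6). It assumes the combined file is ordered server cert, private key, CA certs; the function names and the sample PEM bodies are constructed for illustration.

```python
import re

# Matches one PEM block and captures its label, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

def split_pem(text):
    """Return a list of (label, full_block_text) in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def has_private_key(text):
    """True if any block is a private key (PKCS#1, PKCS#8, EC, encrypted PKCS#8)."""
    return any(label.endswith("PRIVATE KEY") for label, _ in split_pem(text))

def distributable_bundle(text, skip_first_cert=True):
    """Build a certificate-only PEM from a combined file.

    Assumption: the input uses the step 6 ordering (server cert, private key,
    CA certs), so the first CERTIFICATE block is the server cert and the
    remaining ones form the CA bundle.
    """
    certs = [block for label, block in split_pem(text) if label == "CERTIFICATE"]
    if skip_first_cert:
        certs = certs[1:]
    if not certs:
        raise ValueError("no CA certificates found in input")
    bundle = "\n".join(certs) + "\n"
    if has_private_key(bundle):  # defensive: never emit key material
        raise ValueError("refusing to emit a bundle containing a private key")
    return bundle

# Constructed sample: placeholder bodies, not real certificates or key material.
def _block(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SAMPLE_COMBINED = (
    _block("CERTIFICATE", "U0VSVkVSQ0VSVA==")        # server cert
    + _block("RSA PRIVATE KEY", "UFJJVktFWQ==")      # private key: must stay on the server
    + _block("CERTIFICATE", "SU5URVJNRURJQVRF")      # CA intermediate
    + _block("CERTIFICATE", "Uk9PVENB")              # CA root
)

if __name__ == "__main__":
    print("combined has private key:", has_private_key(SAMPLE_COMBINED))
    print(distributable_bundle(SAMPLE_COMBINED), end="")
```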