Getting Data In

How to configure 3rd party ssl-certificates to use them as public key?

diegrens
New Member

The certificate configuration tutorials have unfortunately left me with some lingering questions. 
Premise:
They have taught me that in order to set up a 3rd-party-signed certificate for a Splunk Enterprise server, I must:
1.create privatekey
2.create CSR, using the aforementioned private key
3.sent CSR to the CA authority of the current company
4.receive a multitude of certificates: a server cert, a CA root cert, and perhaps CA intermediate certs.
5.I can choose to combine the CAroot and CAintermediate certs to create a CAbundle.pem which i can reference to in any CAcert fields. (example: sslRootCaPath field in server.conf )
6. I need to combine the server cert, private key, and CAbundle to create a complete Splunk Enterprise signed certificate. (to be used by fields like for example inputs.conf:serverCert, or outputs.conf:sslCertPath )

So far so good. This procedure allows me to set up SSL connections between Splunk Enterprise instances.

I have two scenarios where this setup probably do not work, and I would like to know how I cán make them work: 

1) I want to deploy 100 forwarders remotely and set them so that they send their data to an indexer or heavy forwarder through SSL.
Problem: The process of getting a 3rd party signed certificate for each and every forwarder is arduous and I don't believe it can be done remotely effectively. 
My thoughts: Can I use (part of) the certification of the data receiver (IDX/HF)  as a public key which I can then send to all forwarders?
Clearly I can not use the concatenated certificate described in premise_step6, because it contains a private key.  Could I maybe use the signed servercert part that I received from the 3rd party, pre-concatenation ? 
A splunk data receiver does not necessarily have to validate the certification of a date sender, so I don't see why each universal forwarder should be equiped with its own certificate. There has to be a way to have only them check whether the indexer has valid certification somehow.

2) Say I want to connect another application (like the Infoblox Splunk Connector) to a Splunk data receiver while using SSL.
My thoughts: I expect that sending the CAbundle (premise_step5) should be enough, so that the application side can create its own certificate and perhaps combine it with the CAroot somehow.. but I guess my question is the same as before; I cannot send the concatenated .pem from premise_step6. What is the best way to set up an SSL connection to another application? 

Thanks in advance.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...