The certificate configuration tutorials have unfortunately left me with some lingering questions.
Premise:
They have taught me that in order to set up a 3rd-party-signed certificate for a Splunk Enterprise server, I must:
1. Create a private key.
2. Create a CSR, using the aforementioned private key.
3. Send the CSR to the CA authority of the current company.
4. Receive a multitude of certificates: a server cert, a CA root cert, and perhaps CA intermediate certs.
5. I can choose to combine the CAroot and CAintermediate certs to create a CAbundle.pem which I can reference in any CAcert fields (example: the sslRootCaPath field in server.conf).
6. I need to combine the server cert, private key, and CAbundle to create a complete Splunk Enterprise signed certificate (to be used by fields like, for example, inputs.conf:serverCert or outputs.conf:sslCertPath).
So far so good. This procedure allows me to set up SSL connections between Splunk Enterprise instances.
I have two scenarios where this setup probably does not work, and I would like to know how I can make them work:
1) I want to deploy 100 forwarders remotely and set them so that they send their data to an indexer or heavy forwarder through SSL.
Problem: The process of getting a 3rd party signed certificate for each and every forwarder is arduous and I don't believe it can be done remotely effectively.
My thoughts: Can I use (part of) the certification of the data receiver (IDX/HF) as a public key which I can then send to all forwarders?
Clearly I cannot use the concatenated certificate described in premise_step6, because it contains a private key. Could I maybe use the signed server cert part that I received from the 3rd party, pre-concatenation?
A Splunk data receiver does not necessarily have to validate the certification of a data sender, so I don't see why each universal forwarder should be equipped with its own certificate. There has to be a way to have only them check whether the indexer has valid certification somehow.
2) Say I want to connect another application (like the Infoblox Splunk Connector) to a Splunk data receiver while using SSL.
My thoughts: I expect that sending the CAbundle (premise_step5) should be enough, so that the application side can create its own certificate and perhaps combine it with the CAroot somehow... but I guess my question is the same as before; I cannot send the concatenated .pem from premise_step6. What is the best way to set up an SSL connection to another application?
Thanks in advance.
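
The six premise steps, reproduced with `openssl` as an added example that is not part of the original post. It shows which of the resulting files contain private key material and that the step 5 bundle alone is enough to validate the server certificate. A throwaway local root and intermediate CA stand in for the company's CA; every file name except `CAbundle.pem`, the subject names and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: a throwaway local CA stands in for the company's CA.
# Function names, file names and CN values are constructed for this demo.
# Usage: build_chain /tmp/demo-certs
build_chain() (
    set -e
    mkdir -p "$1"; cd "$1"
    printf 'basicConstraints=CA:TRUE\n' > ca_ext.cnf
    # Stand-in for the CA side (normally not done by you): root + intermediate.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key \
        -subj "/CN=Demo Root CA" -days 2 -out ca-root.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout int.key \
        -subj "/CN=Demo Intermediate CA" -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA ca-root.pem -CAkey root.key \
        -CAcreateserial -extfile ca_ext.cnf -days 2 -out ca-int.pem 2>/dev/null
    # Steps 1-2: private key and CSR for the Splunk server.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "/CN=splunk-idx.example.test" \
        -out server.csr
    # Steps 3-4: the CA signs the CSR and returns the server certificate.
    openssl x509 -req -in server.csr -CA ca-int.pem -CAkey int.key \
        -CAcreateserial -days 2 -out server-cert.pem 2>/dev/null
    # Step 5: CA bundle = intermediate(s) followed by root. Certificates only.
    cat ca-int.pem ca-root.pem > CAbundle.pem
    # Step 6: combined file = server cert + private key + CA bundle.
    cat server-cert.pem server.key CAbundle.pem > splunk-server.pem
)

# Succeeds if the PEM file contains any private key block.
has_private_key() { grep -q 'PRIVATE KEY-----' "$1"; }

# Succeeds if the server certificate validates using only the CA bundle.
bundle_validates_server() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```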