Getting Data In

How to configure 3rd party ssl-certificates to use them as public key?

diegrens
New Member

The certificate configuration tutorials have unfortunately left me with some lingering questions. 
Premise:
They have taught me that in order to set up a 3rd-party-signed certificate for a Splunk Enterprise server, I must:
1.create privatekey
2.create CSR, using the aforementioned private key
3.sent CSR to the CA authority of the current company
4.receive a multitude of certificates: a server cert, a CA root cert, and perhaps CA intermediate certs.
5.I can choose to combine the CAroot and CAintermediate certs to create a CAbundle.pem which i can reference to in any CAcert fields. (example: sslRootCaPath field in server.conf )
6. I need to combine the server cert, private key, and CAbundle to create a complete Splunk Enterprise signed certificate. (to be used by fields like for example inputs.conf:serverCert, or outputs.conf:sslCertPath )

So far so good. This procedure allows me to set up SSL connections between Splunk Enterprise instances.

I have two scenarios where this setup probably do not work, and I would like to know how I cán make them work: 

1) I want to deploy 100 forwarders remotely and set them so that they send their data to an indexer or heavy forwarder through SSL.
Problem: The process of getting a 3rd party signed certificate for each and every forwarder is arduous and I don't believe it can be done remotely effectively. 
My thoughts: Can I use (part of) the certification of the data receiver (IDX/HF)  as a public key which I can then send to all forwarders?
Clearly I can not use the concatenated certificate described in premise_step6, because it contains a private key.  Could I maybe use the signed servercert part that I received from the 3rd party, pre-concatenation ? 
A splunk data receiver does not necessarily have to validate the certification of a date sender, so I don't see why each universal forwarder should be equiped with its own certificate. There has to be a way to have only them check whether the indexer has valid certification somehow.

2) Say I want to connect another application (like the Infoblox Splunk Connector) to a Splunk data receiver while using SSL.
My thoughts: I expect that sending the CAbundle (premise_step5) should be enough, so that the application side can create its own certificate and perhaps combine it with the CAroot somehow.. but I guess my question is the same as before; I cannot send the concatenated .pem from premise_step6. What is the best way to set up an SSL connection to another application? 

Thanks in advance.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...